Netgate Discussion Forum

    Snort: No more VRT-Updates? -> Snort-Version too old?

      user12

      Hi,

      For about 3-4 days now, my Snort VRT rules won't update anymore (I'm using a free Oinkcode).
      In my snort.org profile I'm also no longer able to download the 2980 rulesets, as they seem to be outdated.

      My question: What can I do? Will there soon be a newer version of Snort, so I can properly use it in the future?
      Is there anybody else having this problem?

      Update-Logfile:

      
      Starting rules update...  Time: 2016-07-03 14:09:12
      	Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5...
      	Snort VRT rules md5 download failed.
      	Server returned error code 422.
      	Server error message was: 
      	Snort VRT rules will not be updated.
      	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
      	Checking Snort OpenAppID detectors md5 file...
      	Snort OpenAppID detectors are up to date.
      	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
      	Checking Snort GPLv2 Community Rules md5 file...
      	There is a new set of Snort GPLv2 Community Rules posted.
      	Downloading file 'community-rules.tar.gz'...
      	Done downloading rules file.
      	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
      	Checking Emerging Threats Open rules md5 file...
      	Emerging Threats Open rules are up to date.
      	Extracting and installing Snort GPLv2 Community Rules...
      	Installation of Snort GPLv2 Community Rules completed.
      	Copying new config and map files...
      	Updating rules configuration for: WAN ...
      	Restarting Snort to activate the new set of rules...
      	Snort has restarted with your new set of rules.
      The Rules update has finished.  Time: 2016-07-03 14:09:23
      
      
        Nachtfalke

        Hi,

        Recognized this same behaviour today, too.
        Running the latest Snort package available for pfSense.

        Regards

          user12

          What do you do?
          Just accept it for the moment, waiting for an update?

            Nachtfalke

            I am only using this in my private home environment. I will wait some time. I assume that the maintainer bmeeks will recognize this, too, and will provide a fix. Or it is a problem with snort.org.

              stownplayer

              Same here. I just registered to post about it. I talked to someone at Snort and got a quick reply. The URL pfSense is using is not the right one and needs to be updated. Seems mine is attempting to download 2980 rules, where it should be trying to download 2983 rules. Maybe a good feature where we can manually update?

              Bad timing for me I guess. I purchased the upgraded rules a few days ago. lol

                bmeeks

                My bad for being late on the package update.  Look for this to be fixed in another day or two.  The correct package has been posted for the pfSense team to review and merge.  The long Independence Day weekend here in the U.S. is slowing things down.  I did not post the update for them to review until late this past Friday evening.

                Bill

                  stownplayer

                  No worries. Thanks for all your hard work. Great product! I use it at home and at the business network I manage. Take it easy and have a happy 4th!

                    stownplayer

                    Any ETA on this, or any special instructions we need to know about? I still have no updates yet.

                      stownplayer

                      Another post. Just update Snort from packages. There is a Squid update as well… unrelated. lol. Thanks

                        DeeeePIMPact

                        Worked on 7/12/16 BUT hasn't updated since.  I "Forced Update" and I get a

                        "Snort GPLv2 Community Rules md5 download failed.
                          Server returned error code 0."

                        Any suggestions?

                          DeeeePIMPact

                          Never mind. I reverted back to an early restore point when I didn't install Squid in the last 2 days and Snort updates correctly.

                          I am guessing Squid is blocking Snort updates, and pfSense packages.

                            DeeeePIMPact

                            I figured I'd update this with what turned out to be the actual problem.

                            It was not SQUID it was PFBLOCKER and a BOGON list I had installed from iBlocklist.com….

                            PFBLOCKER Bogon list was blocking the SNORT VRT Rules and other updates.  Kind of weird as this hasn't happened before and I've been using these lists for quite some time...

                            ohh well...  at least I figured it out :)

                              bmeeks

                              @DeeeePIMPact:

                              I figured I'd update this with what turned out to be the actual problem.

                              It was not SQUID it was PFBLOCKER and a BOGON list I had installed from iBlocklist.com….

                              PFBLOCKER Bogon list was blocking the SNORT VRT Rules and other updates.  Kind of weird as this hasn't happened before and I've been using these lists for quite some time...

                              ohh well...  at least I figured it out :)

                              IP addresses can come and go on lists like that.  Every now and then it would not be unexpected for a legitimate site to maybe pick up an IP that was once a bad guy's.  Just like phone numbers can be reused, so too can IP addresses.  That's one issue in my personal view with lists of so-called "bad IP addresses".  They can sometimes get a little stale and block legitimate sites that happened to get assigned one of those formerly bad IP addresses.  Remember, there are no more IPv4 addresses, so the existing pool will keep getting recycled as old sites die and new sites need an IP to come online.

                              Bill

                                oddworld19

                                I, too, am unable to download snort updates.

                                Specifically, there are two issues:

                                1. I have unchecked "Click to retain Snort settings after package removal." Then uninstalled, then rebooted, and still Snort remembers my settings (including my oinkmaster code)

                                2. Ignoring that….. and more importantly, when trying to update VRT rules using snort 3.2.9.1_14, I get the following error. Any ideas?

                                Starting rules update...  Time: 2016-08-11 22:05:58
                                	Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
                                	Checking Snort VRT rules md5 file...
                                	There is a new set of Snort VRT rules posted.
                                	Downloading file 'snortrules-snapshot-2983.tar.gz'...
                                	Snort VRT rules file download failed.  Server returned error 0.
                                	The error text was: Connection timed out after 15015 milliseconds
                                	Snort VRT rules will not be updated.
                                The Rules update has finished.  Time: 2016-08-11 22:07:59
                                

                                I have tried more than 10 times over the last 3 days.

                                I run the following packages:

                                pfblockerNG 2.1.1_1 with TLD features enabled

                                squid

                                Squidguard

                                Machine:
                                C2758
                                16 Gigs ECC ram
                                4 onboard intel NIC
                                1x PCI-e intel 4 port pro/1000 PT

                                Supermicro SYS-5018A-FTN4 (Atom c2758)
                                pfSense 2.3.2
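
Added example, not part of any post in this thread and not code from the pfSense Snort package: a small Python triage of the update-log format quoted above, separating a server rejection (error code 422, as in the first log) from a transport failure (error code 0, as in the timeout and pfBlockerNG cases). The labels `rejected` and `transport` and the function names are this example's own, and the sample log is constructed from lines quoted in the thread.

```python
import re

# Constructed sample: lines taken from the two update logs quoted in this thread.
SAMPLE_LOG = """\
Starting rules update...  Time: 2016-07-03 14:09:12
\tDownloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5...
\tSnort VRT rules md5 download failed.
\tServer returned error code 422.
Starting rules update...  Time: 2016-08-11 22:05:58
\tDownloading file 'snortrules-snapshot-2983.tar.gz'...
\tSnort VRT rules file download failed.  Server returned error 0.
\tThe error text was: Connection timed out after 15015 milliseconds
"""

START = re.compile(r"Starting rules update\.\.\.\s+Time: (.+)")
FETCH = re.compile(r"Downloading .*?file '?([\w.-]+?)'?\.\.\.$")
FAILED = re.compile(r"^(.+?) download failed\.")
CODE = re.compile(r"Server returned error(?: code)? (\d+)")
TEXT = re.compile(r"(?:The error text|Server error message) was: ?(.*)")

def classify(code):
    """Map the logged code to a failure class (labels are this example's own)."""
    if code == 0:
        return "transport"  # no HTTP response at all: timeout, DNS, local block
    if 400 <= code < 500:
        return "rejected"   # server was reached and refused this request
    return "server" if code >= 500 else "unknown"

def triage(log):
    """Return one dict per failed download found in an update log."""
    failures, when, name = [], None, None
    for line in (raw.strip() for raw in log.splitlines()):
        if m := START.search(line):
            when, name = m.group(1), None
        elif m := FETCH.search(line):
            name = m.group(1)
        elif m := FAILED.search(line):
            failures.append({"time": when, "file": name, "what": m.group(1),
                             "code": None, "text": "", "kind": "unknown"})
        if failures and failures[-1]["code"] is None and (m := CODE.search(line)):
            failures[-1]["code"] = int(m.group(1))
            failures[-1]["kind"] = classify(int(m.group(1)))
        elif failures and (m := TEXT.search(line)):
            failures[-1]["text"] = m.group(1)
    return failures

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["file"], f["code"], f["kind"], f["text"])
```

A `rejected` result points at the request itself (in this thread, the package still asking for the 2980 snapshot); a `transport` result points at the path to the server, which is where the pfBlockerNG list turned out to be interfering.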
