Snort VRT Rules



  • I am brand new to pfSense and have installed Snort, which ran for a day and then wouldn't start.  I ran through a couple of uninstalls and reinstalls and it miraculously starts and stops now; however, the VRT rules won't download (this was noticed before I ever did the first uninstall) and there is an MD5 checksum error.



  • Getting the same issue for the last week or so. Usually uninstalling/reinstalling Snort resolves the issue, but it does not seem to be working this time. See attachment.

    Regards,




  • Hi, same problem here:

    Community Rules update works but VRT Rules update fails!

    The Snort log shows an MD5 sum mismatch!

    Starting rules update...  Time: 2016-07-12 09:45:23
    	Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
    	Checking Snort VRT rules md5 file...
    	There is a new set of Snort VRT rules posted.
    	Downloading file 'snortrules-snapshot-2983.tar.gz'...
    	Done downloading rules file.
    	Snort VRT rules file download failed.  Bad MD5 checksum.
    	Downloaded Snort VRT rules file MD5: ecb6e1b7bdf6024a6a1dfbb813e108d6
    	Expected Snort VRT rules file MD5: 
    	Snort VRT rules file download failed.  Snort VRT rules will not be updated.
    	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    	Checking Snort GPLv2 Community Rules md5 file...
    	There is a new set of Snort GPLv2 Community Rules posted.
    	Downloading file 'community-rules.tar.gz'...
    	Done downloading rules file.
    	Extracting and installing Snort GPLv2 Community Rules...
    	Installation of Snort GPLv2 Community Rules completed.
    	Copying new config and map files...
    	Updating rules configuration for: WAN ...
    The Rules update has finished.  Time: 2016-07-12 09:47:09
    
    

    I tried to manually download and verify the ruleset:

    # md5sum snortrules-snapshot-2983.tar.gz -c snort.md5 
    md5sum: snortrules-snapshot-2983.tar.gz: keine korrekt formatierte MD5‐Prüfsummenzeile gefunden
    snortrules-snapshot-2983.tar.gz: OK
    
    

    The interesting part:

    keine korrekt formatierte MD5‐Prüfsummenzeile gefunden

    means: "no properly formatted MD5 checksum line found"

    Checked on Debian 8 with md5sum (GNU coreutils) 8.23



  • @simon_rfm:

    Hi, same problem here:

    Community Rules update works but VRT Rules update fails!

    The Snort log shows an MD5 sum mismatch!

    Starting rules update...  Time: 2016-07-12 09:45:23
    	Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
    	Checking Snort VRT rules md5 file...
    	There is a new set of Snort VRT rules posted.
    	Downloading file 'snortrules-snapshot-2983.tar.gz'...
    	Done downloading rules file.
    	Snort VRT rules file download failed.  Bad MD5 checksum.
    	Downloaded Snort VRT rules file MD5: ecb6e1b7bdf6024a6a1dfbb813e108d6
    	Expected Snort VRT rules file MD5: 
    	Snort VRT rules file download failed.  Snort VRT rules will not be updated.
    	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    	Checking Snort GPLv2 Community Rules md5 file...
    	There is a new set of Snort GPLv2 Community Rules posted.
    	Downloading file 'community-rules.tar.gz'...
    	Done downloading rules file.
    	Extracting and installing Snort GPLv2 Community Rules...
    	Installation of Snort GPLv2 Community Rules completed.
    	Copying new config and map files...
    	Updating rules configuration for: WAN ...
    The Rules update has finished.  Time: 2016-07-12 09:47:09
    
    


    The actual MD5 checksum file from the Snort VRT site either failed to download correctly or contains an empty string.  This line is the clue:

    
    	Expected Snort VRT rules file MD5: 
    
    

    Snort downloads the actual VRT gzip archive of rules and also the small MD5 file from the Snort VRT site.  It then calculates its own local MD5 checksum of the rules gzip file and compares it to the value it found in the downloaded MD5 file.  If they do not match, it assumes the VRT rules download failed.  Snort prints the checksum it expected to find in the downloaded MD5 file to the log and then also logs its calculated value for the VRT gzip file.  You can see in the log snippet above that the value from the downloaded MD5 file was blank.

    I suspect there may be a temporary glitch in the MD5 checksum file posted on the Snort VRT site.  It should get corrected soon.

    Bill
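
    The check Bill describes (hash the downloaded archive, compare with the digest read from the small .md5 file), written out as an added example.  This is not the pfSense Snort package's own code (that lives in snort_check_for_rule_updates.php, in PHP); it is a stand-alone Python re-implementation.  Assumptions, not taken from the thread: the .md5 file holds either a bare 32-hex digest or a coreutils-style "<hex>  <filename>" line, and the archive bytes below are constructed stand-in data, not a real rules tarball.  Unlike the log above, it reports an empty or unparsable checksum file as its own failure instead of labelling it a bad archive checksum.

    ```python
    import hashlib
    import re

    # Assumed layout of the published .md5 file (assumption for this example):
    # a bare 32-hex digest, or a coreutils-style "<hex>  <filename>" line.
    _MD5_RE = re.compile(r"^([0-9a-fA-F]{32})(?:\s+\*?(\S+))?\s*$")


    def parse_md5_file(text):
        """Return (digest, filename_or_None) from the first well-formed line,
        or None when the file is empty or has no parsable checksum line."""
        for line in text.splitlines():
            line = line.strip()
            if not line:
                continue
            m = _MD5_RE.match(line)
            if m:
                return m.group(1).lower(), m.group(2)
        return None


    def verify_rules_archive(archive_bytes, md5_text, archive_name=None):
        """Hash the archive and compare with the digest from the .md5 file.

        Returns a dict with 'status' of 'ok', 'mismatch' or 'bad_md5_file'
        plus the actual and expected digests, so a caller can log both values
        the way the updater does and still tell the failure modes apart."""
        actual = hashlib.md5(archive_bytes).hexdigest()
        parsed = parse_md5_file(md5_text)
        if parsed is None:
            # The case in the thread: the expected value is blank.  That is a
            # broken or empty checksum file, not evidence of a corrupt archive.
            return {"status": "bad_md5_file", "actual": actual, "expected": None}
        expected, named = parsed
        if archive_name and named and named != archive_name:
            # Digest is for some other file; refuse rather than compare it.
            return {"status": "bad_md5_file", "actual": actual, "expected": expected}
        if actual != expected:
            return {"status": "mismatch", "actual": actual, "expected": expected}
        return {"status": "ok", "actual": actual, "expected": expected}


    # Constructed sample data standing in for the rules tarball and its .md5 file.
    SAMPLE_ARCHIVE = b"constructed stand-in for snortrules-snapshot-2983.tar.gz\n"
    SAMPLE_MD5 = hashlib.md5(SAMPLE_ARCHIVE).hexdigest()
    ARCHIVE_NAME = "snortrules-snapshot-2983.tar.gz"

    if __name__ == "__main__":
        cases = {
            "good":  SAMPLE_MD5 + "  " + ARCHIVE_NAME + "\n",
            "empty": "",                # what the blank "Expected ... MD5:" line means
            "wrong": "0" * 32 + "\n",   # well-formed digest that does not match
        }
        for label, md5_text in cases.items():
            r = verify_rules_archive(SAMPLE_ARCHIVE, md5_text, ARCHIVE_NAME)
            print(label, r["status"], "expected:", r["expected"], "actual:", r["actual"])
    ```

    Two things the example makes visible: an empty .md5 file must never be treated as a match (the blank line in the log is the updater correctly refusing, only with a misleading message), and coreutils `md5sum -c` expects lines in the "<hex>  <filename>" form, which is why feeding it the tarball itself as a checksum list, as in the command earlier in the thread, produces the "no properly formatted MD5 checksum line found" message before the real .md5 file reports OK.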



  • If you want to temporarily ignore the MD5 issue for VRT rules, do the following:

    Open /usr/local/pkg/snort/snort_check_for_rule_updates.php in your favorite editor, go to line 459, and add $snortdownload = 'on';

        457
        458 /* Untar Snort rules file to tmp and install the rules */
        459 $snortdownload = 'on';
        460 if ($snortdownload == 'on') {
    

    Then go to the Snort -> Update tab and click Force Update

    I recommend removing line 459 once this is completed.



  • My Snort VRT rules just updated.  No more MD5 issues.