Snort: Won't Update, bad checksum



  • Hello,

    since last night my two pfSense-Installations won't Update their Snort-Rules anymore… why?
    Even forcing didn't work, neither did a reboot...

    
    Starting rules update...  Time: 2016-07-12 08:09:19
    	Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
    	Checking Snort VRT rules md5 file...
    	There is a new set of Snort VRT rules posted.
    	Downloading file 'snortrules-snapshot-2983.tar.gz'...
    	Done downloading rules file.
    	Snort VRT rules file download failed.  Bad MD5 checksum.
    	Downloaded Snort VRT rules file MD5: ecb6e1b7bdf6024a6a1dfbb813e108d6
    	Expected Snort VRT rules file MD5: 
    	Snort VRT rules file download failed.  Snort VRT rules will not be updated.
    	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    	Checking Snort OpenAppID detectors md5 file...
    	There is a new set of Snort OpenAppID detectors posted.
    	Downloading file 'snort-openappid.tar.gz'...
    	Done downloading rules file.
    	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    	Checking Snort GPLv2 Community Rules md5 file...
    	There is a new set of Snort GPLv2 Community Rules posted.
    	Downloading file 'community-rules.tar.gz'...
    	Done downloading rules file.
    	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    	Checking Emerging Threats Open rules md5 file...
    	There is a new set of Emerging Threats Open rules posted.
    	Downloading file 'emerging.rules.tar.gz'...
    	Done downloading rules file.
    	Extracting and installing Snort OpenAppID detectors...
    	Installation of Snort OpenAppID detectors completed.
    	Extracting and installing Snort GPLv2 Community Rules...
    	Installation of Snort GPLv2 Community Rules completed.
    	Extracting and installing Emerging Threats Open rules...
    	Installation of Emerging Threats Open rules completed.
    	Copying new config and map files...
    	Updating rules configuration for: LAN ...
    	Restarting Snort to activate the new set of rules...
    	Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2016-07-12 08:10:55
    
    


  • 2.3.1-RELEASE-p5

    I had the same problem tonight.  At first I had a bad checksum.  I restored to a known backup where I knew Snort was downloading VRT rules.

    NOW, Snort is giving me a "Server returned error code 422" error.  I had this error a couple nights ago but noticed that Snort had a new version come out.  I was using Snort Ver. 3.2.9.1_13.  After I upgraded Snort to 3.2.9.1_14 the "Server returned error code 422" went away for the past 2 days….

    BUT the "Server returned error code 422" has come back to haunt me tonight.  My thinking is Snort is having issues with 2.3.1_5???

    Have you tried reinstalling Snort or reverting to a saved backup image?



  • +1
    Problem started yesterday..

    Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5…
    Checking Snort VRT rules md5 file...
    There is a new set of Snort VRT rules posted.
    Downloading file 'snortrules-snapshot-2983.tar.gz'...
    Done downloading rules file.
    Snort VRT rules file download failed.  Bad MD5 checksum.
    Downloaded Snort VRT rules file MD5: ebg4rf610e0f417ae97bb9efd30e73e1
    Expected Snort VRT rules file MD5:
    Snort VRT rules file download failed.  Snort VRT rules will not be updated.
    Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    Checking Snort GPLv2 Community Rules md5 file...
    Snort GPLv2 Community Rules are up to date.
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    Checking Emerging Threats Open rules md5 file...
    Emerging Threats Open rules are up to date.


    pfSense version = latest
    pfSense Snort package = latest



  • There must have been changes on Snort side.

    I can download ET rules, Community rules, but not the VRT subscribed ones. I guess we have to wait.



  • same problem… hopefully there will be a fix soon!



  • +1

    I described the problem already in another thread before I found this one:
    https://forum.pfsense.org/index.php?topic=114954.msg638677#msg638677

    A manual verify of the file shows a correct checksum, but a problem with the line format?!



  • I think there is an issue with the MD5 checksum file posted along with the VRT rules.  That file is not formatted correctly (or at least is not formatted like it has been).  I suspect the Snort guys will get it fixed soon.

    Snort on pfSense downloads both the gzip rules archive and the posted MD5 checksum file from the VRT site.  It then calculates its own local MD5 checksum of the downloaded gzip archive and compares it to the value stored in the downloaded MD5 file.  If they don't match, it assumes the download failed and aborts updating the VRT rule set.

    You can see in the log snippets some folks posted that the "expected MD5 value" is showing up as blank.  That is not correct and indicates a problem in the downloaded MD5 checksum file's content.

    Bill
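
    The comparison described above, as an added Python example (not code from the pfSense Snort package). It goes beyond that description to separate three failure signatures that appear in this thread's logs: a blank expected value, an ordinary mismatch, and a downloaded digest of d41d8cd98f00b204e9800998ecf8427e, which is the MD5 of zero bytes of input. The function names, verdict labels and accepted .md5 line formats are assumptions.

```python
import hashlib
import re

EMPTY_MD5 = hashlib.md5(b"").hexdigest()   # digest of a zero-byte download
HEX32 = re.compile(r"[0-9a-f]{32}")
LOG_RE = re.compile(r"^(Downloaded|Expected) (.+?) file MD5:\s*(\S*)$")

def parse_md5_file(text):
    """Return the digest from a .md5 file body, or None if it is malformed.
    Assumption: a bare digest or an md5sum-style 'digest  filename' line."""
    tokens = text.strip().lower().split()
    if tokens and HEX32.fullmatch(tokens[0]):
        return tokens[0]
    return None

def classify(actual, expected):
    if expected is None:
        return "bad-checksum-file"   # blank "Expected": the fault is in the .md5 file
    if actual == EMPTY_MD5:
        return "empty-download"      # no archive bytes arrived: check the local path
    return "ok" if actual == expected else "mismatch"

def verify(archive_bytes, md5_file_text):
    """Local MD5 of the archive compared with the published value."""
    actual = hashlib.md5(archive_bytes).hexdigest()
    return classify(actual, parse_md5_file(md5_file_text))

def triage_log(log_text):
    """Map each rule set named in an update log to a verdict."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            kind, name, value = m.groups()
            seen.setdefault(name, {})[kind] = value.lower()
    return {name: classify(v.get("Downloaded", ""),
                           parse_md5_file(v.get("Expected", "")))
            for name, v in seen.items()}

# Sample input assembled from log lines quoted in this thread.
SAMPLE_2016 = """Downloaded Snort VRT rules file MD5: ecb6e1b7bdf6024a6a1dfbb813e108d6
Expected Snort VRT rules file MD5:
"""
SAMPLE_2017 = """Downloaded Snort VRT rules file MD5: 6526bfd0ecb40f147434e9ebf4e6d760
Expected Snort VRT rules file MD5: 34582aa575ae67f5618145371cef49bf
Downloaded Snort GPLv2 Community Rules file MD5: d41d8cd98f00b204e9800998ecf8427e
Expected Snort GPLv2 Community Rules file MD5: 32d134e922390691c91a9a1ad8984d24
"""
```

    An "empty-download" verdict means the archive arrived as zero bytes, so the fetch path on the firewall is the first thing to check before the upstream checksum file.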



  • If you want to temporarily ignore the MD5 issue for VRT rules, do the following:

    Open the /usr/local/pkg/snort/snort_check_for_rule_updates.php in your favorite editor, go to line 459, and add $snortdownload = 'on';

        457
        458 /* Untar Snort rules file to tmp and install the rules */
        459 $snortdownload = 'on';
        460 if ($snortdownload == 'on') {
    

    Then go to the Snort -> Update tab and click Force Update

    I recommend removing line 459 once this is completed.



  • @bmeeks and Paint,

    Thank you for the info.

    It's working now.

    Snort is the only package I use in pfSense and I use on both interfaces ( strict mode).

    It's perfect.. I love it.



  • Same here, working now!



  • Worked on 7/12/16 BUT hasn't updated since.  I "Forced Update" and I get a

    "Snort GPLv2 Community Rules md5 download failed.
    Server returned error code 0."

    Any suggestions?



  • @DeeeePIMPact:

    Worked on 7/12/16 BUT hasn't updated since.  I "Forced Update" and I get a

    "Snort GPLv2 Community Rules md5 download failed.
    Server returned error code 0."

    Any suggestions?

    Try this…. https://forum.pfsense.org/index.php?topic=114960.msg638743#msg638743



  • Thank You for the quick response!  I got it working.  In the last 2 days I've installed squid.

    I reverted back to an early restore point when I didn't install squid in the last 2 days and snort updates correctly.

    I am guessing squid is somehow blocking snort updates, and pfsense packages.



  • I figured I'd update this with what turned out to be the actual problem.

    It was not SQUID it was PFBLOCKER and a BOGON list I had installed from iBlocklist.com….

    PFBLOCKER Bogon list was blocking the SNORT VRT Rules and other updates.  Kind of weird as this hasn't happened before and I've been using these lists for quite some time...

    ohh well...  at least I figured it out :)



  • Has this snort download issue been fixed?  I was planning on buying into the snort rules tomorrow.



  • @battles:

    Has this snort download issue been fixed?  I was planning on buying into the snort rules tomorrow.

    Yes, it has been fixed since the day it was reported.  The problem was a corrupted MD5 checksum file stored on the Snort VRT rules web site.

    Bill



  • Hello,

    I'm also struggling to get rules updated after REinstalling pfSense-pkg-snort-3.2.9.1_14.  I've tried adding and removing line 459 and "force update" per the solution given by Paint on 07/12/2016 with no success. I'm noticing the MD5 codes listed for both the downloaded and expected rules files.

    Any suggestions about other things I can try?

    Thanks!

    Starting rules update…  Time: 2017-01-04 15:45:04
    Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
    Checking Snort VRT rules md5 file...
    There is a new set of Snort VRT rules posted.
    Downloading file 'snortrules-snapshot-2983.tar.gz'...
    Done downloading rules file.
    Snort VRT rules file download failed.  Bad MD5 checksum.
    Downloaded Snort VRT rules file MD5: 6526bfd0ecb40f147434e9ebf4e6d760
    Expected Snort VRT rules file MD5: 34582aa575ae67f5618145371cef49bf
    Snort VRT rules file download failed.  Snort VRT rules will not be updated.
    Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    Checking Snort GPLv2 Community Rules md5 file...
    There is a new set of Snort GPLv2 Community Rules posted.
    Downloading file 'community-rules.tar.gz'...
    Done downloading rules file.
    Snort GPLv2 Community Rules file download failed.  Bad MD5 checksum.
    Downloaded Snort GPLv2 Community Rules file MD5: d41d8cd98f00b204e9800998ecf8427e
    Expected Snort GPLv2 Community Rules file MD5: 32d134e922390691c91a9a1ad8984d24
    Snort GPLv2 Community Rules file download failed.  Snort GPLv2 Community Rules will not be updated.
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    Checking Emerging Threats Open rules md5 file...
    There is a new set of Emerging Threats Open rules posted.
    Downloading file 'emerging.rules.tar.gz'...
    Done downloading rules file.
    Emerging Threats Open rules file download failed.  Bad MD5 checksum.
    Downloaded Emerging Threats Open rules file MD5: d41d8cd98f00b204e9800998ecf8427e
    Expected Emerging Threats Open rules file MD5: 4530f7b252c063c3521d06f9e2443574
    Emerging Threats Open rules file download failed.  Emerging Threats Open rules will not be updated.
    The Rules update has finished.  Time: 2017-01-04 15:48:34



  • @ketaj271969:

    Hello,

    I'm also struggling to get rules updated after REinstalling pfSense-pkg-snort-3.2.9.1_14.  I've tried adding and removing line 459 and "force update" per the solution given by Paint on 07/12/2016 with no success. I'm noticing the MD5 codes listed for both the downloaded and expected rules files.

    Any suggestions about other things I can try?

    Thanks!

    this looks to be an error on the snort side of things - the md5 for the packages (from Snort) don't match the md5 listed for the download. This happens from time to time and will get resolved at Snort's convenience.



  • Hi -

    I continue to get this "Bad MD5 Checksum" error on a daily basis.  I'm currently updated to the latest version of pfSense Base system - 2.3.2_1.  I believe that I've configured the Snort service properly (oinkmaster code.

    If you have any suggestions of what else I could look at, please let me know.


    Starting rules update…  Time: 2017-01-13 12:05:00
    Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
    Checking Snort VRT rules md5 file...
    There is a new set of Snort VRT rules posted.
    Downloading file 'snortrules-snapshot-2983.tar.gz'...
    Done downloading rules file.
    Snort VRT rules file download failed.  Bad MD5 checksum.
    Downloaded Snort VRT rules file MD5: 2ea2e701ecf386c5ec88d6b7977c98bc
    Expected Snort VRT rules file MD5: 3ef18f7d2d38d79739072e4ba57cf32b
    Snort VRT rules file download failed.  Snort VRT rules will not be updated.
    Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    Checking Snort GPLv2 Community Rules md5 file...
    There is a new set of Snort GPLv2 Community Rules posted.
    Downloading file 'community-rules.tar.gz'...
    Done downloading rules file.
    Snort GPLv2 Community Rules file download failed.  Bad MD5 checksum.
    Downloaded Snort GPLv2 Community Rules file MD5: d41d8cd98f00b204e9800998ecf8427e
    Expected Snort GPLv2 Community Rules file MD5: 5226c89b677da8a7ab63ca6fa01720fe
    Snort GPLv2 Community Rules file download failed.  Snort GPLv2 Community Rules will not be updated.
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    Checking Emerging Threats Open rules md5 file...
    There is a new set of Emerging Threats Open rules posted.
    Downloading file 'emerging.rules.tar.gz'...
    Done downloading rules file.
    Emerging Threats Open rules file download failed.  Bad MD5 checksum.
    Downloaded Emerging Threats Open rules file MD5: d41d8cd98f00b204e9800998ecf8427e
    Expected Emerging Threats Open rules file MD5: 6d1bebb91cbb9323443399b8d12be408
    Emerging Threats Open rules file download failed.  Emerging Threats Open rules will not be updated.
    The Rules update has finished.  Time: 2017-01-13 12:09:16


  • Banned

    People, which part of "this is NOT a pfSense issue" is difficult to get?



  • To be clear, I didn't say this was a pfSense issue. – I've seen the previous responses to my request,

    What I'm asking is if there's a different avenue of investigation I might be able to pursue to figure out what the problem might be.  Perhaps with snort.org?

    You may have noticed from my badge that I'm a newbie here.  I was given the impression that this was a helpful forum.  My misunderstanding.


  • Banned

    Yeah, to be clear this is absolutely the wrong place to post. No one here maintains the snort.org webservers so no one here can fix broken checksums they keep uploading over and over and over again. If you have a paid subscription, complain to the Snort guys, if you have none, then you get what you paid for and simply wait till someone fixes it.

