Snort failing to update rules - Firewall blocking ??



  • I have trouble getting Snort to update its rules. When I perform a force update, the popup saying

    "Updating rule sets may take a while … please wait for the process to complete."

    shows up and stays there for about a minute, then goes away and the result is "Failed".

    System logs are showing:

    Sep 18 20:01:44 	php-cgi 		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
    Sep 18 20:01:44 	php-cgi 		snort_check_for_rule_updates.php: [Snort] Rules download error: Connection timed out after 15002 milliseconds
    Sep 18 20:01:34 	php-cgi 		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
    Sep 18 20:01:34 	php-cgi 		snort_check_for_rule_updates.php: [Snort] Rules download error: Connection timed out after 15821 milliseconds
    Sep 18 20:01:18 	php-cgi 		snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2983.tar.gz...
    Sep 18 20:01:14 	php-cgi 		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
    Sep 18 20:01:14 	php-cgi 		snort_check_for_rule_updates.php: [Snort] Rules download error: Connection timed out after 15029 milliseconds 
    

    Obviously something is blocking access to the update servers.  It's not easy for a noob like me to find out if the FW is blocking, so I deactivated pfBlockerNG completely and tried to update the Snort rules again.  It failed once more.

    If I knew which IP it is trying to contact, perhaps I could check manually with Firefox if I can reach the destination at all, or even if it's the FW blocking (by doing a filter search)…

    How do I get more verbose output than simply "Connection timed out"?



  • Would it be possible to add more verbosity to the Snort logs so it's possible to see which servers it's trying to contact to download the update files?

    Snort VRT rules file download failed.  Server returned error 0.
    	The error text was: Connection timed out after 15015 milliseconds
    	Snort VRT rules will not be updated.
    	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    	Updating rules configuration for: WAN ...
    	Checking Snort OpenAppID detectors md5 file...
    	There is a new set of Snort OpenAppID detectors posted.
    	Downloading file 'snort-openappid.tar.gz'...
    	Updating rules configuration for: LAN ...
    	Updating rules configuration for: SEG1 ...
    	Restarting Snort to activate the new set of rules...
    	Snort VRT rules file download failed.  Server returned error 0.
    	The error text was: Connection timed out after 15000 milliseconds
    	Snort VRT rules will not be updated.
    	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    	Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2016-09-18 19:40:20
    

    Without the actual server address indicated, this is useless.



  • I had to whitelist these with pfblockerNG to get mine to update.
    s3-us-west-1.amazonaws.com
    s3-us-west-2.amazonaws.com
    s3.amazonaws.com

    I believe it was because of the malware patrol list I had downloaded.



  • @Impatient:

    I had to whitelist these with pfblockerNG to get mine to update.
    s3-us-west-1.amazonaws.com
    s3-us-west-2.amazonaws.com
    s3.amazonaws.com

    I believe it was because of the malware patrol list I had downloaded.

    pfBlockerNG has some lists that are prone to blocking Snort downloads.  The Snort VRT hosts their rule updates on Amazon Web Services.  That is a vast IP address pool.  The update process in the GUI simply connects to this URL: https://www.snort.org/rules/.

    That URL then has the filename appended and then your Oinkcode as a query string parameter.

    Bill



  • Hey Bill,

    First things first, the URL "https://www.snort.org/rules/" brings me to a Page Not Found (404) page on Snort's website. Not sure if this is intended or not.

    Then, I tried whitelisting the following URLs as per Impatient's suggestion:

    s3-us-west-1.amazonaws.com
    s3-us-west-2.amazonaws.com
    s3.amazonaws.com

    But it did not help.  I suspect it's using a variant of Amazon's server URLs, something like

    sX-us-XXXX-X.amazonaws.com

    where "X" are variables.  Typical of large infrastructures...  If that's the case, then I would need to whitelist a range of URLs or IPs (easier in Aliases in pfs).

    Would it be possible to perform a rule update via the CLI to get more verbose output?  I'd like to see a message such as

    "trying to contact blablabla.com for rule update.....

    cannot connect to blablabla.com, time out"



  • How do we fix this?



  • Anyways...

    I added "amazonaws.com" to my allowed aliases about 3 weeks ago. For weeks it was a no-go; I had to shut down pfBlockerNG to update the Snort rules.  Then, all of a sudden, I see that the Snort rules are being updated lately.

    I'm not sure what to think about that, but quite honestly, who cares, it works now.



  • I keep getting this error:

    There is a new set of Snort VRT rules posted.
    Downloading file 'snortrules-snapshot-2983.tar.gz'…
    Snort VRT rules file download failed.  Server returned error 0.
    The error text was: Connection timed out after 10000 milliseconds
    Snort VRT rules will not be updated.
    Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    Checking Snort GPLv2 Community Rules md5 file...
    There is a new set of Snort GPLv2 Community Rules posted.
    Downloading file 'community-rules.tar.gz'...
    Snort GPLv2 Community Rules file download failed.  Server returned error 0.
    The error text was: Connection timed out after 10002 milliseconds
    Snort GPLv2 Community Rules will not be updated.

    pfBlocker and Suricata are off.

    EDIT: found the source of the problem, I hadn't turned off DNSBL.
    Kinda stupid, but maybe it can help someone else.

    Any ideas?


  • Moderator

    With the new whitelisting changes in DNSBL, you can add the following to the Whitelist:

    .amazonaws.com
    

    and run a "Force Reload - DNSBL", which will remove any domain/sub-domains of amazonaws.com from being listed.
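    As an added example (not code from this thread or from the pfSense Snort package), a small Python helper that covers two things raised above: it parses the update log the posters quote to show that "Server returned error 0" plus a timeout means no HTTP response ever came back (the block is at DNS or connection level, not at snort.org), it flags a resolver answer that looks like a DNSBL sinkhole, and it checks whether a hostname is covered by a leading-dot whitelist entry such as ".amazonaws.com". The log excerpt, the sinkhole address and the public address in the test are constructed; that the error number is the HTTP status is an assumption.

```python
import ipaddress
import re
# Constructed excerpt modelled on the update log quoted in this thread (not real output).
SAMPLE_LOG = """\
Downloading file 'snortrules-snapshot-2983.tar.gz'...
Snort VRT rules file download failed.  Server returned error 0.
The error text was: Connection timed out after 10000 milliseconds
Snort VRT rules will not be updated.
Downloading file 'community-rules.tar.gz'...
Snort GPLv2 Community Rules file download failed.  Server returned error 0.
The error text was: Connection timed out after 10002 milliseconds
Snort GPLv2 Community Rules will not be updated.
"""

FAIL_RE = re.compile(r"^(?P<ruleset>.+?) file download failed\.\s+Server returned error (?P<code>\d+)\.$")
TIMEOUT_RE = re.compile(r"Connection timed out after (?P<ms>\d+) milliseconds")

def parse_failures(log_text):
    """Return [(ruleset, server_code, timeout_ms)] per failed download.
    Code 0 (assumed to be the HTTP status) means no HTTP response arrived:
    DNS or the TCP/TLS connect failed before the rules server answered."""
    failures, current = [], None
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if m:
            current = [m.group("ruleset"), int(m.group("code")), None]
            failures.append(current)
            continue
        t = TIMEOUT_RE.search(line)
        if t and current is not None and current[2] is None:
            current[2] = int(t.group("ms"))
    return [tuple(f) for f in failures]

def looks_sinkholed(answers):
    """True when a public host resolves only to non-routable addresses, the
    usual sign of a DNS blocklist answering with a local sinkhole IP."""
    addrs = [ipaddress.ip_address(a) for a in answers]
    return bool(addrs) and all(a.is_private or a.is_loopback or a.is_link_local for a in addrs)

def whitelist_covers(host, entries):
    """'.amazonaws.com' covers the domain and all sub-domains; an entry with
    no leading dot matches that exact name only."""
    host = host.lower().rstrip(".")
    for entry in (e.lower().rstrip(".") for e in entries):
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False
```

    To use it on a live box, feed it the text of the Rules Update Log and the A records your pfSense resolver returns for www.snort.org and the s3 hosts listed earlier in the thread.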



  • Thanks BBcan177

    After adding
    .amazonaws.com