Snort updates are failing again



  • I have noticed that Snort rules updates are failing again.  I have tried to remove and reinstall, but it is failing the md5 check even on a clean install at the install stage.  I also noticed that a new version of Snort has been released from the Snort website.  Is there a fix being sorted for this?

    Let me finish by thanking the guys doing this work.  I wish I had the skill to contribute.  It is much appreciated.


  • Banned

    This is not a package bug. Either a temporary server problem, or you are using a rules snapshot version that's no longer available. Only these are available ATM:

    
    snortrules-snapshot-2990.tar.gz
    snortrules-snapshot-2983.tar.gz
    snortrules-snapshot-2976.tar.gz
    
    


  • @doktornotor:

    This is not a package bug. Either a temporary server problem, or you are using a rules snapshot version that's no longer available. Only these are available ATM:

    
    snortrules-snapshot-2990.tar.gz
    snortrules-snapshot-2983.tar.gz
    snortrules-snapshot-2976.tar.gz
    
    

    OK, thanks … but I am not too sure exactly what or why this is occurring.  The problem still persists, so I do not think it is a server issue.  How do I modify the snapshot it tries to get?

    Thank you for your patience.



  • @chc-pr:

    @doktornotor:

    This is not a package bug. Either a temporary server problem, or you are using a rules snapshot version that's no longer available. Only these are available ATM:

    
    snortrules-snapshot-2990.tar.gz
    snortrules-snapshot-2983.tar.gz
    snortrules-snapshot-2976.tar.gz
    
    

    OK, thanks … but I am not too sure exactly what or why this is occurring.  The problem still persists, so I do not think it is a server issue.  How do I modify the snapshot it tries to get?

    Thank you for your patience.

    You can't modify the rules snapshot without changing the Snort binary to the same version.  The Snort binary checks the version of the rules package against the version of the binary to be sure they match.  If they don't, then it errors out and dies.  So if you have the Snort 2.9.8.3 binary, you can't run any VRT rules snapshot except one versioned as 2.9.8.3.  And in case you're wondering, it's more than just the filename it looks at.  The rules package is internally versioned.

    My personal home network firewall just updated its rules successfully from Snort VRT at 1:30 PM US Eastern Time (about 8 minutes ago from when I'm typing this reply).  So whatever is happening is on your end or between you and the Amazon Web Services data center where the Snort VRT rules come from.  You don't mention it in your post, but several folks running pfBlockerNG with certain IP lists have reported pfBlockerNG blocking some of the AWS IP addresses used for the Snort VRT update.

    The Snort package will get updated shortly after the FreeBSD port maintainer updates the package there.  When FreeBSD ports updates, I bring over the changes, merge the custom blocking module code and then submit a pull request to the pfSense team to incorporate the new version in pfSense package repository.

    Bill
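The version coupling Bill describes, as an added example that is not part of the pfSense Snort package or Snort itself: the snapshot file name is the binary version with the dots removed (2.9.8.3 becomes snortrules-snapshot-2983.tar.gz), and the downloaded tarball is checked against the digest in its companion .md5 file before it is installed. The assumed .md5 layout (hex digest as the first whitespace-separated field, the usual md5sum/md5 output shape) is this example's own convention, and the "snapshot" it verifies is a constructed file, not real VRT content.

```shell
#!/bin/sh
# Added example (not pfSense/Snort package code): derive the VRT snapshot file
# name from the installed Snort binary version and verify a downloaded
# snapshot against its .md5 companion file.
# Assumption: the .md5 file carries the hex digest as its first
# whitespace-separated field (md5sum / md5 output shape).

# 2.9.8.3 -> snortrules-snapshot-2983.tar.gz
snapshot_name_for_version() {
    printf 'snortrules-snapshot-%s.tar.gz\n' "$(printf '%s' "$1" | tr -d '.')"
}

# Portable MD5: md5sum on Linux, md5 -q on FreeBSD/pfSense.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Return 0 when the tarball's digest matches the digest recorded in the .md5
# file, 1 otherwise. This is the "md5 check" the update log reports on; a
# mismatch means the tarball is truncated, tampered with, or simply not the
# file the .md5 describes (e.g. a stale snapshot version).
verify_snapshot_md5() {
    tarball=$1; md5file=$2
    expected=$(awk 'NR==1 {print $1}' "$md5file")
    actual=$(md5_of "$tarball")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Self-test on constructed files: a good snapshot, then the same file after
# tampering, which must fail the check.
demo() {
    dir=$(mktemp -d)
    name=$(snapshot_name_for_version 2.9.8.3)
    printf 'constructed snapshot bytes\n' > "$dir/$name"
    printf '%s  %s\n' "$(md5_of "$dir/$name")" "$name" > "$dir/$name.md5"
    if verify_snapshot_md5 "$dir/$name" "$dir/$name.md5"; then
        echo "$name: md5 OK"
    else
        echo "$name: md5 MISMATCH"
    fi
    printf 'tampered\n' >> "$dir/$name"
    if verify_snapshot_md5 "$dir/$name" "$dir/$name.md5"; then
        echo "$name: md5 OK"
    else
        echo "$name: md5 MISMATCH"
    fi
    rm -rf "$dir"
}
demo
```

Running this on a pfSense box with `snort -V` output in hand tells you which snapshot name the package will request; if that name is not in the list the server currently publishes, no amount of reinstalling the rules will help until the Snort binary package itself is updated.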



  • I had a problem with the Snort 3.2.8.2_16 release yesterday.  After two package deletions and re-installations, Snort (and Barnyard) did start but 3 of the rules sets would not download even with a force.

    Snort VRT Rules
    Snort GPLv2 Community Rules
    Snort OpenAppID Detectors

    BBCan177 pm'd me about this thread so I disabled DNSBL and still no joy.  At the time the logs were showing error ""

    I let the system sit, and when I manually ran the update this morning they are still failing and the logs are now showing error 0 and the self-signed cert error.

    How best to proceed correcting this error?

    Starting rules update…  Time: 2017-02-08 05:49:40
    Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
    Checking Snort VRT rules md5 file...
    There is a new set of Snort VRT rules posted.
    Downloading file 'snortrules-snapshot-2983.tar.gz'...
    Snort VRT rules file download failed.  Server returned error 0.
    The error text was: SSL certificate problem: self signed certificate
    Snort VRT rules will not be updated.
    Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5…
    Checking Snort OpenAppID detectors md5 file...
    There is a new set of Snort OpenAppID detectors posted.
    Downloading file 'snort-openappid.tar.gz'...
    Snort OpenAppID detectors file download failed.  Server returned error 0.
    The error text was: SSL certificate problem: self signed certificate
    Snort OpenAppID detectors will not be updated.
    Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5…
    Checking Snort OpenAppID RULES detectors md5 file...
    There is a new set of Snort OpenAppID RULES detectors posted.
    Downloading file 'appid_rules.tar.gz'...
    Done downloading rules file.
    Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    Checking Snort GPLv2 Community Rules md5 file...
    There is a new set of Snort GPLv2 Community Rules posted.
    Downloading file 'community-rules.tar.gz'...
    Snort GPLv2 Community Rules file download failed.  Server returned error 0.
    The error text was: SSL certificate problem: self signed certificate
    Snort GPLv2 Community Rules will not be updated.
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5…
    Checking Emerging Threats Open rules md5 file...
    Emerging Threats Open rules are up to date.
    Extracting and installing Snort OpenAppID detectors...
    Installation of Snort OpenAppID detectors completed.
    The Rules update has finished.  Time: 2017-02-08 05:52:49
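A small log triage helper, added here as an example and not part of the pfSense Snort package: it pulls every failed download and its error text out of an update log like the one above, then collapses the errors to the distinct set. When three different rule sets fail with the identical "SSL certificate problem: self signed certificate" while Emerging Threats succeeds, the common factor is what is sitting between the firewall and the Snort/AWS side (a DNSBL sinkhole answering with its own certificate, a TLS-intercepting proxy), not three servers breaking at once. The sample input is the log posted in this thread, embedded as test data; the log line shapes it matches are assumed from that post.

```shell
#!/bin/sh
# Added example (not pfSense Snort package code): summarise which rule sets a
# Snort rules-update log failed to download and why.
# Assumption: failed fetches are logged as "<rule set> file download failed..."
# followed on the next line by "The error text was: <message>", as in the log
# posted in this thread.

# Print "<rule set>: <error text>" for every failed download in a log file.
failed_rule_sets() {
    awk '
        /file download failed/ {
            name = $0
            sub(/^[ \t]+/, "", name)
            sub(/ file download failed.*/, "", name)
            pending = name
            next
        }
        pending != "" && /The error text was: / {
            msg = $0
            sub(/.*The error text was: /, "", msg)
            print pending ": " msg
            pending = ""
            next
        }
        { pending = "" }
    ' "$1"
}

# Distinct error texts. One error repeated across several hosts points at
# something local (DNSBL sinkhole, proxy, clock), not at the rule servers.
distinct_errors() {
    failed_rule_sets "$1" | sed 's/^[^:]*: //' | sort -u
}

# Sample input: the update log posted in this thread, used as test data.
sample_log() {
    cat <<'EOF'
Starting rules update...  Time: 2017-02-08 05:49:40
Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
Checking Snort VRT rules md5 file...
There is a new set of Snort VRT rules posted.
Downloading file 'snortrules-snapshot-2983.tar.gz'...
Snort VRT rules file download failed.  Server returned error 0.
The error text was: SSL certificate problem: self signed certificate
Snort VRT rules will not be updated.
Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
Checking Snort OpenAppID detectors md5 file...
There is a new set of Snort OpenAppID detectors posted.
Downloading file 'snort-openappid.tar.gz'...
Snort OpenAppID detectors file download failed.  Server returned error 0.
The error text was: SSL certificate problem: self signed certificate
Snort OpenAppID detectors will not be updated.
Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
Checking Snort OpenAppID RULES detectors md5 file...
There is a new set of Snort OpenAppID RULES detectors posted.
Downloading file 'appid_rules.tar.gz'...
Done downloading rules file.
Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
Checking Snort GPLv2 Community Rules md5 file...
There is a new set of Snort GPLv2 Community Rules posted.
Downloading file 'community-rules.tar.gz'...
Snort GPLv2 Community Rules file download failed.  Server returned error 0.
The error text was: SSL certificate problem: self signed certificate
Snort GPLv2 Community Rules will not be updated.
Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
Checking Emerging Threats Open rules md5 file...
Emerging Threats Open rules are up to date.
Extracting and installing Snort OpenAppID detectors...
Installation of Snort OpenAppID detectors completed.
The Rules update has finished.  Time: 2017-02-08 05:52:49
EOF
}

demo() {
    f=$(mktemp)
    sample_log > "$f"
    echo "Failed downloads:"
    failed_rule_sets "$f"
    echo "Distinct errors:"
    distinct_errors "$f"
    rm -f "$f"
}
demo
```

Point it at the real log instead of `sample_log` to triage a live box; a "self signed certificate" error from a host that should present a public CA certificate is worth confirming with a direct resolver query for that host before blaming the upstream servers.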



  • Had trouble today too, but Snort is failing to start after the update.

    FATAL ERROR: /usr/local/etc/snort/snort_6018_em1/rules/snort.rules(385) Unknown ClassType: sdf
    

    And the php-fpm error that follows:

    /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 6018 -D -q --suppress-config-log -l /var/log/snort/snort_em16018 --pid-path /var/run --nolock-pidfile -G 6018 -c /usr/local/etc/snort/snort_6018_em1/snort.conf -i em1' returned exit code '1', the output was ''
    


  • @Jailer:

    Had trouble today too, but Snort is failing to start after the update.

    FATAL ERROR: /usr/local/etc/snort/snort_6018_em1/rules/snort.rules(385) Unknown ClassType: sdf
    

    And the php-fpm error that follows:

    /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 6018 -D -q --suppress-config-log -l /var/log/snort/snort_em16018 --pid-path /var/run --nolock-pidfile -G 6018 -c /usr/local/etc/snort/snort_6018_em1/snort.conf -i em1' returned exit code '1', the output was ''
    

    Well after the 3rd delete and install it's working now.  :o


  • Banned

    @Jailer: Your issue with a broken rule is clearly completely OT on this thread. Snort dies on hitting a bad rule. As retarded as that. Complain upstream. I seriously cannot understand how someone can design a security technology in a way that it bombs out and leaves people completely unprotected on hitting a single broken rule out of tens of thousands of them.
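Because Snort refuses to start on a single undeclared classtype, it pays to catch that before the restart rather than after. The following pre-flight check is an added example, not Snort's or the pfSense package's code: it lists every `classtype:` referenced by an enabled rule in a rules file that the interface's `classification.config` does not declare, which is exactly what the "Unknown ClassType: sdf" fatal error above is complaining about. The authoritative check remains Snort's own test mode, `snort -T -c <snort.conf> -i <iface>`; this script only narrows the diagnosis to the offending name(s). The sample rules and classification entries are constructed for the example.

```shell
#!/bin/sh
# Added example (not Snort or pfSense package code): find classtypes used by
# rules that classification.config does not declare. Snort treats such a
# reference as a fatal configuration error and exits.
# Assumptions: classification.config lines look like
#   config classification: <name>,<description>,<priority>
# and rule lines carry "classtype:<name>;" (leading '#' disables a rule).
LC_ALL=C; export LC_ALL

declared_classtypes() {
    sed -n 's/^config classification:[ ]*\([^,]*\),.*/\1/p' "$1" | sort -u
}

# Classtypes referenced by enabled rules only; Snort ignores commented rules.
referenced_classtypes() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -o 'classtype:[[:space:]]*[^;]*' \
        | sed 's/^classtype:[[:space:]]*//; s/[[:space:]]*$//' \
        | sort -u
}

# Print classtypes referenced by rules but absent from classification.config.
unknown_classtypes() {
    ref=$(mktemp); dec=$(mktemp)
    referenced_classtypes "$1" > "$ref"
    declared_classtypes "$2" > "$dec"
    comm -23 "$ref" "$dec"
    rm -f "$ref" "$dec"
}

# Constructed sample files (not real VRT rules): three enabled rules, one of
# which uses classtype "sdf" that the sample classification.config lacks, plus
# a disabled rule whose classtype must be ignored.
write_samples() {
    cat > "$1/classification.config" <<'EOF'
config classification: trojan-activity,A Network Trojan was detected,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: misc-activity,Misc activity,3
EOF
    cat > "$1/snort.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed rule 1"; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed rule 2"; classtype:attempted-admin; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed rule 3"; classtype:sdf; sid:9000003; rev:1;)
# alert tcp any any -> any any (msg:"disabled rule"; classtype:not-a-real-class; sid:9000004; rev:1;)
EOF
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    missing=$(unknown_classtypes "$d/snort.rules" "$d/classification.config")
    if [ -n "$missing" ]; then
        echo "Undeclared classtypes (Snort will refuse to start): $missing"
    else
        echo "All classtypes declared"
    fi
    rm -rf "$d"
}
demo
```

On a pfSense interface the two files to pass are `/usr/local/etc/snort/snort_<id>_<iface>/rules/snort.rules` and the `classification.config` in the same interface directory; a non-empty result is the name to add to (or fix in) the classification file, or the rule to disable, before starting the interface again.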



  • Although I am not seeing any specific alerts under pfBlockerNG/DNSBL, it now appears pfBlockerNG/DNSBL is causing my problem with 3 of my 5 Snort rule sets not updating.  I have 2 Amazon ASNs configured in my pass lists but I'm missing something.  Does anyone have a list of all the servers Snort looks to for updating the rules sets?

    Thanks in advance,
    Rick


  • Banned

    You should exclude things like

    
    .akamai.net
    .akamaiedge.net
    .amazonaws.com
    
    

    from DNSBL using Custom Domain Whitelist. (The last one is for Snort, IIRC, however having huge CDNs blackholed is absolutely undesired, whatever the use case.)