Snort Update rules not working



  • I just updated to the latest Snort version

    Upgrading pfSense-pkg-snort…
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up-to-date.
    Updating pfSense repository catalogue...
    pfSense repository is up-to-date.
    All repositories are up-to-date.
    The following 1 package(s) will be affected (of 0 checked):

    Installed packages to be UPGRADED:
    pfSense-pkg-snort: 3.2.9.1_14 -> 3.2.9.2_15 [pfSense]

    Number of packages to be upgraded: 1

    134 KiB to be downloaded.
    Fetching pfSense-pkg-snort-3.2.9.2_15.txz: …....... done
    Checking integrity... done (0 conflicting)
    [1/1] Upgrading pfSense-pkg-snort from 3.2.9.1_14 to 3.2.9.2_15…
    [1/1] Extracting pfSense-pkg-snort-3.2.9.2_15: …....... done
    Removing snort components...
    Menu items... done.
    Services... done.
    Loading package instructions...
    Saving updated package information...
    overwrite!
    Loading package configuration... done.
    Configuring package components...
    Loading package instructions...
    Custom commands...
    Executing custom_php_install_command()...Saved settings detected.
    Migrating settings to new configuration... done.
    Downloading Snort VRT rules md5 file... done.
    Checking Snort VRT rules md5 file... done.
    There is a new set of Snort VRT rules posted.
    Downloading snortrules-snapshot-2983.tar.gz... done.
    Downloading Snort OpenAppID detectors md5 file... done.
    Checking Snort OpenAppID detectors md5 file... done.
    There is a new set of Snort OpenAppID detectors posted.
    Downloading snort-openappid.tar.gz... done.
    Downloading Snort GPLv2 Community Rules md5 file... done.
    Checking Snort GPLv2 Community Rules md5 file... done.
    There is a new set of Snort GPLv2 Community Rules posted.
    Downloading community-rules.tar.gz... FAILED!
    Snort GPLv2 Community Rules file download failed... server returned error '429'.
    Snort GPLv2 Community Rules will not be updated.
    Downloading Emerging Threats Open rules md5 file... done.
    Checking Emerging Threats Open rules md5 file... done.
    There is a new set of Emerging Threats Open rules posted.
    Downloading emerging.rules.tar.gz... done.
    Installing Sourcefire VRT rules...Copying md5 signature to snort directory... done.
    Installing Snort OpenAppID detectors...Copying md5 signature to snort directory... done.
    Installing Emerging Threats Open rules...Copying md5 signature to snort directory... done.
    Updating rules configuration for: WAN ... done.
    Updating rules configuration for: LAN ... done.
    Cleaning up temp dirs and files... done.
    The Rules update has finished.
    Generating snort.conf configuration file from saved settings.
    Generating configuration for WAN...
    done.
    Generating configuration for LAN...
    done.
    Generating snort.sh script in /usr/local/etc/rc.d/... done.
    Finished rebuilding Snort configuration files.
    done.
    Executing custom_php_resync_config_command()...

    done.
    Menu items... done.
    Services... done.
    Writing configuration... done.
    Please visit Services - Snort - Interfaces tab first and select your desired rules. Afterwards visit the Updates tab to download your configured rulesets.Message from pfSense-pkg-snort-3.2.9.2_15:
    Please visit Services - Snort - Interfaces tab first to add an interface, then select your desired rules packages at the Services - Snort - Global tab. Afterwards visit the Updates tab to download your configured rulesets.

    Cleaning up cache... done.
    Success

    But I get an error on the VRT rules.
    I checked my subscription and it's still good. I got the personal one.

    The auto update doesn't seem to work; it fails very often. But I get a lot of old dates each time for last update.

    When I do a force update I see

    Snort VRT Rules               Wednesday, 11-Jan-17 00:18:09 CET
    Snort GPLv2 Community Rules   Wednesday, 11-Jan-17 00:18:09 CET
    Emerging Threats Open Rules   Wednesday, 11-Jan-17 00:18:10 CET
    Snort OpenAppID Detectors     Wednesday, 11-Jan-17 00:18:09 CET

    and it works just fine.

    Starting rules update…  Time: 2017-01-11 00:09:17
    Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
    Checking Snort VRT rules md5 file...
    There is a new set of Snort VRT rules posted.
    Downloading file 'snortrules-snapshot-2983.tar.gz'...
    Done downloading rules file.
    Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    Checking Snort OpenAppID detectors md5 file...
    There is a new set of Snort OpenAppID detectors posted.
    Downloading file 'snort-openappid.tar.gz'...
    Done downloading rules file.
    Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    Checking Snort GPLv2 Community Rules md5 file...
    There is a new set of Snort GPLv2 Community Rules posted.
    Downloading file 'community-rules.tar.gz'...
    Snort GPLv2 Community Rules file download failed.  Server returned error 429.
    The error text was:
    Snort GPLv2 Community Rules will not be updated.
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    Checking Emerging Threats Open rules md5 file...
    There is a new set of Emerging Threats Open rules posted.
    Downloading file 'emerging.rules.tar.gz'...
    Done downloading rules file.
    Extracting and installing Snort VRT rules...
    Using Snort VRT precompiled SO rules for FreeBSD-10-0 ...
    Installation of Snort VRT rules completed.
    Extracting and installing Snort OpenAppID detectors...
    Installation of Snort OpenAppID detectors completed.
    Extracting and installing Emerging Threats Open rules...
    Installation of Emerging Threats Open rules completed.
    Copying new config and map files...
    Updating rules configuration for: WAN ...
    Updating rules configuration for: LAN ...
    The Rules update has finished.  Time: 2017-01-11 00:11:50

    Done downloading rules file.
    Emerging Threats Open rules file download failed.  Bad MD5 checksum.
    Downloaded Emerging Threats Open rules file MD5:
    Expected Emerging Threats Open rules file MD5: 5ff09adf8229a73e68c310cd9f1b8389
    Emerging Threats Open rules file download failed.  Emerging Threats Open rules will not be updated.
    Copying new config and map files...
    Updating rules configuration for: WAN ...
    Updating rules configuration for: LAN ...
    Restarting Snort to activate the new set of rules...
    Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2017-01-11 00:12:46

    Starting rules update...  Time: 2017-01-11 00:16:15
    Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
    Checking Snort VRT rules md5 file...
    Snort VRT rules are up to date.
    Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    Checking Snort OpenAppID detectors md5 file...
    Snort OpenAppID detectors are up to date.
    Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    Snort GPLv2 Community Rules md5 download failed.
    Server returned error code 429.
    Server error message was:
    Snort GPLv2 Community Rules will not be updated.
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    Checking Emerging Threats Open rules md5 file...
    Emerging Threats Open rules are up to date.
    The Rules update has finished.  Time: 2017-01-11 00:16:16

    Starting rules update...  Time: 2017-01-11 00:16:24
    Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
    Checking Snort VRT rules md5 file...
    There is a new set of Snort VRT rules posted.
    Downloading file 'snortrules-snapshot-2983.tar.gz'...
    Done downloading rules file.
    Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    Checking Snort OpenAppID detectors md5 file...
    There is a new set of Snort OpenAppID detectors posted.
    Downloading file 'snort-openappid.tar.gz'...
    Done downloading rules file.
    Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    Checking Snort GPLv2 Community Rules md5 file...
    There is a new set of Snort GPLv2 Community Rules posted.
    Downloading file 'community-rules.tar.gz'...
    Done downloading rules file.
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    Checking Emerging Threats Open rules md5 file...
    There is a new set of Emerging Threats Open rules posted.
    Downloading file 'emerging.rules.tar.gz'...
    Done downloading rules file.
    Extracting and installing Snort VRT rules...
    Using Snort VRT precompiled SO rules for FreeBSD-10-0 ...
    Installation of Snort VRT rules completed.
    Extracting and installing Snort OpenAppID detectors...
    Installation of Snort OpenAppID detectors completed.
    Extracting and installing Snort GPLv2 Community Rules...
    Installation of Snort GPLv2 Community Rules completed.
    Extracting and installing Emerging Threats Open rules...
    Installation of Emerging Threats Open rules completed.
    Copying new config and map files...
    Updating rules configuration for: WAN ...
    Updating rules configuration for: LAN ...
    Restarting Snort to activate the new set of rules...
    Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2017-01-11 00:18:59

    The forced update that started at 00:16 just seems to work fine and doesn't give an error.


  • Banned

    HTTP 429 - Too many requests.

    Try again in a couple of hours at least, and stop hammering the server, that certainly will NOT help.



  • @doktornotor:

    HTTP 429 - Too many requests.

    Try again in a couple of hours at least, and stop hammering the server, that certainly will NOT help.

    I'm not hammering. It's set up for once per 24 hours.

    After the update of Snort failed, I did a force update and that worked. That one should be blocked also if it was too many requests from my IP.


  • Banned

    This is a server "issue"/rate limiting and has nothing to do with the package. Simply WAIT.



  • I noticed long ago on my personal system that letting the rules auto-update around midnight US Eastern Time seemed to be a bad idea as I would get frequent failures.  I moved my update time to 2:00 AM US Eastern Time and have not had a problem since.

    I have absolutely no data to back this up, but my first suspicion is maybe some kind of server backup occurs around midnight or else some other maintenance of some sort is at play.  All I know for sure is that once I changed my auto-update time to a couple of hours later, it started working dependably.  The proof that it's something on the server side is your manual updates during the day are successful.

    Bill



  • ^^ That spawned a possibly good idea - for the pfSense devs, setting the minute number randomly, on first install, would help for the future.  You should expect to see a higher server load as more people use pfSense.
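
Added example, not part of the thread or of the pfSense Snort package: a Python parser for the update-log format quoted above. It classifies each ruleset in each run as ok, rate limited (HTTP 429) or bad MD5, counts failures by start hour, and lists rulesets whose last outcome was a failure. The sample log is constructed from lines in the thread; the function names and status labels are assumptions.

```python
import re
from collections import Counter
# Constructed sample in the format of the update log quoted in the thread.
SAMPLE_LOG = """\
Starting rules update...  Time: 2017-01-11 00:09:17
Snort GPLv2 Community Rules file download failed.  Server returned error 429.
Emerging Threats Open rules file download failed.  Bad MD5 checksum.
Installation of Snort VRT rules completed.
Starting rules update...  Time: 2017-01-11 00:16:15
Snort GPLv2 Community Rules md5 download failed.
Server returned error code 429.
Emerging Threats Open rules are up to date.
Starting rules update...  Time: 2017-01-12 02:00:03
Installation of Snort GPLv2 Community Rules completed.
"""

START = re.compile(r"^Starting rules update\S*\s+Time: \S+ (\d\d):")
FAILED = re.compile(r"^(.+?) (?:file|md5) download failed")
OK = re.compile(r"^(?:Installation of (.+?) completed\.|(.+?) are up to date\.)$")
HTTP_429 = re.compile(r"server returned error (?:code )?'?429", re.I)

def parse_runs(text):
    """Split the log into runs: [(start_hour, {ruleset: status}), ...]."""
    runs, last_failed = [], None
    for line in map(str.strip, text.splitlines()):
        if m := START.match(line):
            runs.append((int(m.group(1)), {}))
            last_failed = None
        elif runs:
            status = runs[-1][1]
            if m := FAILED.match(line):
                last_failed = m.group(1).lower()
                status.setdefault(last_failed, "download_failed")
            if last_failed and HTTP_429.search(line):
                status[last_failed] = "http_429"   # server-side rate limit
            elif last_failed and "Bad MD5 checksum" in line:
                status[last_failed] = "bad_md5"    # log reported a checksum mismatch
            elif m := OK.match(line):
                status.setdefault((m.group(1) or m.group(2)).lower(), "ok")
    return runs

def failures_by_hour(runs):
    """Failed ruleset downloads per start hour, to spot a bad schedule slot."""
    return Counter(h for h, st in runs for s in st.values() if s != "ok")

def stale_rulesets(runs):
    """Rulesets whose most recent logged outcome was a failure."""
    latest = {name: s for _, st in runs for name, s in st.items()}
    return {name: s for name, s in latest.items() if s != "ok"}
```

A non-empty `stale_rulesets` result means the sensor is still running an older copy of that ruleset, which is worth alerting on rather than leaving in the update log.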

