Snort not updating?
-
Past week I've been trying to get Snort to download the updates from snort.org and it keeps getting stuck at:
Downloading current snort rules… And I left it alone for hours to see if it's just a slow download.
To be sure my configs or setup didn't get screwed up I went ahead and downloaded the latest 1.2.1 snapshot ISO. Did a complete fresh install with default settings and still does it.
Only thing that's changed recently via hardware is I added a Wi-Fi card but doubt that would have anything to do with it since I set snort to monitor the WAN port only.
Any ideas?
Thanks,
Darkk
-
Ok, I guess the updates are working again. Odd.
Darkk
-
Past week I've been trying to get Snort to download the updates from snort.org and it keeps getting stuck at:
Downloading current snort rules… And I left it alone for hours to see if it's just a slow download.
To be sure my configs or setup didn't get screwed up I went ahead and downloaded the latest 1.2.1 snapshot ISO. Did a complete fresh install with default settings and still does it.
Only thing that's changed recently via hardware is I added a Wi-Fi card but doubt that would have anything to do with it since I set snort to monitor the WAN port only.
Any ideas?
Thanks,
Darkk
Hi Darkk,
I would just like to share my experience with you. I get the downloading stuck problem when using Google Chrome. Haven't used IE 7 yet but it's ok when I use Firefox 3. I do encounter problems with the updating now, basically it's the permission problem other people are experiencing. This is for forum though, I will search for answers there.
-
Here exactly the same. Snort is not updating the rules. If I click on Rules Update it seems the browser is downloading the rules, but nothing happens. The animation is still running, for hours. I have tried Mozilla 3.04 and IE7.0.
Please help !! :'(
-
Well, to fix my snort issue I modified the XML backup file to exclude the SNORT portion and then did a fresh re-install of pfSense 1.2.1 RC1. Then I restored from back-up. Since I deleted the snort stuff the restore section put all of my settings back except snort.
I am not sure why but my gut feeling is that some setting or feature of snort is causing it to fubar, so rather than try to figure out why I just do a complete re-install of pfSense and re-do the snort stuff.
Seems to fix the issues I was having.
Now my Snort is working perfectly.
Darkk
-
I have just installed updated to 1.2.1 final. I've added snort and added the oinkid. When I try to move to other snort menus it'll force showing the "Downloading current snort rules" for many hours it'll remain there. If I try to get to other part of the Pfsense webgui I can't. The web gui seemed to be hung at the snort updating page.
The error I can find at /var/log is in lighttpd.error.log showing multiple of the following, minutes apart:
2008-12-29 13:13:18: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15125 bytes. We waited 360 seconds. If this a problem increase server.max-write-idle
Now my webgui is still hanging, the browser showing "Waiting for 10.0.0.1…." when I access it.
-
I have this problem too….:(
Anybody solve this problem?
-
Been reading a bit here: http://redmine.lighttpd.net/wiki/lighttpd/server.max-write-idleDetails
Seems lighttpd timed out after 360 seconds before the download of snort rules was completed. I'm not sure if it's an issue with server.max-write-idle or snort_download_rules.php.
Any ideas?
-
I was looking at this a bit earlier; timeout issue sounds reasonable. I was watching the download complete around 58 megs in the /tmp/snortRulesxxxx temp folder and it completes okay but then the browser does nothing.
Possible php timeout as well as / instead of? Is the server.max-write-idle something that can be adjusted easily? I haven't looked that up yet. Good find though, tekkon.
-
That seemed to work!
Edit /etc/inc/system.inc
Find the line reading:
server.dir-listing = "disable"
and put underneath it a new line reading:
server.max-write-idle = 720
I restarted to get this to take effect (I'm sure there's a better way; couldn't figure out how to restart lighttpd) and verified my changes showed in /var/etc/lighty-webConfigurator.conf - and then I tried the download again. Worked fine. First time it's worked in months.
Keep in mind this is just what I tried to get it to work - I can't say if this edit is a Really Bad Thing or not.
-
I tried altering 'server.max-write-idle'. Didn't work for me.
2008-12-31 21:20:18: (log.c.97) server started
2008-12-31 21:36:01: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15678 bytes. We waited 720 seconds. If this a problem increase server.max-write-idle
2008-12-31 21:39:55: (log.c.97) server started
2008-12-31 21:42:24: (network_openssl.c.221) SSL (error): 5 0 22 Unknown error: 0
2008-12-31 21:42:24: (connections.c.606) connection closed: write failed on fd 16
2008-12-31 22:32:08: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2008-12-31 22:32:08: (connections.c.606) connection closed: write failed on fd 11
2008-12-31 22:32:09: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2008-12-31 22:32:09: (connections.c.606) connection closed: write failed on fd 15
2008-12-31 22:40:56: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15678 bytes. We waited 3600 seconds. If this a problem increase server.max-write-idle
2008-12-31 22:45:20: (connections.c.132) (warning) close: 19 Socket is not connected
2008-12-31 23:03:50: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15678 bytes. We waited 3600 seconds. If this a problem increase server.max-write-idle
I tried to download the update with Firefox. The update is over 50Mb. I'll try "server.max-write-idle = 14400" next to see if I can complete the update this time.
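A way to compare the timeout entries in a log like the one above, as an added example that is not part of the original post: the awk filter groups lighttpd's write-idle notes by request path and reports how many distinct byte counts were written before each timeout, which shows whether a longer server.max-write-idle changed how far the response got. The function names and the output format are assumptions of this example; the sample lines are copied from the log in the post above.

```shell
#!/bin/sh
# Added example (not from the thread): summarize lighttpd write-idle timeouts.

# Sample input: five entries copied from the log posted above.
sample_log() {
cat <<'EOF'
2008-12-31 21:20:18: (log.c.97) server started
2008-12-31 21:36:01: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15678 bytes. We waited 720 seconds. If this a problem increase server.max-write-idle
2008-12-31 21:42:24: (connections.c.606) connection closed: write failed on fd 16
2008-12-31 22:40:56: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15678 bytes. We waited 3600 seconds. If this a problem increase server.max-write-idle
2008-12-31 23:03:50: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15678 bytes. We waited 3600 seconds. If this a problem increase server.max-write-idle
EOF
}

# summarize_timeouts [FILE...]
# Reads lighttpd error-log lines (stdin when no file is given) and prints one
# line per request path: number of timeouts, longest wait, and how many
# different byte counts had been written when the timeout fired.
summarize_timeouts() {
    awk '
    /timed out after writing/ {
        path = ""; bytes = ""; waited = ""
        for (i = 1; i < NF; i++) {
            if ($i == "for")     path   = $(i + 1)
            if ($i == "writing") bytes  = $(i + 1)
            if ($i == "waited")  waited = $(i + 1)
        }
        if (path == "" || bytes == "" || waited == "") next   # malformed entry
        count[path]++
        if (waited + 0 > maxwait[path] + 0) maxwait[path] = waited + 0
        if (!((path, bytes) in seen)) { seen[path, bytes] = 1; distinct[path]++ }
    }
    END {
        for (p in count) {
            note = "offset-varies"
            if (distinct[p] == 1)
                note = (count[p] > 1) ? "same-offset-every-time" : "single-event"
            printf "%s timeouts=%d max_wait=%ds byte_counts=%d %s\n",
                   p, count[p], maxwait[p], distinct[p], note
        }
    }' "$@"
}

# Stand-alone run on the embedded sample.
sample_log | summarize_timeouts
```

On a live box the same function can be pointed at the error log named earlier in the thread, e.g. `summarize_timeouts /var/log/lighttpd.error.log`.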
-
You can watch in the /tmp folder after you start your download; there is a snortRulesxxxx named temp folder and you can watch the download complete in there. That way you can get a time estimate of what your timeout value should be. The download seemed to complete in 8 minutes from my location so giving it a value of 12 minutes seemed the right thing to do.
-
Thanks for the tip adrianhensler.
Finally gotten snort to update after more than 12 hours with multiple md5 checksum failures. The webConfigurator can be restarted from the pfSense console setup (cli main menu).
Still some problems with snort. Whenever I open the snort blocked list (https://10.0.0.138/snort_blocked.php) the webgui would hang.
This is /var/log/lighttpd.error.log while the webgui hangs.
2008-12-31 23:39:21: (log.c.97) server started
2009-01-01 01:10:15: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-01 01:10:15: (connections.c.606) connection closed: write failed on fd 11
2009-01-01 01:23:47: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-01 01:23:47: (connections.c.606) connection closed: write failed on fd 13
2009-01-01 11:03:15: (connections.c.132) (warning) close: 18 Connection reset by peer
2009-01-01 16:10:12: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-01 16:10:12: (connections.c.606) connection closed: write failed on fd 11
2009-01-01 17:13:19: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-01 17:13:19: (connections.c.606) connection closed: write failed on fd 13
2009-01-01 17:17:42: (log.c.97) server started
2009-01-01 19:10:13: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-01 19:10:13: (connections.c.606) connection closed: write failed on fd 11
2009-01-01 22:51:56: (connections.c.132) (warning) close: 12 Socket is not connected
2009-01-02 01:13:58: (mod_fastcgi.c.2618) FastCGI-stderr: XML error at line 1, check URL
2009-01-02 02:37:06: (connections.c.132) (warning) close: 12 Socket is not connected
2009-01-03 00:21:58: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:21:58: (connections.c.606) connection closed: write failed on fd 11
2009-01-03 00:22:00: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:22:00: (connections.c.606) connection closed: write failed on fd 19
2009-01-03 00:22:00: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:22:00: (connections.c.606) connection closed: write failed on fd 27
2009-01-03 00:22:03: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:22:03: (connections.c.606) connection closed: write failed on fd 35
2009-01-03 00:36:25: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:36:25: (connections.c.606) connection closed: write failed on fd 14
2009-01-03 00:36:26: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:36:26: (connections.c.606) connection closed: write failed on fd 22
2009-01-03 00:36:26: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:36:26: (connections.c.606) connection closed: write failed on fd 29
2009-01-03 00:36:42: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:36:42: (connections.c.606) connection closed: write failed on fd 16
2009-01-03 00:36:44: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:36:44: (connections.c.606) connection closed: write failed on fd 21
2009-01-03 00:36:44: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:36:44: (connections.c.606) connection closed: write failed on fd 31
2009-01-03 00:38:53: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:38:53: (connections.c.606) connection closed: write failed on fd 13
2009-01-03 00:38:54: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:38:54: (connections.c.606) connection closed: write failed on fd 25
2009-01-03 00:38:54: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:38:54: (connections.c.606) connection closed: write failed on fd 33
2009-01-03 12:33:55: (connections.c.262) SSL: -1 5 54 Connection reset by peer
-
Snort updating is not working for me either.
I'm on a T1 with 6 voice streams and 1 128k Data stream so the internet is rather slow. With the default settings, I get the timeout after 360 seconds and it's probably due to the file being too large, so adding the server.max-write-idle results in the Web server not responding to any requests, meaning, when I add that line and restart the webconfigurator or even reboot the firewall, I go for the pfSense webapp and it sits there for 30 sec and times out. Putting "server.max-write-idle = "360" results in the same. Taking the line completely out resolves the web server not coming up issue but I'm not able to download snort rules. What gives?
** UPDATE **
What I was able to do was download the CURRENT snapshot of the ruleset and I copied it to /usr/local/etc/snort and untarred it there. Seems like it's working now but I had to do it manually. Having it update from the pfsense webapp on my slow connection was taking way too long so I guess manual is the way to go for this setup.
-
I have the same trouble…
uninstalling snort
hiks...hiks... :'(
-
Still some problems with snort. Whenever I open the snort blocked list (https://10.0.0.138/snort_blocked.php) the webgui would hang.
I see the same issues. Also noticed that while it gets stuck… a PHP process goes up to 100% CPU load.
I tried using the blocked page on HTTP instead of HTTPS, as the logs seem to indicate the issue is with OpenSSL, still the same issue.
Can anyone tell me where the snort_blocked.php file is located? I kinda want to take a look at it...
-
# find / -name snort_blocked.php
/usr/local/www/snort_blocked.php
:)
-
cool thanks :P
-
Still some problems with snort. Whenever I open the snort blocked list (https://10.0.0.138/snort_blocked.php) the webgui would hang.
I see the same issues. Also noticed that while it gets stuck… a PHP process goes up to 100% CPU load.
I tried using the blocked page on HTTP instead of HTTPS, as the logs seem to indicate the issue is with OpenSSL, still the same issue.
Can anyone tell me where the snort_blocked.php file is located? I kinda want to take a look at it...
At first I thought maybe I have older hardware like PIII with 512MB of RAM, but seeing this I'm glad to know I am not the only one experiencing this.
-
I'd like to state that I am having the same problem. The furthest I get is "Downloading current snort rules….." and nothing happens after that. It shows the link at which it is downloading and nothing.
If anyone has any ideas I have 2 routers that are doing the exact same thing that we can test on. Feel free to contact me via ëmal visseroth a t g mail d 0 t c0m.