Netgate Discussion Forum

    SNORT rules update failing - already fixed, just future improvement?

      Ramosel

      So a week or so back I had the Snort OpenAppID Rules failing… seems these rules were coming from servers in edu.br and it turns out I had a pfBlockerNG/TLD nuance that BBCan177 helped me out with and now all was well.  Fortunately I'm running some DNSBL test files so the DNSBL trap was logged into the Snort Update log which was a big help as a starting point.

      Today they are failing again but it just appears the servers are unavailable... can't reach them from any connection.

      host -t A www.ifs.edu.br
      www.ifs.edu.br is an alias for thor.ifs.edu.br.
      thor.ifs.edu.br has address 200.133.48.21
      PING 200.133.48.21 (200.133.48.21): 56 data bytes
      ^C
      --- 200.133.48.21 ping statistics ---
      83 packets transmitted, 0 packets received, 100.0% packet loss

      No problem, just wait for them to return.

      I guess this would be directed at Bill...  but I was wondering if it would be possible for the Snort Update logs to show the actual site path to the files and not just the filenames when the update is being logged?  It would just make troubleshooting for others a bit easier in the future.

      Thanks in advance for listening.

      Rick

        bmeeks

        Yes, it should be possible.  For that particular AppID feature, I was not the author of the code.  Another contributor from Brazil added that code and maintains the rules.  It is part of a University, I believe.  All that to say I have not examined that part of the code since the original pull request and I don't remember exactly how the URLs are handled.

        I will add it to my TODO list.

        Bill

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.