SNORT rules update failing - already fixed, just future improvement?

  • So a week or so back I had the Snort OpenAppID Rules failing… it seems these rules were coming from servers in edu.br, and it turns out I had a pfBlockerNG/TLD nuance that BBCan177 helped me out with, and now all was well.  Fortunately I'm running some DNSBL test files, so the DNSBL trap was logged into the Snort Update log, which was a big help as a starting point.

    Today they are failing again, but it just appears the servers are unavailable... I can't reach them from any connection.

    host -t A www.ifs.edu.br
    www.ifs.edu.br is an alias for thor.ifs.edu.br.
    thor.ifs.edu.br has address 200.133.48.21
    PING 200.133.48.21 (200.133.48.21): 56 data bytes
    ^C
    --- 200.133.48.21 ping statistics ---
    83 packets transmitted, 0 packets received, 100.0% packet loss

    No problem, just wait for them to return.

    I guess this would be directed at Bill... but I was wondering if it would be possible for the Snort Update logs to show the actual site path to the files, and not just the filenames, when the update is being logged?  It would just make troubleshooting a bit easier for others in the future.

    Thanks in advance for listening.

    Rick
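
The two failure modes above (a pfBlockerNG DNSBL trap versus a rule server that is simply down) look identical in the Snort update log but are easy to tell apart at the shell. The helper below is an added example, not code from this thread or from the pfSense, Snort or pfBlockerNG packages. It assumes pfBlockerNG's default DNSBL virtual IP of 10.10.10.1 (override DNSBL_VIP if yours differs) and that `host -t A` prints "has address" lines as in the post; the sample lookup outputs are constructed, the first one mirroring the lookup shown above.

```shell
#!/bin/sh
# Added example (not from the thread): tell a pfBlockerNG DNSBL sinkhole
# apart from an unreachable Snort rule-update server.
#
# ASSUMPTION: pfBlockerNG's DNSBL virtual IP is the package default
# 10.10.10.1; set DNSBL_VIP in the environment if yours is different.
DNSBL_VIP="${DNSBL_VIP:-10.10.10.1}"

# classify_lookup HOST_OUTPUT
# Takes the text printed by `host -t A <name>` and prints one of:
#   sinkholed     - every A record is the DNSBL VIP (blocked locally, not down)
#   unresolved    - no A record at all (NXDOMAIN, SERVFAIL, timeout)
#   resolved:<ip> - first real address; reachability is a separate question
# Exit status: 0 resolved, 1 unresolved, 2 sinkholed.
classify_lookup() {
    out=$1
    # `host` prints "<name> has address <ip>" once per A record; keep the IPs.
    addrs=$(printf '%s\n' "$out" | awk '/ has address /{print $NF}')
    if [ -z "$addrs" ]; then
        echo unresolved
        return 1
    fi
    # Drop the sinkhole address; whatever is left is a real answer.
    real=$(printf '%s\n' "$addrs" | grep -vFx "$DNSBL_VIP" | head -n 1)
    if [ -z "$real" ]; then
        echo sinkholed
        return 2
    fi
    echo "resolved:$real"
    return 0
}

# diagnose_host NAME [PING_COUNT]
# Resolves NAME, classifies the answer, and only pings a real address.
# Needs network access; not exercised by the offline self-check below.
diagnose_host() {
    name=$1
    count=${2:-3}
    lookup=$(host -t A "$name" 2>&1)
    verdict=$(classify_lookup "$lookup")
    case $verdict in
        sinkholed)
            echo "$name: resolves to DNSBL VIP $DNSBL_VIP -> look at pfBlockerNG DNSBL/TLD feeds, not the remote server"
            ;;
        unresolved)
            echo "$name: no A record -> DNS problem (or the whole domain is blocked):"
            printf '%s\n' "$lookup" | sed 's/^/    /'
            ;;
        resolved:*)
            ip=${verdict#resolved:}
            if ping -c "$count" -q "$ip" >/dev/null 2>&1; then
                echo "$name ($ip): resolves and answers ICMP -> look elsewhere (HTTP, proxy, rules URL)"
            else
                echo "$name ($ip): resolves fine but no ICMP reply -> remote side likely down (or ICMP filtered)"
            fi
            ;;
    esac
}

# Constructed sample outputs (not captured from a live system). The first
# mirrors the lookup quoted in the post; the others show the two other cases.
SAMPLE_REAL='www.ifs.edu.br is an alias for thor.ifs.edu.br.
thor.ifs.edu.br has address 200.133.48.21'
SAMPLE_SINKHOLED="www.ifs.edu.br has address $DNSBL_VIP"
SAMPLE_NX='Host www.ifs.edu.br not found: 3(NXDOMAIN)'

if [ $# -eq 0 ]; then
    # Offline self-check against the constructed samples.
    echo "real:      $(classify_lookup "$SAMPLE_REAL")"
    echo "sinkholed: $(classify_lookup "$SAMPLE_SINKHOLED")"
    echo "nxdomain:  $(classify_lookup "$SAMPLE_NX")"
else
    for h in "$@"; do diagnose_host "$h"; done
fi
```

Run it as `sh diag.sh www.ifs.edu.br` from the pfSense shell; with no arguments it only runs the offline self-check. A "sinkholed" verdict means the DNSBL, not the remote server, is the thing to fix.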



  • Yes, it should be possible.  For that particular AppID feature, I was not the author of the code.  Another contributor from Brazil added that code and maintains the rules.  It is part of a university, I believe.  All that to say, I have not examined that part of the code since the original pull request, and I don't remember exactly how the URLs are handled.

    I will add it to my TODO list.

    Bill
