[SOLVED] Snort Updates Fail Bad Checksum



  • Using PFSense NanoBSD 2.3.4-Release (i386)

    Setting up Snort and keep getting failed updates. Initially I was getting a 505 error for invalid http or something like that, let it sit for a while and now I'm getting failed updates due to bad MD5 checksums. The log message is below. I've uninstalled and re-installed the package, regenerated the snort oinkcode, verified no preceding or trailing spaces in the code. I am using PFBlocker and disabled that to try the updates as I've read that pfblocker sometimes blocks updates, that also did not help. I read something about manually downloading the rules through the command line, but I'm not that good with the command line, and really didn't find anything reliable on how to do that. I'm at a loss of ideas.

    Starting rules update…  Time: 2017-05-19 16:33:28
    Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
    Checking Snort VRT rules md5 file...
    There is a new set of Snort VRT rules posted.
    Downloading file 'snortrules-snapshot-2983.tar.gz'...
    Done downloading rules file.
    Snort VRT rules file download failed.  Bad MD5 checksum.
    Downloaded Snort VRT rules file MD5: 7805022762dedb592ea2d7e7f9179052
    Expected Snort VRT rules file MD5: 97296a1719c72cd42f5907439e23c709
    Snort VRT rules file download failed.  Snort VRT rules will not be updated.
    Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    Checking Snort OpenAppID detectors md5 file...
    There is a new set of Snort OpenAppID detectors posted.
    Downloading file 'snort-openappid.tar.gz'...
    Done downloading rules file.
    Snort OpenAppID detectors file download failed.  Bad MD5 checksum.
    Downloaded Snort OpenAppID detectors file MD5: d41d8cd98f00b204e9800998ecf8427e
    Expected Snort OpenAppID detectors file MD5: 501bb173f827a55d5a576816e1243958
    Snort OpenAppID detectors file download failed.  Snort OpenAppID detectors will not be updated.
    Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    Checking Snort GPLv2 Community Rules md5 file...
    There is a new set of Snort GPLv2 Community Rules posted.
    Downloading file 'community-rules.tar.gz'...
    Done downloading rules file.
    Snort GPLv2 Community Rules file download failed.  Bad MD5 checksum.
    Downloaded Snort GPLv2 Community Rules file MD5: 861d890b47ce9a542e08f9e434a28b77
    Expected Snort GPLv2 Community Rules file MD5: c3aeed15c958358c3d7fdbc039f3d421
    Snort GPLv2 Community Rules file download failed.  Snort GPLv2 Community Rules will not be updated.
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    Checking Emerging Threats Open rules md5 file...
    There is a new set of Emerging Threats Open rules posted.
    Downloading file 'emerging.rules.tar.gz'...
    Done downloading rules file.
    Emerging Threats Open rules file download failed.  Bad MD5 checksum.
    Downloaded Emerging Threats Open rules file MD5: d41d8cd98f00b204e9800998ecf8427e
    Expected Emerging Threats Open rules file MD5: 7ba16957edfce56c00a22ca67b2da6a5
    Emerging Threats Open rules file download failed.  Emerging Threats Open rules will not be updated.
    The Rules update has finished.  Time: 2017-05-19 16:38:48



  • Snort on NanoBSD is a bad combination.  In fact NanoBSD and about any package is a bad combination due to potential disk space issues.  There is a high probability you lack enough space on your RAM disk volumes to download and expand all those rules files, hence the MD5 checksum error.  Check your system log carefully for any out-of-space messages for the RAM disk volumes.  To be safe, you need about 256 MB free on /tmp and /var for the rules download to succeed.

    Snort and Suricata are both big users of disk space for logs and other tasks (like downloading rules updates).  Combining either of those packages with pfBlockerNG is adding more fuel to the fire.  The IP lists downloaded and needed by pfBlockerNG take up disk space as well.  A regular full install on an SSD or spinning media normally has plenty of space.  NanoBSD many times does not due to the physical constraints on the RAM disk partition sizes.

    If you have enough RAM, try expanding your RAM disk partitions so you meet the criteria I posted above.  Even better, ditch the NanoBSD and go to an SSD and full install.

    Bill



  • Ok Thanks,

    Correct you are! The /tmp is my culprit, although it looks like /var is getting close as well. I'm only using 16-40 % of the RAM installed. How does one go about increasing the partition sizes? Never been that deep into PFsense, and I imagine it's done through the command line.



  • That did the Trick. Thanks for the help! All rules updated just fine.



  • @Ghostdragon97:

    That did the Trick. Thanks for the help! All rules updated just fine.

    Glad you got it going.  The /tmp directory is where the tar.gz files from the rules update are downloaded and then unzipped.  From there they get copied to /usr/local/etc/snort/rules.  You need enough free space on /tmp to hold the tar.gz rules package and then the unzipped contents as well.  I included /var because that's where log and alerts files go.  That volume can fill up on you as well.

    Bill
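
    A triage sketch for the diagnosis in this thread, added here as an example (it is not part of the original posts and not pfSense or Snort package code). It checks free space on /tmp and /var against the 256 MB figure from the reply above, and scans update-log lines for a downloaded-file MD5 of d41d8cd98f00b204e9800998ecf8427e, which is the MD5 of zero bytes of input and therefore means an empty file was written. The function names are assumptions, and the sample lines are copied from the log in the first post.

```shell
#!/bin/sh
# Added example: triage a failed rules update on a RAM-disk system.
# MD5 of zero bytes of input; a download that hashes to this is an empty file.
EMPTY_MD5="d41d8cd98f00b204e9800998ecf8427e"
NEED_MB=256   # free space per volume suggested in the thread

# Print free space on the filesystem holding $1, in whole MB.
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# Print "ok" or "low" for a free-space figure in MB.
space_verdict() {
    if [ "$1" -ge "$NEED_MB" ]; then echo ok; else echo low; fi
}

# Read an update log on stdin; for every "Downloaded ... file MD5:" line
# print the rule set name and whether the downloaded file was empty.
classify_downloads() {
    awk -v empty="$EMPTY_MD5" '
        /^[ \t]*Downloaded .* file MD5: / {
            md5 = $NF
            sub(/^[ \t]*Downloaded /, ""); sub(/ file MD5: .*/, "")
            print $0 ": " (md5 == empty ? "empty-file" : "non-empty")
        }'
}

# Sample lines copied from the update log in the first post.
SAMPLE_LOG='Downloaded Snort VRT rules file MD5: 7805022762dedb592ea2d7e7f9179052
Expected Snort VRT rules file MD5: 97296a1719c72cd42f5907439e23c709
Downloaded Snort OpenAppID detectors file MD5: d41d8cd98f00b204e9800998ecf8427e
Downloaded Emerging Threats Open rules file MD5: d41d8cd98f00b204e9800998ecf8427e'

# Report free space on the two volumes named in the thread.
for vol in /tmp /var; do
    mb=$(free_mb "$vol")
    echo "$vol: ${mb:-0} MB free ($(space_verdict "${mb:-0}"))"
done

# Flag rule sets whose download produced an empty file.
printf '%s\n' "$SAMPLE_LOG" | classify_downloads
```

    On the sample lines, the OpenAppID and Emerging Threats downloads are reported as empty files, while the Snort VRT download is non-empty but still failed its checksum.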