Update 3.2.9.3 query



  • I have read the release notes and a few other threads, but I just want to clarify one thing.  I have tried to follow the guidance on full deletion and reinstallation amongst other things, but I keep having every md5 check fail.  Is this related to the emerging threats fail?  I do not understand why the md5 checksum should fail if it's a rule failure.  My snort is also not starting - but I assume that IS related to the rule issue.

    Be grateful for any clarification.  Thank you



  • Can you provide some clarification about "MD5 check fail"?  Not sure what you mean exactly.  If you are getting MD5 check failures during attempted rules package updates, then it is very likely you have a disk problem.  Number one issue is running Snort (or Suricata) on a NanoBSD based install.  Those use limited size RAM disks, and there is rarely enough space on the /tmp partition/volume to hold the downloaded rules gzip file archive and then also the unzipped contents.

    If you have a pfSense version based on NanoBSD, then look in your system log for out-of-space messages on the /tmp volume.  You need at least 256MB free there to be safe.

    Bill



  • installation is amd64 full-install, not Nano

    Here is a cut and paste of the Snort installation log.  The MD5 hash fails are self-evident …

    Checking integrity... done (0 conflicting)
    The following 11 package(s) will be affected (of 0 checked):

    New packages to be INSTALLED:
    pfSense-pkg-snort: 3.2.9.3 [pfSense]
    snort: 2.9.9.0_1 [pfSense]
    barnyard2: 1.13_1 [pfSense]
    broccoli: 1.97,1 [pfSense]
    GeoIP: 1.6.10 [pfSense]
    libpcap: 1.8.1 [pfSense]
    mysql56-client: 5.6.35_3 [pfSense]
    liblz4: 1.7.5,1 [pfSense]
    libdnet: 1.12_1 [pfSense]
    daq: 2.0.6_1 [pfSense]
    luajit: 2.0.4_1 [pfSense]

    Number of packages to be installed: 11

    The process will require 50 MiB more space.
    [1/11] Installing GeoIP-1.6.10…
    [1/11] Extracting GeoIP-1.6.10: …....... done
    [2/11] Installing liblz4-1.7.5,1…
    [2/11] Extracting liblz4-1.7.5,1: …....... done
    [3/11] Installing broccoli-1.97,1…
    [3/11] Extracting broccoli-1.97,1: …....... done
    [4/11] Installing libpcap-1.8.1…
    [4/11] Extracting libpcap-1.8.1: …....... done
    [5/11] Installing mysql56-client-5.6.35_3…
    [5/11] Extracting mysql56-client-5.6.35_3: …....... done
    [6/11] Installing libdnet-1.12_1…
    [6/11] Extracting libdnet-1.12_1: …....... done
    [7/11] Installing barnyard2-1.13_1…
    [7/11] Extracting barnyard2-1.13_1: …... done
    [8/11] Installing daq-2.0.6_1…
    [8/11] Extracting daq-2.0.6_1: …....... done
    [9/11] Installing luajit-2.0.4_1…
    [9/11] Extracting luajit-2.0.4_1: …....... done
    [10/11] Installing snort-2.9.9.0_1…
    [10/11] Extracting snort-2.9.9.0_1: …....... done
    [11/11] Installing pfSense-pkg-snort-3.2.9.3…
    [11/11] Extracting pfSense-pkg-snort-3.2.9.3: …....... done
    Saving updated package information...
    done.
    Loading package configuration... done.
    Configuring package components...
    Loading package instructions...
    Custom commands...
    Executing custom_php_install_command()...Saved settings detected.
    Migrating settings to new configuration... done.
    Downloading Snort VRT rules md5 file... done.
    Checking Snort VRT rules md5 file... done.
    There is a new set of Snort VRT rules posted.
    Downloading snortrules-snapshot-2990.tar.gz... done.
    Snort VRT rules file MD5 checksum failed...
    Downloading Snort GPLv2 Community Rules md5 file... done.
    Checking Snort GPLv2 Community Rules md5 file... done.
    There is a new set of Snort GPLv2 Community Rules posted.
    Downloading community-rules.tar.gz... done.
    Snort GPLv2 Community Rules file MD5 checksum failed...
    Downloading Emerging Threats Open rules md5 file... done.
    Checking Emerging Threats Open rules md5 file... done.
    There is a new set of Emerging Threats Open rules posted.
    Downloading emerging.rules.tar.gz... done.
    Emerging Threats Open rules file MD5 checksum failed...
    Cleaning up temp dirs and files... done.
    The Rules update has finished.
    Generating snort.conf configuration file from saved settings.
    Generating configuration for WAN_1...
    done.
    Generating configuration for WAN_2...
    done.
    Generating snort.sh script in /usr/local/etc/rc.d/... done.
    Finished rebuilding Snort configuration files.
    done.
    Executing custom_php_resync_config_command()...

    done.
    Menu items... done.
    Services... done.



  • @chc-pr:

    installation is amd64 full-install, not Nano

    Here is a cut and paste of the Snort installation log.  The MD5 hash fails are self-evident …

    Take a look in the /tmp directory for the downloaded rules archives.  They will be located in a sub-directory called snort_rules_up.  See what the file sizes are; if they look correct, compute the MD5 yourself using the md5sum utility.  Compare the value you get with that posted on the Snort VRT web site.

    All that happens during rules download is the gzip archive and the associated MD5 checksum text file is downloaded from the Snort VRT site (really an Amazon Web Services server), then the local md5 sum function in PHP is used to calculate the MD5 hash of the downloaded gzip archive.  It is compared to the text value pulled from the downloaded MD5 checksum posted along with the rule archive.  If they don't match, then the error is thrown and the rules update aborts on the assumption the downloaded gzip archive is corrupt.

    How much free space do you have in /tmp?  The only time I've seen all three sets of rule gzip archives fail the md5 check (Snort VRT, Community and Emerging Threats) is when there is not enough free space on /tmp.

    Bill
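
The check described in the reply above (hash the downloaded gzip archive, compare it with the text in the posted MD5 file), as an added shell example that is not part of the thread or of the pfSense Snort package. The function names and return codes are hypothetical, and it assumes the MD5 file carries the digest as its first 32-hex-character token; on a mismatch it also reports file size, free space and whether the archive is an intact gzip, which separates a truncated download from a wrong digest file.

```shell
#!/bin/sh
# Added example: repeat the rules updater's integrity check by hand and
# report why a mismatch happened. All function names are hypothetical.

# Print the MD5 of a file as 32 lowercase hex characters.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print tolower($1)}'
    else
        md5 -q "$1" | tr 'A-F' 'a-f'    # FreeBSD base utility
    fi
}

# Free space (KiB) on the filesystem that holds a path.
free_kb() { df -Pk "$1" | awk 'NR==2 {print $4}'; }

# verify_rules_archive ARCHIVE MD5FILE
# returns 0 = digest matches
#         1 = mismatch, but the archive is an intact gzip (stale or wrong MD5 file)
#         2 = archive missing, empty, truncated or not gzip at all
#         3 = no 32-hex digest found in MD5FILE
verify_rules_archive() {
    archive=$1 md5file=$2
    [ -s "$archive" ] || { echo "archive missing or empty: $archive"; return 2; }
    expected=$(tr -d '"\r' < "$md5file" | grep -Eio '[0-9a-f]{32}' | head -n 1 | tr 'A-F' 'a-f')
    [ -n "$expected" ] || { echo "no MD5 digest in $md5file"; return 3; }
    actual=$(file_md5 "$archive")
    [ "$actual" = "$expected" ] && { echo "OK $actual"; return 0; }
    echo "MISMATCH expected=$expected actual=$actual size=$(wc -c < "$archive") bytes"
    echo "free space in $(dirname "$archive"): $(free_kb "$(dirname "$archive")") KiB"
    if gzip -t "$archive" 2>/dev/null; then
        echo "archive is an intact gzip: the MD5 file is stale or not for this file"
        return 1
    fi
    echo "archive is truncated or not gzip (full disk, or a proxy returned something else)"
    return 2
}

# Run as a script: sh verify.sh <archive> <md5 file>
if [ "$#" -eq 2 ]; then
    verify_rules_archive "$1" "$2"
fi
```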



  • Hi Bill. Thanks for your help. /tmp only has mnt and snap as subdirectories …

    is /tmp part of a longer path?  Thanks



  • @chc-pr:

    Hi Bill. Thanks for your help. /tmp only has mnt and snap as subdirectories …

    is /tmp part of a longer path?  Thanks

    No, it is directly off the root but I forgot about something in my earlier reply.  When the update process completes (even if unsuccessful), it deletes the temporary sub-directory it created to hold the downloaded gzip rules archive.  So you will not see it except during the interval the rules update process is running.

    Still, though, how much free space is showing?  Getting MD5 errors on VRT, Community and ET archives is a rare occurrence.  Is there anything unusual in your setup such as a proxy (Squid, for example)?

    Bill

