Snort Update rules failed



  • Hi All,
    In recent days, our pfsense system cannot update rules, as shown below:

    
    Starting rules update...  Time: 2017-08-06 08:05:00
    	Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
    	Checking Snort VRT rules md5 file...
    	Snort VRT rules are up to date.
    	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    	Checking Snort OpenAppID detectors md5 file...
    	Snort OpenAppID detectors are up to date.
    	Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
    	Snort OpenAppID RULES detectors md5 download failed.
    	Server returned error code 0.
    	Server error message was: Resolving timed out after 15212 milliseconds
    	Snort OpenAppID RULES detectors will not be updated.
    	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    	Checking Snort GPLv2 Community Rules md5 file...
    	There is a new set of Snort GPLv2 Community Rules posted.
    	Downloading file 'community-rules.tar.gz'...
    	Done downloading rules file.
    	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    	Checking Emerging Threats Open rules md5 file...
    	Emerging Threats Open rules are up to date.
    	Extracting and installing Snort GPLv2 Community Rules...
    	Installation of Snort GPLv2 Community Rules completed.
    	Copying new config and map files...
    	Updating rules configuration for: WAN ...
    	Restarting Snort to activate the new set of rules...
    	Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2017-08-06 08:07:27
    
    Starting rules update...  Time: 2017-08-06 20:05:00
    	Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
    	Checking Snort VRT rules md5 file...
    	Snort VRT rules are up to date.
    	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    	Checking Snort OpenAppID detectors md5 file...
    	Snort OpenAppID detectors are up to date.
    	Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
    	Snort OpenAppID RULES detectors md5 download failed.
    	Server returned error code 0.
    	Server error message was: Resolving timed out after 15234 milliseconds
    	Snort OpenAppID RULES detectors will not be updated.
    	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    	Checking Snort GPLv2 Community Rules md5 file...
    	Snort GPLv2 Community Rules are up to date.
    	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    	Checking Emerging Threats Open rules md5 file...
    	Emerging Threats Open rules are up to date.
    The Rules update has finished.  Time: 2017-08-06 20:07:11
    
    Starting rules update...  Time: 2017-08-07 08:05:00
    	Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
    	Checking Snort VRT rules md5 file...
    	Snort VRT rules are up to date.
    	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    	Checking Snort OpenAppID detectors md5 file...
    	Snort OpenAppID detectors are up to date.
    	Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
    	Snort OpenAppID RULES detectors md5 download failed.
    	Server returned error code 0.
    	Server error message was: Resolving timed out after 15815 milliseconds
    	Snort OpenAppID RULES detectors will not be updated.
    	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    	Checking Snort GPLv2 Community Rules md5 file...
    	There is a new set of Snort GPLv2 Community Rules posted.
    	Downloading file 'community-rules.tar.gz'...
    	Done downloading rules file.
    	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    	Checking Emerging Threats Open rules md5 file...
    	Emerging Threats Open rules are up to date.
    	Extracting and installing Snort GPLv2 Community Rules...
    	Installation of Snort GPLv2 Community Rules completed.
    	Copying new config and map files...
    	Updating rules configuration for: WAN ...
    	Restarting Snort to activate the new set of rules...
    	Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2017-08-07 08:07:36
    
    

    In particular, sometimes the system returns an error and cannot start the service as usual. I have to start Snort manually. This puts our system at risk from attackers. Please help me solve this issue. Thank you.



  • Both of our pfsense firmware versions are: 2.3.4-RELEASE (amd64)
    I have not upgraded the firmware to the latest version because some guys have reported errors after upgrading.



  • If this error is a constant repeat, it may mean the site hosting the OpenAppID rules tarball is blocking your country.  I know some other users have reported geo-block issues when trying to use the OpenAppID rules.  Those rules are written and supplied by a third party and hosted on a University web site in Brazil.  That web site operator geo-blocks certain countries.  Nothing you can do about that if you are one of the blocked countries except maybe try a VPN.

    Bill
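
Bill's test is whether the failure repeats on every run. As an added example (not part of the thread and not code from the pfSense Snort package), this Python script parses update-log text in the format posted above and lists the rule sets whose md5 download failed in every run. The sample log is constructed from the posted lines, and the Emerging Threats 503 failure in it is invented to show a one-off error.

```python
import re
from collections import defaultdict

# Constructed sample: three runs trimmed from the log format posted above; the
# Emerging Threats failure in the second run is invented to show a one-off error.
SAMPLE_LOG = """\
Starting rules update...  Time: 2017-08-06 08:05:00
\tSnort OpenAppID RULES detectors md5 download failed.
\tServer returned error code 0.
\tServer error message was: Resolving timed out after 15212 milliseconds
Starting rules update...  Time: 2017-08-06 20:05:00
\tSnort OpenAppID RULES detectors md5 download failed.
\tServer returned error code 0.
\tServer error message was: Resolving timed out after 15234 milliseconds
\tEmerging Threats Open rules md5 download failed.
\tServer returned error code 503.
\tServer error message was: Service Unavailable
Starting rules update...  Time: 2017-08-07 08:05:00
\tSnort OpenAppID RULES detectors md5 download failed.
\tServer returned error code 0.
\tServer error message was: Resolving timed out after 15815 milliseconds
"""

START = re.compile(r"^Starting rules update\.\.\.\s+Time: (.+)$")
FAILED = re.compile(r"^(.+?) md5 download failed\.$")
CODE = re.compile(r"^Server returned error code (\d+)\.$")
MESSAGE = re.compile(r"^Server error message was: (.+)$")

def parse_failures(log_text):
    """Return (run_start_times, {rule_set: [(run_time, code, message), ...]})."""
    runs, failures, name, code = [], defaultdict(list), None, None
    for line in map(str.strip, log_text.splitlines()):
        if m := START.match(line):
            runs.append(m.group(1))
            name = None
        elif m := FAILED.match(line):
            name, code = m.group(1), None
        elif name and (m := CODE.match(line)):
            code = int(m.group(1))
        elif name and (m := MESSAGE.match(line)):
            # The message line closes the failure record for this rule set.
            failures[name].append((runs[-1] if runs else None, code, m.group(1)))
            name = None
    return runs, dict(failures)

def persistent_failures(log_text):
    """Rule sets whose md5 download failed in every run found in the log."""
    runs, failures = parse_failures(log_text)
    return sorted(n for n, hits in failures.items()
                  if len({t for t, _, _ in hits}) == len(runs))
```

Running `persistent_failures()` over the real update log separates a rule set that never updates, and is therefore going stale, from one that missed a single run.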



  • @bmeeks:

    If this error is a constant repeat, it may mean the site hosting the OpenAppID rules tarball is blocking your country.  I know some other users have reported geo-block issues when trying to use the OpenAppID rules.  Those rules are written and supplied by a third party and hosted on a University web site in Brazil.  That web site operator geo-blocks certain countries.  Nothing you can do about that if you are one of the blocked countries except maybe try a VPN.

    Bill

    You are correct. They banned our IP  :-\ We are still having issues with Snort even after upgrading pfsense to the latest firmware version. I've unchecked both of the OpenAppID options in the global settings. Let's see whether Snort stops working again in the next few days. Thank you so much for your help.



  • @bmeeks It seems to be fine after 5 days. I appreciate your help, Bill :)