    Snort 3.2.9.5_4 - Release Notes

      bmeeks last edited by

      Snort 3.2.9.5_4

      This update to the Snort package changes the URL for downloading the OpenAppID open rules package.  This rules package is maintained by a volunteer contributor and was formerly hosted at a University web site in Brazil.  That web site employs geo-protection, and thus Snort users in some countries were unable to download the OpenAppID rules.  The pfSense team has worked out an agreement with the rules package creator to host the package on pfSense infrastructure.  This will eliminate the geo-blocking issue.  No action is required on your part.  The URL change is automatic.

      Note to SG-3100 and other ARM hardware users:
      This package update does not address the problems within the Snort binary on ARM CPUs.  We are still trying to fix that issue.

      Bill

        Ramosel last edited by

        @bmeeks:

        Snort 3.2.9.5_4

        This update to the Snort package changes the URL for downloading the OpenAppID open rules package.

        Thanks Bill,
        This issue has presented a few glitches with some Unbound/pfBlockerNG/TLD listings that BBCan177 and I have had to work through on a few occasions.

        Rick

          bcruze last edited by

          Is this the same as the Facebook post pfSense posted yesterday?  It advertised Facebook blocking and other popular apps.  I reinstalled Snort on my SG2220 last night and I don't see how to block Facebook or anything posted in that online post.

            bmeeks last edited by

            @bcruze:

            Is this the same as the Facebook post pfSense posted yesterday?  It advertised Facebook blocking and other popular apps.  I reinstalled Snort on my SG2220 last night and I don't see how to block Facebook or anything posted in that online post.

            Did you follow the link in that blog post to the "How To" document?  There are several steps involved in configuring OpenAppID in Snort.  It's more than just clicking the two checkboxes on the GLOBAL SETTINGS tab.  There are specific rules that have to be enabled as well on the RULES tab.  The various OpenAppID signatures are divided into various categories on that tab once you enable the rules and download them.

            Bill

              revengineer last edited by

              I wanted to test the OpenAppID feature, but I cannot get the rules to download. The log entries are shown below. I have no problems downloading the rule files directly using the URL http://files.pfsense.org/openappid/appid_rules.tar.gz. Does anyone know what I am missing?

              Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
              Checking Snort OpenAppID RULES detectors md5 file...
              There is a new set of Snort OpenAppID RULES detectors posted.
              Downloading file 'appid_rules.tar.gz'...
              Done downloading rules file.
              Snort OpenAppID RULES detectors file download failed.  Bad MD5 checksum.
              Downloaded Snort OpenAppID RULES detectors file MD5: 4a919586ee271f633a04b406b1332bf9
              Expected Snort OpenAppID RULES detectors file MD5: d4539caec45fdb0484ded9de593e0dc4
              Snort OpenAppID RULES detectors file download failed.  Snort OpenAppID RULES detectors will not be updated.
              
                bmeeks last edited by

                @revengineer:

                I wanted to test the OpenAppID feature, but I cannot get the rules to download. The log entries are shown below. I have no problems downloading the rule files directly using the URL http://files.pfsense.org/openappid/appid_rules.tar.gz. Does anyone know what I am missing?

                Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
                Checking Snort OpenAppID RULES detectors md5 file...
                There is a new set of Snort OpenAppID RULES detectors posted.
                Downloading file 'appid_rules.tar.gz'...
                Done downloading rules file.
                Snort OpenAppID RULES detectors file download failed.  Bad MD5 checksum.
                Downloaded Snort OpenAppID RULES detectors file MD5: 4a919586ee271f633a04b406b1332bf9
                Expected Snort OpenAppID RULES detectors file MD5: d4539caec45fdb0484ded9de593e0dc4
                Snort OpenAppID RULES detectors file download failed.  Snort OpenAppID RULES detectors will not be updated.
                

                The problem is given in the error message.  The MD5 checksum check failed.  That means either your download got corrupted, or the MD5 file on the pfSense site is not correct for the current gzip rules archive.  Usually these kinds of errors auto-correct if you just wait a few hours or a day for things to get sorted out on the hosting site.

                Bill
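
The two causes named in the reply above (a corrupted download, or a published MD5 file that does not match the current archive) can be told apart locally. This is an added example, not part of the thread or of the Snort package's code; the function names, result labels and sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and result labels are hypothetical.

# Portable MD5: Linux has md5sum, FreeBSD (pfSense) has md5 -q.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# First standalone 32-hex-digit token in a .md5 file, lowercased.
# Copes with "hash  filename" lines, upper case and CRLF endings.
expected_md5() {
    tr 'A-F' 'a-f' < "$1" | tr -d '\r' | grep -Eow '[0-9a-f]{32}' | head -n 1
}

classify_download() {
    archive=$1
    md5file=$2
    want=$(expected_md5 "$md5file")
    [ -n "$want" ] || { echo "md5-file-unparseable"; return 0; }
    if [ "$(file_md5 "$archive")" = "$want" ]; then
        echo "ok"
    elif gzip -t "$archive" 2>/dev/null; then
        # gzip's own CRC32/length trailer is intact, so the archive arrived
        # whole: the published .md5 likely belongs to a different build.
        echo "checksum-file-out-of-sync"
    else
        echo "download-corrupt"
    fi
}

demo() {
    d=$(mktemp -d)
    # Constructed stand-in for appid_rules.tar.gz (not real rules).
    printf 'constructed rules payload\n' | gzip -c > "$d/appid_rules.tar.gz"
    printf '%s  appid_rules.tar.gz\n' "$(file_md5 "$d/appid_rules.tar.gz")" > "$d/good.md5"
    # Constructed stale checksum (MD5 of empty input).
    printf 'd41d8cd98f00b204e9800998ecf8427e\n' > "$d/stale.md5"
    head -c 20 "$d/appid_rules.tar.gz" > "$d/truncated.tar.gz"
    classify_download "$d/appid_rules.tar.gz" "$d/good.md5"
    classify_download "$d/appid_rules.tar.gz" "$d/stale.md5"
    classify_download "$d/truncated.tar.gz" "$d/good.md5"
    rm -rf "$d"
}
demo
```

An MD5 file fetched from the same host over plain HTTP detects accidental corruption only; it does not authenticate the archive.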

                  revengineer last edited by

                  @bmeeks:

                  The problem is given in the error message.  The MD5 checksum check failed.  That means either your download got corrupted, or the MD5 file on the pfSense site is not correct for the current gzip rules archive.  Usually these kinds of errors auto-correct if you just wait a few hours or a day for things to get sorted out on the hosting site.

                  Bill

                  Thank you for the response. I just checked and the problem indeed fixed itself. The rules have loaded and I can start experimenting with application blocking.

                    Snailkhan last edited by

                    I too am having the same issue. I will also wait to see if it resolves itself.
