ET URL changed? => snort download error 404



  • Hi,

    we are using VRT subscription and wanted to add ET free rules.
    We have not been able to download rule sets for ET (results in 404).
    If I'm right, in case VRT is enabled the download URL for ET is not …/open/... but .../open-nogpl/...
    So the download URL constructed is like .../open-nogpl/snort-ET_VERSION/...
    But this directory does not contain any files.  They seem to have changed the URL to this:
    https://rules.emergingthreatspro.com/open-nogpl/snort-2.9.0/snort-2.9.0-enhanced/
    This means they added the directory "snort-2.9.0-enhanced".
    I added the following line after line #86 in snort_check_for_rule_updates.php:
    $emergingthreats_url .= $vrt_enabled == "on" ? "snort-" . ET_VERSION . "-enhanced/" : "";
    I don't know if the URL change is persistent and I am not sure if the change I made was correct, but currently it seems to work.

    Cheers!
    demux.


  • Galactic Empire

    Starting rules update…  Time: 2018-01-18 08:24:20
    Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
    Checking Snort VRT rules md5 file...
    Snort VRT rules are up to date.
    Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    Checking Snort OpenAppID detectors md5 file...
    Snort OpenAppID detectors are up to date.
    Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
    Checking Snort OpenAppID RULES detectors md5 file...
    There is a new set of Snort OpenAppID RULES detectors posted.
    Downloading file 'appid_rules.tar.gz'...
    Done downloading rules file.
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    Emerging Threats Open rules md5 download failed.
    Server returned error code 404.
    Server error message was: 404 Not Found
    Emerging Threats Open rules will not be updated.
    Extracting and installing Snort OpenAppID detectors...
    Installation of Snort OpenAppID detectors completed.
    The Rules update has finished.  Time: 2018-01-18 08:24:23



  • Yeah, I'm seeing the same error this morning on my home setup with Snort and the ET-Open rules.  I need to investigate a bit to see if the URL change is permanent or a temporary goof.  I have a Snort GUI update almost finished, so it will be easy to add this fix to it if the URL change is permanent.

    For a temp workaround you can follow the advice of @demux and modify the file shown at the line number given.

    Edit:  Does anyone have an official mailing list notification, or any notification, of this URL change for the Snort version of Emerging Threats rules?  So far Google has given me no clues.

    Bill


  • Galactic Empire

    Nope, I've even checked their Twitter account.



  • @NogBadTheBad:

    Nope, I've even checked their Twitter account.

    I did not see anything either announcing the change.  I'm starting to believe it might be a glitch.  I've sent an email to a high-level contact I had at Emerging Threats, but so far have not received a reply.

    I am inclined to wait a day or two to see if this self-corrects before making a change in the Snort GUI code.

    Bill


  • Galactic Empire

    Got a reply back from the ET guys :-

    it has slightly changed per https://marc.info/?l=emerging-sigs&m=151182236202050&w=2

    But what you are seeing looks to be a mistake. I've forwarded to the responsible party.


  • Galactic Empire

    Fixed :)

    Starting rules update…  Time: 2018-01-18 21:49:56
    Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
    Checking Snort VRT rules md5 file...
    Snort VRT rules are up to date.
    Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    Checking Snort OpenAppID detectors md5 file...
    Snort OpenAppID detectors are up to date.
    Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
    Checking Snort OpenAppID RULES detectors md5 file...
    There is a new set of Snort OpenAppID RULES detectors posted.
    Downloading file 'appid_rules.tar.gz'...
    Done downloading rules file.
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    Checking Emerging Threats Open rules md5 file...
    There is a new set of Emerging Threats Open rules posted.
    Downloading file 'emerging.rules.tar.gz'…
    Done downloading rules file.
    Extracting and installing Snort OpenAppID detectors…
    Installation of Snort OpenAppID detectors completed.
    Extracting and installing Emerging Threats Open rules...
    Installation of Emerging Threats Open rules completed.
    Copying new config and map files...
    Updating rules configuration for: WAN ...
    Updating rules configuration for: LAN ...
    Updating rules configuration for: USER ...
    Updating rules configuration for: GUEST ...
    Updating rules configuration for: IOT ...
    Updating rules configuration for: DMZ ...
    Updating rules configuration for: VOICE ...
    Restarting Snort to activate the new set of rules...
    Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2018-01-18 21:51:36


  • Galactic Empire

    Great work!



  • @NogBadTheBad:

    Got a reply back from the ET guys :-

    it has slightly changed per https://marc.info/?l=emerging-sigs&m=151182236202050&w=2

    But what you are seeing looks to be a mistake. I've forwarded to the responsible party.

    The slight change in the URL linked by @NogBadTheBad will be included in the next Snort GUI update, which should be out in a few days.  I had already made that change and tested over this past weekend, so I was a bit perplexed when the URL suddenly changed again and stopped working today …  ???.  Glad the ET guys got it fixed up.

    Bill
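
An added example, not part of any post above and not code from the Snort package: a parser for update-log text in the format posted in this thread that reports each rule set's status, so a failed download like the 404 above gets flagged instead of leaving signatures stale unnoticed. The sample log is constructed (abridged from the first log in the thread), and the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the failing update log posted in this thread.
SAMPLE_LOG = """\
Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
Snort VRT rules are up to date.
Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
There is a new set of Snort OpenAppID RULES detectors posted.
Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
Emerging Threats Open rules md5 download failed.
Server returned error code 404.
Emerging Threats Open rules will not be updated.
"""

# Status lines the updater writes once it has decided what to do with a rule set.
PATTERNS = [
    (re.compile(r"^(?P<set>.+?) are up to date\.$"), "current"),
    (re.compile(r"^There is a new set of (?P<set>.+?) posted\.$"), "updated"),
    (re.compile(r"^(?P<set>.+?) md5 download failed\.$"), "failed"),
]
HTTP_CODE = re.compile(r"^Server returned error code (\d+)\.$")


def parse_update_log(text):
    """Return {rule set name: {"status": str, "http_code": int or None}}."""
    results, last_failed = {}, None
    for line in text.splitlines():
        line = line.strip()
        code = HTTP_CODE.match(line)
        if code and last_failed:
            # The HTTP code line follows the failure line it belongs to.
            results[last_failed]["http_code"] = int(code.group(1))
            last_failed = None
            continue
        for pattern, status in PATTERNS:
            m = pattern.match(line)
            if m:
                results[m.group("set")] = {"status": status, "http_code": None}
                last_failed = m.group("set") if status == "failed" else None
                break
    return results


def stale_rulesets(text):
    """Names of rule sets whose download failed, i.e. signatures left stale."""
    return sorted(n for n, r in parse_update_log(text).items() if r["status"] == "failed")


if __name__ == "__main__":
    print("Rule sets not updated:", stale_rulesets(SAMPLE_LOG))
```
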

