Netgate Discussion Forum

Snort OpenAppID RULES Detectors

pfSense Packages
  • K
    Kenton
    last edited by Jan 25, 2018, 9:47 AM

    I have been unable to download the Snort OpenAppID RULES Detectors rules for the past month. The log displays that there is a bad checksum on the file.

    Upon looking through previous messages on this board, I have noticed this has happened before. This was fixed by contacting the contributor to change the checksum on the download.

    Snort OpenAppID RULES detectors file download failed.  Bad MD5 checksum.
    Downloaded Snort OpenAppID RULES detectors file MD5: 4a919586ee271f633a04b406b1332bf9
    Expected Snort OpenAppID RULES detectors file MD5: d4539caec45fdb0484ded9de593e0dc4
    Snort OpenAppID RULES detectors file download failed.  Snort OpenAppID RULES detectors will not be updated.

    Thanks in advance
    Kenton

    • N
      NogBadTheBad
      last edited by Jan 25, 2018, 10:37 AM Jan 25, 2018, 10:19 AM

      Just forced an update of my rules, everything downloaded fine :-

      Rule Set Name/Publisher          MD5 Signature Hash                MD5 Signature Date
      Snort VRT Rules                  0bbf066f32c293f3422c3ed6aa2ffbaa  Thursday, 25-Jan-18 10:12:07 GMT
      Snort GPLv2 Community Rules      ab9939deac5899ae6cc465ccc2b66e14  Thursday, 25-Jan-18 10:12:08 GMT
      Emerging Threats Open Rules      73cc2d54baeb2a5f50f4770b315de2cc  Thursday, 25-Jan-18 10:12:09 GMT
      Snort OpenAppID Detectors        2a08c2d738c8669017953bd9c59dd4f7  Thursday, 25-Jan-18 10:12:07 GMT
      Snort OpenAppID RULES Detectors  2c26cb4f6a3bc03ab9c8e02befcf6fe1  Thursday, 25-Jan-18 10:12:07 GMT
      

      What version of pfSense & Snort are you running?

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      • K
        Kenton
        last edited by Jan 25, 2018, 1:35 PM

        Thanks NogBadTheBad for your reply

        I am running the current version 2.3.4-RELEASE-p1 of pfSense and version 3.2.9.5_3 of Snort. Forcing an update still does not allow this file to download and install, though I am able to download from the link on the Global Settings tab. This would eliminate the possibility of being blocked by Geo-IP from the Brazilian hosting site.

        Included below are the signatures of the downloaded rule sets.

        Rule Set Name/Publisher          MD5 Signature Hash                MD5 Signature Date
        Snort VRT Rules                  7d5ddef87d21a78c8f51a960053ad97f  Thursday, 25-Jan-18 21:19:29 AWST
        Snort GPLv2 Community Rules      ab9939deac5899ae6cc465ccc2b66e14  Thursday, 25-Jan-18 21:19:29 AWST
        Emerging Threats Open Rules      73cc2d54baeb2a5f50f4770b315de2cc  Thursday, 25-Jan-18 21:19:32 AWST
        Snort OpenAppID Detectors        2a08c2d738c8669017953bd9c59dd4f7  Thursday, 25-Jan-18 21:19:29 AWST
        Snort OpenAppID RULES Detectors  Not Downloaded                    Not Downloaded

        Any suggestions would be appreciated before I try removing Snort and re-installing.

        • B
          bmeeks
          last edited by Jan 25, 2018, 3:07 PM

          @Kenton:

          Thanks NogBadTheBad for your reply

          I am running the current version 2.3.4-RELEASE-p1 of pfSense and version 3.2.9.5_3 of Snort. Forcing an update still does not allow this file to download and install, though I am able to download from the link on the Global Settings tab. This would eliminate the possibility of being blocked by Geo-IP from the Brazilian hosting site.

          Included below are the signatures of the downloaded rule sets.

          Rule Set Name/Publisher          MD5 Signature Hash                MD5 Signature Date
          Snort VRT Rules                  7d5ddef87d21a78c8f51a960053ad97f  Thursday, 25-Jan-18 21:19:29 AWST
          Snort GPLv2 Community Rules      ab9939deac5899ae6cc465ccc2b66e14  Thursday, 25-Jan-18 21:19:29 AWST
          Emerging Threats Open Rules      73cc2d54baeb2a5f50f4770b315de2cc  Thursday, 25-Jan-18 21:19:32 AWST
          Snort OpenAppID Detectors        2a08c2d738c8669017953bd9c59dd4f7  Thursday, 25-Jan-18 21:19:29 AWST
          Snort OpenAppID RULES Detectors  Not Downloaded                    Not Downloaded

          Any suggestions would be appreciated before I try removing Snort and re-installing.

          Make sure you have the latest version of the Snort package installed.  The internal URL was changed from the Brazilian University to a pfSense hosting site.  Your problem may be your Snort version is trying to download an out-of-date version of the archive.

          Bill

          • K
            Kenton
            last edited by Jan 26, 2018, 12:25 AM

            Thanks bmeeks

            I re-installed Snort, using the reinstall package button on the Package Manager window, though this has not allowed me to install Snort OpenAppID RULES Detectors. Do I have to completely remove Snort and then download again or is what I did what you had in mind?

            • B
              bmeeks
              last edited by Jan 26, 2018, 4:36 AM

              @Kenton:

              Thanks bmeeks

              I re-installed Snort, using the reinstall package button on the Package Manager window, though this has not allowed me to install Snort OpenAppID RULES Detectors. Do I have to completely remove Snort and then download again or is what I did what you had in mind?

              Are you using RAM disks?  If so, you might be running out of space on /tmp.  You need at least 300 MB of free space on that partition to download all of the rule archives.  I strongly recommend nobody use RAM disks for Snort or Suricata!

              This download is apparently working for others now or I would expect to see a lot of posts about problems.  There were issues a few weeks ago, but those should all be ironed out now.

              Bill
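
The two causes raised in this thread, a checksum mismatch on the downloaded archive and too little free space in the download directory, can be told apart by hand from a shell. The script below is an added example, not part of the original posts or of the Snort package; the function names, the script name `check.sh`, the archive path argument and the return codes are assumptions, and the 300 MB threshold is the figure quoted in the post above.

```shell
#!/bin/sh
# Added example: manual checks for the two failure causes raised in this thread.
# Assumed inputs: archive path, the expected MD5 and the download directory.

REQUIRED_MB=300   # free-space figure quoted in the post above

# Print free space in MB on the filesystem that holds directory $1.
free_mb() {
    # -P gives one line per filesystem, -k reports 1 KiB blocks.
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# Succeed if directory $1 has at least $2 MB free (default: REQUIRED_MB).
has_room() {
    [ "$(free_mb "$1")" -ge "${2:-$REQUIRED_MB}" ]
}

# Print the hex MD5 of file $1 with whichever tool the system provides.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'   # GNU coreutils
    else
        md5 -q "$1"                        # FreeBSD, which pfSense is built on
    fi
}

# Compare file $1 with expected hash $2.
# Returns 0 on match, 1 on mismatch, 2 if the file is missing or empty.
verify_md5() {
    [ -s "$1" ] || return 2
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    [ "$(file_md5 "$1")" = "$want" ]
}

# Print one verdict for archive $1, expected hash $2, directory $3, min MB $4.
diagnose() {
    has_room "$3" "${4:-$REQUIRED_MB}" || { echo "low-space"; return 0; }
    rc=0
    verify_md5 "$1" "$2" || rc=$?
    case $rc in
        0) echo "ok" ;;
        2) echo "missing-or-empty" ;;
        *) echo "mismatch" ;;
    esac
}

# Usage: sh check.sh ARCHIVE EXPECTED_MD5 [DIR]
if [ "$#" -ge 2 ]; then diagnose "$1" "$2" "${3:-/tmp}"; fi
```

A `mismatch` verdict on a complete file with enough free space points to the archive and the published hash being out of step rather than to a local problem.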

              • K
                Kenton
                last edited by Jan 26, 2018, 8:53 AM

                Hi bmeeks

                I have checked my settings and I do not have the RamDisk setting on. As I am new to pfSense can you list the steps to check? So far I have uninstalled Snort and then installed again keeping my original settings.

                There may be something that I have checked that is interfering with the download. Not sure what it is though.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.