OpenAppID detectors download failed & after Snort release update for OpenAppID



  • Hi!

    We have a problem with downloading:

    Starting rules update…  Time: 2018-05-02 08:38:00
    Downloading Snort Subscriber rules md5 file snortrules-snapshot-29111.tar.gz.md5...
    Checking Snort Subscriber rules md5 file...
    Snort Subscriber rules are up to date.
    Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    Snort OpenAppID detectors md5 download failed.
    Server returned error code 404.
    Server error message was: 404 Not Found
    Snort OpenAppID detectors will not be updated.
    Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5…
    Checking Snort OpenAppID RULES detectors md5 file...
    There is a new set of Snort OpenAppID RULES detectors posted.
    Downloading file 'appid_rules.tar.gz'...
    Done downloading rules file.
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    Checking Emerging Threats Open rules md5 file...
    Emerging Threats Open rules are up to date.
    Extracting and installing Snort OpenAppID detectors...
    Installation of Snort OpenAppID detectors completed.
    The Rules update has finished.  Time: 2018-05-02 08:38:02

    Snort has updated the OpenAppID detectors. Is this the problem?

    https://blog.snort.org/2018/05/snort-openappid-detectors-have-been.html


    Tuesday, May 1, 2018
    Snort OpenAppID Detectors have been updated!
    An update has been released today for the Snort OpenAppID Detector content. This release, build 297, includes a total of 2,842 detectors.
    It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.

    Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.11.0's OpenAppID preprocessor and sharing your experiences with the community.


    P.S.: I have removed and installed a fresh Snort pkg.



  • Nearly 100% of the time when you get an MD5 error with an update it means the file is not yet updated on the Snort rules site.  Wait for a while (maybe several hours even), and then run the update again.  Odds are it will succeed then.

    Here is how the MD5 files work with the rules archives.  The rule vendors (both Snort and Emerging Threats) post two files as part of each update.  One is a gzip archive containing the actual rules and the other file is a very short text file whose content is the MD5 checksum of the posted gzip archive.  The vendors have code that calculates the MD5 checksum of the gzip archive file and posts that checksum into the MD5 file.  The vendors use CDNs (content distribution networks) of various types to load balance their traffic since tons of users around the world are downloading the files.  It is entirely possible that on a given server in the load-balance set the posted MD5 file is not correct for the posted gzip archive.  That could be due to a file replication problem or a problem may have occurred during the checksum calculation process.

    In the Snort (and Suricata) package, the GUI code uses the posted MD5 file to verify that the downloaded gzip rules archive is intact.  The code downloads both the MD5 checksum file and the associated gzip archive from the vendor's web site.  The GUI code then does its own MD5 checksum calculation of the gzip archive content and compares the locally calculated result to the value contained in the MD5 file it downloaded from the vendor.  If they don't match, the code will log an error and abandon the update of that rules package on the assumption that the gzip archive is faulty (since it does not match the vendor's posted MD5 value).

    If you search the threads in the IDS/IPS sub-forum you will find this occurs from time to time during updates, and it should resolve itself automatically as soon as the posted MD5 checksum file on the vendor's web site matches the posted gzip archive file.

    Bill
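
The check described in the post above, as an added Python example that is not part of the thread and is not the Snort package's own code. The function names and status strings are hypothetical, the sample archive bytes are constructed, and the "up to date" comparison against the last installed checksum is an assumption based on the log in the first post.

```python
import hashlib
import hmac
import io
import re

def parse_md5_file(text):
    """Return the checksum from a vendor .md5 file, or None if it is not one.

    Accepts a bare hash, a quoted hash, or the 'hash  filename' form.
    An HTML error body served in place of the file yields None.
    """
    tokens = text.strip().strip("\"'").split()
    if tokens and re.fullmatch(r"[0-9a-fA-F]{32}", tokens[0]):
        return tokens[0].lower()
    return None

def md5_of_stream(stream, chunk_size=65536):
    """Hash the archive in chunks so large rule sets are not read into memory."""
    digest = hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def check_update(http_status, md5_text, archive_stream, installed_md5=None):
    """Decide what to do with one rules package (hypothetical status strings).

    This detects a corrupt or mismatched archive only. The checksum comes
    from the same site as the archive, so it is not a signature.
    """
    if http_status != 200:
        return "md5-download-failed"   # the 404 case in the log above
    posted = parse_md5_file(md5_text)
    if posted is None:
        return "md5-file-invalid"
    if installed_md5 and hmac.compare_digest(posted, installed_md5.lower()):
        return "up-to-date"            # assumed: same hash as last install
    if not hmac.compare_digest(posted, md5_of_stream(archive_stream)):
        return "checksum-mismatch"     # stale replica or bad posted checksum
    return "install"

if __name__ == "__main__":
    archive = b"constructed sample archive bytes"        # constructed input
    good = hashlib.md5(archive).hexdigest() + "\n"
    print(check_update(404, "", io.BytesIO(archive)))
    print(check_update(200, "0" * 32, io.BytesIO(archive)))
    print(check_update(200, good, io.BytesIO(archive)))
```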



  • UPDATE

    This problem turned out to be a typo in the updated MD5 filename on the Snort.org download site.  After some email communications with the Snort team the problem was corrected on their download site.  This issue should be resolved now.

    Bill


 
