Snort rules update in 2.4.3-RELEASE-p1
-
Hello,
I'm a first-time user of pfSense. I'm setting it up in a virtual environment to test it out. I have a basic setup. I installed the Snort package. For that package I applied the Oinkmaster code to get the free Registered Rules, the Snort GPLv2 Community rules, the ET Rules Open, and the OpenAppID detectors, just to test how much of an effect all of these would have on pfSense. However, I get an error only for the Snort free Registered User download. The log is below. I already searched the community for the error and nothing came up.
Starting rules update... Time: 2018-08-22 21:50:46
Downloading Snort Subscriber rules md5 file snortrules-snapshot-29111.tar.gz.md5...
Snort Subscriber rules md5 download failed.
Server returned error code 505.
Server error message was: 505 HTTP Version Not Supported
Snort Subscriber rules will not be updated.
Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
Checking Snort OpenAppID detectors md5 file...
Snort OpenAppID detectors are up to date.
Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
Checking Snort GPLv2 Community Rules md5 file...
Snort GPLv2 Community Rules are up to date.
Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
Checking Emerging Threats Open rules md5 file...
Emerging Threats Open rules are up to date.
The Rules update has finished. Time: 2018-08-22 21:50:47
The fact that the other rules downloaded properly at least tells me that the module is working properly, but perhaps the code for retrieving the Snort Subscriber rules is using an older non-supported HTTP version call. Any ideas would be appreciated!
Thanks!
-
Mine is still working fine. Just checked and Snort Subscriber rules are reading the MD5 file and updating as necessary. Do you have any kind of proxy like squid or something between your firewall and the Internet? The Snort rules are hosted from Amazon Web Services servers. In some cases "bad IP lists" such as used in pfBlocker will false positive on some AWS IP addresses used by the Snort team to host their rules.
You might also want to double-verify you don't have a typo in your Oinkcode.
-
@rw2 said in Snort rules update in 2.4.3-RELEASE-p1:
Server returned error code 505.
Server error message was: 505 HTTP Version Not Supported
That is an odd message... If it was blocked, I'd expect to see a different error code? What version of pfSense are you using?
-
@bbcan177 said in Snort rules update in 2.4.3-RELEASE-p1:
@rw2 said in Snort rules update in 2.4.3-RELEASE-p1:
Server returned error code 505.
Server error message was: 505 HTTP Version Not Supported
That is an odd message... If it was blocked, I'd expect to see a different error code? What version of pfSense are you using?
I agree that a different error message is typically received. The Snort package uses the standard curl library on the firewall to request rules downloads, and that library follows current protocols.
-
Agreed! It is an odd message. The pfSense version I'm running is 2.4.3-RELEASE-p1. There is no proxy in between the firewall and the Internet. Also, if you look at the log file I posted, you can see that when I hit the update button, it was able to download the 3 other signature files without problems.
That is why I was wondering if there was some unknown issue with the update or something considering that the other files downloaded just fine.
-
The rules update appears to be working fine for me, and I have the latest 3.2.9.7_1 version of the Snort package on 2.4.3 RELEASE pfSense. Here is my log from about 40 minutes ago (these times are US Eastern):
Starting rules update... Time: 2018-08-23 13:30:00
Downloading Snort Subscriber rules md5 file snortrules-snapshot-29111.tar.gz.md5...
Checking Snort Subscriber rules md5 file...
There is a new set of Snort Subscriber rules posted.
Downloading file 'snortrules-snapshot-29111.tar.gz'...
Done downloading rules file.
Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
Checking Emerging Threats Open rules md5 file...
Emerging Threats Open rules are up to date.
Extracting and installing Snort Subscriber Ruleset...
Using Snort Subscriber precompiled SO rules for FreeBSD-10-0 ...
Installation of Snort Subscriber rules completed.
Copying new config and map files...
Updating rules configuration for: WAN ...
Updating rules configuration for: DMZ ...
Updating rules configuration for: LAN ...
Restarting Snort to activate the new set of rules...
Snort has restarted with your new set of rules.
The Rules update has finished. Time: 2018-08-23 13:31:14
As can be seen from the log, it checked for, found, and downloaded the latest snortrules-snapshot-2.9111.tar.gz file.
-
Thanks for the responses!
It is interesting as I just installed the Snort package the other day so I THOUGHT it would be the most up to date. If the problem was with the OINK code, then it makes sense that the error would be different also.
The 505 code makes it seem like the client cannot speak with the server properly to get the ruleset.
Perhaps it was the time of day - something wrong on the server end with retrieving the file. I'll have to try again later.
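Added example, not part of the thread or of the pfSense Snort package: a small parser for the update log format quoted in the posts above. It reports, per rule set, whether the md5 check completed and which HTTP status the server returned, so a failed Snort Subscriber download is not lost among the successful ones. The function names and the abridged sample log are constructed for illustration.

```python
import re

# Constructed sample: the failing update log from the first post, abridged.
SAMPLE_LOG = """\
Starting rules update... Time: 2018-08-22 21:50:46
Downloading Snort Subscriber rules md5 file snortrules-snapshot-29111.tar.gz.md5...
Snort Subscriber rules md5 download failed.
Server returned error code 505.
Server error message was: 505 HTTP Version Not Supported
Snort Subscriber rules will not be updated.
Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
Checking Snort OpenAppID detectors md5 file...
Snort OpenAppID detectors are up to date.
Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
Checking Emerging Threats Open rules md5 file...
Emerging Threats Open rules are up to date.
The Rules update has finished. Time: 2018-08-22 21:50:47
"""

# Each rule set's section starts with its md5 download line.
START = re.compile(r"^Downloading (?P<name>.+?) md5 file (?P<file>\S+?)\.\.\.$")
HTTP = re.compile(r"^Server returned error code (?P<code>\d{3})\.$")

def parse_update_log(text):
    """Return {ruleset: {"file", "status", "http_code"}} for one update run."""
    results, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = START.match(line)
        if m:
            current = results.setdefault(
                m["name"], {"file": m["file"], "status": "unknown", "http_code": None})
        elif current is None:
            continue  # header lines before the first rule set
        elif line.endswith("md5 download failed."):
            current["status"] = "failed"
        elif (m := HTTP.match(line)):
            current["http_code"] = int(m["code"])
        elif line.endswith("are up to date."):
            current["status"] = "up_to_date"
        elif line.startswith("There is a new set of"):
            current["status"] = "new_rules"
    return results

def stale_rulesets(text):
    """Names of rule sets whose md5 check did not complete in this run."""
    return sorted(n for n, r in parse_update_log(text).items()
                  if r["status"] in ("failed", "unknown"))

if __name__ == "__main__":
    print(stale_rulesets(SAMPLE_LOG))
```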