Snort Rules Update is failing



  • Almost every time an automatic update to the subscribed Snort rule set takes place it fails and the log shows, "Downloading Snort Subscriber rules md5 file snortrules-snapshot-29120.tar.gz.md5...Snort Subscriber rules md5 download failed. Server returned error code 500. Server error message was: 500 Internal Server Error. Snort Subscriber rules will not be updated." I can manually kick off the update and it succeeds. Is there anyone else experiencing this issue and is there a resolution. I'm on the latest prod version of pfSense.

    Thanks,
    Jon



  • What time of day do you have configured for your automatic update? I've found that anything around midnight US Eastern time will frequently fail as that is apparently when the file is being updated on the Amazon Web Services site. No proof of this theory, just an idea ... 😕 .

    The fact a manual update suceeds for you leads me to think you may have that midnight problem. Try moving the update to some other time. I use 0130 (1:30 AM US Eastern Time) and mine never fails. A long time ago, my midnight updates frequently failed.

    Earlier this week, late at night while testing some Snort code changes, I was uninstalling and re-installing Snort on a virtual machine over and over. Things were going great until around midnight (about 15 minutes before and after, to be exact), then the rules download would fail with the 500 error for the MD5 file just like you are getting. I continued my coding and testing anyway since I didn't need the Snort Subscriber rules for testing, and after about 12:30 AM the downloads started working again.