[Solved] snort faield to up date rules

scorpoin

I've installed snort 3.2.9.8_6 pfsense version 2.4.4 . When I click on update it fail with following error log file.

Starting rules update... Time: 2019-07-02 19:47:09
Downloading Snort Subscriber rules md5 file snortrules-snapshot-29120.tar.gz.md5...
Snort Subscriber rules md5 download failed.
Server returned error code 505.
Server error message was: 505 HTTP Version Not Supported
Snort Subscriber rules will not be updated.

I search in package manager for update package but keep getting verison 3 as updated.

Regards

NogBadTheBad

Works fine here.

You have got a valid Oinkmaster Code ?

Services -> Snort -> Global Settings -> Snort Subscriber Rules

https://forum.netgate.com/topic/71578/pfsense-snort-vrt-subsciption-error-505-solved

bmeeks

Make sure your Oinkcode is still valid (not expired, if using a paid subscription) and also make sure there is no extra space at the beginning or end of the Oinkcode in the text box on the GLOBAL SETTINGS page.

You might also just need to wait a bit and try again. Snort rules are hosted on AWS infrastructure, and depending on where you are in the world you may be hitting a different physical server than @NogBadTheBad or I would. You have the latest version of the Snort package, so don't worry about an update. You either have something wrong with your Oinkcode or the server you are getting directed to for rules download has a temporary issue.

scorpoin

thanks for respoinse , I'm also using pfblockerng is this a case where it might be blocked? can any one share me the update url so I will add it into white-list in pfblocker-ng . I'm using free subscription for now.

Regards

bmeeks

@scorpoin said in snort faield to up date rules:

thanks for respoinse , I'm also using pfblockerng is this a case where it might be blocked? can any one share me the update url so I will add it into white-list in pfblocker-ng . I'm using free subscription for now.

Regards

Yes, there have been reported instances in the past where the AWS IP space used by the Snort rules update process has gotten on an IP list that users may enable in pfBlockerNG.

This is the base URL: https://www.snort.org/rules/. Your Oinkcode is added to the end as a query string.

I'll repeat my troubleshooting advice one more time here for all to see. ANYTIME you are getting failures of downloads or similar issues and you are running Snort, Suricata or pfBlockerNG you should immediately suspect one of those as the potential cause and starting disabling them in some sequence to find the culprit. In this case, since Snort nor Suricata is likely to block their own downloads, I would have suspected pfBlockerNG and disabled it first to see if the rules update succeeds. If it does, then you have found your problem and can then look for a solution.

scorpoin

@bmeeks said in snort faield to up date rules:

@scorpoin said in snort faield to up date rules:

thanks for respoinse , I'm also using pfblockerng is this a case where it might be blocked? can any one share me the update url so I will add it into white-list in pfblocker-ng . I'm using free subscription for now.

Regards

Yes, there have been reported instances in the past where the AWS IP space used by the Snort rules update process has gotten on an IP list that users may enable in pfBlockerNG.

This is the base URL: https://www.snort.org/rules/. Your Oinkcode is added to the end as a query string.

I'll repeat my troubleshooting advice one more time here for all to see. ANYTIME you are getting failures of downloads or similar issues and you are running Snort, Suricata or pfBlockerNG you should immediately suspect one of those as the potential cause and starting disabling them in some sequence to find the culprit. In this case, since Snort nor Suricata is likely to block their own downloads, I would have suspected pfBlockerNG and disabled it first to see if the rules update succeeds. If it does, then you have found your problem and can then look for a solution.

@beemks thank you very much issue is resolved , bymistake I added an extra space in Oinkcode . Mark this thread as solved

Regards

bmeeks

@scorpoin said in [Solved] snort faield to up date rules:

@beemks thank you very much issue is resolved , bymistake I added an extra space in Oinkcode . Mark this thread as solved

Regards

I've added an entry to my internal bug tracking list to check for and trim off any extraneous spaces on the Oinkcode or ET-Pro code before storing them in the configuration. I'll put that in the next update for Snort. Neither of those codes should have spaces in them, but it's easy for one to slip in unnoticed since you can't see it on the screen.

scorpoin

yups fixed this in next release to avoid extra space.