Netgate Discussion Forum

    [Solved] Snort failed to update rules

      scorpoin

      I've installed Snort 3.2.9.8_6 on pfSense version 2.4.4. When I click on update, it fails with the following error in the log file.

      Starting rules update... Time: 2019-07-02 19:47:09
      Downloading Snort Subscriber rules md5 file snortrules-snapshot-29120.tar.gz.md5...
      Snort Subscriber rules md5 download failed.
      Server returned error code 505.
      Server error message was: 505 HTTP Version Not Supported
      Snort Subscriber rules will not be updated.

      I searched in the package manager for an updated package but keep getting version 3 as updated.

      Regards

        NogBadTheBad

        Works fine here.

        You have got a valid Oinkmaster Code?

        Services -> Snort -> Global Settings -> Snort Subscriber Rules

        https://forum.netgate.com/topic/71578/pfsense-snort-vrt-subsciption-error-505-solved

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          bmeeks

          Make sure your Oinkcode is still valid (not expired, if using a paid subscription) and also make sure there is no extra space at the beginning or end of the Oinkcode in the text box on the GLOBAL SETTINGS page.

          You might also just need to wait a bit and try again. Snort rules are hosted on AWS infrastructure, and depending on where you are in the world you may be hitting a different physical server than @NogBadTheBad or I would. You have the latest version of the Snort package, so don't worry about an update. You either have something wrong with your Oinkcode or the server you are getting directed to for rules download has a temporary issue.

            scorpoin

            Thanks for the response. I'm also using pfBlockerNG; is this a case where it might be blocked? Can anyone share the update URL with me so I can add it to the whitelist in pfBlockerNG? I'm using the free subscription for now.

            Regards

              bmeeks @scorpoin

              Yes, there have been reported instances in the past where the AWS IP space used by the Snort rules update process has gotten on an IP list that users may enable in pfBlockerNG.

              This is the base URL: https://www.snort.org/rules/. Your Oinkcode is added to the end as a query string.

              I'll repeat my troubleshooting advice one more time here for all to see. ANYTIME you are getting failures of downloads or similar issues and you are running Snort, Suricata or pfBlockerNG, you should immediately suspect one of those as the potential cause and start disabling them in some sequence to find the culprit. In this case, since neither Snort nor Suricata is likely to block their own downloads, I would have suspected pfBlockerNG and disabled it first to see if the rules update succeeds. If it does, then you have found your problem and can then look for a solution.

                scorpoin @bmeeks

                @bmeeks thank you very much, the issue is resolved. By mistake I added an extra space in the Oinkcode. Mark this thread as solved.

                Regards

                  bmeeks @scorpoin

                  I've added an entry to my internal bug tracking list to check for and trim off any extraneous spaces on the Oinkcode or ET-Pro code before storing them in the configuration. I'll put that in the next update for Snort. Neither of those codes should have spaces in them, but it's easy for one to slip in unnoticed since you can't see it on the screen.

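The trim-before-store check described in the post above, as an added example (not code from the Snort package or from anyone in this thread). It also shows how an unencoded trailing space changes the shape of the HTTP request line. The `oinkcode` parameter name, the helper names and the sample code value are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlencode

BASE_URL = "https://www.snort.org/rules/"  # base URL quoted in the thread
# Constructed sample value, not a real Oinkcode.
SAMPLE_CODE = "0123456789abcdef0123456789abcdef01234567"


def _is_blank(ch: str) -> bool:
    # Whitespace (including no-break space) plus control and invisible
    # format characters such as zero-width space or a byte-order mark.
    return ch.isspace() or unicodedata.category(ch) in ("Cc", "Cf")


def normalize_code(raw: str) -> str:
    """Trim blank characters from both ends; refuse any left inside."""
    start, end = 0, len(raw)
    while start < end and _is_blank(raw[start]):
        start += 1
    while end > start and _is_blank(raw[end - 1]):
        end -= 1
    code = raw[start:end]
    if not code:
        raise ValueError("code is empty")
    if any(_is_blank(ch) for ch in code):
        raise ValueError("code contains whitespace or invisible characters")
    return code


def rules_url(filename: str, raw_code: str) -> str:
    # Assumption: the code travels as an "oinkcode" query parameter.
    query = urlencode({"oinkcode": normalize_code(raw_code)})
    return f"{BASE_URL}{filename}?{query}"


def naive_request_line(filename: str, stored_code: str) -> str:
    # Hypothetical client that appends the stored value as typed.
    return f"GET /rules/{filename}?oinkcode={stored_code} HTTP/1.1"


def request_line_fields(line: str) -> list:
    # A well-formed request line has three fields: method, target, version.
    return line.split(" ")


if __name__ == "__main__":
    name = "snortrules-snapshot-29120.tar.gz.md5"
    print(rules_url(name, SAMPLE_CODE + " "))
    print(request_line_fields(naive_request_line(name, SAMPLE_CODE + " ")))
```

With the untrimmed value the request line splits into four fields and the third one, where the version belongs, is empty; with the normalized value it splits into the expected three.
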
                    scorpoin

                    yups fixed this in next release to avoid extra space.
