Snort not downloading rules (pfSense 2.4.5-RELEASE-p1 & Snort 2.9.16.1)


  • Two weeks ago I set up a pfSense firewall and installed two packages, Snort and pfBlockerNG. Since installing Snort, it will only download Emerging Threats and AppID Open Text Rules. Subscriber Rulesets, Community Rules, and OpenAppID Detectors will not download, no matter what I do. All three kick back, "Server returned error 302."

    Things I've tried:
    -Force Update
    -Disabling pfBlockerNG before running an update
    -At first I was using a free Snort account, I then upgraded to a paid subscription
    -After upgrading and trying to download the rulesets, I regenerated my Oinkcode, and dropped it into Snort's Global Settings
    -Reinstalled Snort Package
    -Uninstalled Snort with the option "Click to retain Snort settings after package removal" checked and unchecked

    I also tried SSH'ing into pfSense and manually downloading the .gz files into a temp folder; of the three, only the Subscriber rules (snortrules-snapshot-29161.tar.gz) would download, the other two would time out. I have verified that I can download all three files to my desktop machine that is behind the pfSense firewall. When I go to extract the Subscriber rules, I get this: "tar: Error opening archive: Unrecognized archive format." As far as the commands I used, since I'm not as experienced in Linux as I am with Windows, for downloading I used "fetch -l" (that's a lowercase L), and for extracting I used "tar - xf".

    Short of trying a complete wipe of my firewall and installing a fresh copy of pfSense, I'm not sure what else to try.


  • @idontknowmeiguess said in Snort not downloading rules (pfSense 2.4.5-RELEASE-p1 & Snort 2.9.16.1):

    Two weeks ago I set up a pfSense firewall and installed two packages, Snort and pfBlockerNG. Since installing Snort, it will only download Emerging Threats and AppID Open Text Rules. Subscriber Rulesets, Community Rules, and OpenAppID Detectors will not download, no matter what I do. All three kick back, "Server returned error 302."

    Things I've tried:
    -Force Update
    -Disabling pfBlockerNG before running an update
    -At first I was using a free Snort account, I then upgraded to a paid subscription
    -After upgrading and trying to download the rulesets, I regenerated my Oinkcode, and dropped it into Snort's Global Settings
    -Reinstalled Snort Package
    -Uninstalled Snort with the option "Click to retain Snort settings after package removal" checked and unchecked

    I also tried SSH'ing into pfSense and manually downloading the .gz files into a temp folder; of the three, only the Subscriber rules (snortrules-snapshot-29161.tar.gz) would download, the other two would time out. I have verified that I can download all three files to my desktop machine that is behind the pfSense firewall. When I go to extract the Subscriber rules, I get this: "tar: Error opening archive: Unrecognized archive format." As far as the commands I used, since I'm not as experienced in Linux as I am with Windows, for downloading I used "fetch -l" (that's a lowercase L), and for extracting I used "tar - xf".

    Short of trying a complete wipe of my firewall and installing a fresh copy of pfSense, I'm not sure what else to try.

    The correct command for unpacking a gzip archive like the Snort and ET rules is:

    tar -xzf

    The "z" tells the archive program that the file is in gzip format.

    My guess is something is screwy with DNS on your firewall. I may have asked this in your other thread, I'm not sure. Does the PC where the downloads work use the exact same DNS server as the firewall? That is very critical to your troubleshooting. The firewall will, by default unless you change it, use itself for DNS lookups. Specifically, again unless you changed something, it will use the local unbound daemon in resolver mode. I assume you have installed pfBlockerNG to perhaps take advantage of the DNSBL feature? If so, some IP list you've configured may have put the AWS IP address block where the Snort rules live on a blacklist. Those IP lists folks download from all over the place for "block lists" are very poorly maintained. Heck, some idiot list maintainer in the recent past put the Google DNS servers (8.8.8.8) on their block list.

    So I would turn off pfBlockerNG, make sure all of its auto-installed firewall rules are disabled, and then make sure the DNSBL feature is also disabled and the local resolver cache is flushed (emptied). Then try the Snort rules update in the GUI again.


  • @bmeeks SUCCESS! Disabling DNSBL was the solution. I thought that disabling pfBlockerNG would disable DNSBL at the same time, so I never checked it; well, that's egg on my face.

    Thank you for your help and patience, now it's time to see why DNSBL is blocking Snort updates.


  • @idontknowmeiguess said in Snort not downloading rules (pfSense 2.4.5-RELEASE-p1 & Snort 2.9.16.1):

    @bmeeks SUCCESS! Disabling DNSBL was the solution. I thought that disabling pfBlockerNG would disable DNSBL at the same time, so I never checked it; well, that's egg on my face.

    Thank you for your help and patience, now it's time to see why DNSBL is blocking Snort updates.

    DNSBL is somewhat separate from pfBlockerNG. What pfBlockerNG does is modify the configuration files for the unbound DNS daemon and then starts it with the new configuration. It will run with that configuration until it is changed again.

    I pretty much guarantee you that one of the IP lists you are using is the cause of the problem. As I mentioned, some of those lists are very poorly maintained and consequently wind up with bogus data in them (meaning perfectly safe and legitimate IP address segments get marked as "bad" when they really are not).
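The two checks bmeeks suggests (compare what the firewall's own unbound answers against an outside resolver, and see whether a "downloaded" rules file is really a gzip archive or a web page saved under a .tar.gz name) as an added shell example; this is not code from the thread or from the Snort/pfBlockerNG packages. It assumes pfBlockerNG's DNSBL sinkhole address is 10.10.10.1 (the package default; override with DNSBL_VIP if yours differs), that `drill` from ldns is present as it is on pfSense, and uses 8.8.8.8 as the outside resolver for comparison.

```shell
#!/bin/sh
# Added example: sanity checks for a failing Snort rules update on pfSense.
# Assumption: DNSBL sinkhole VIP is pfBlockerNG's default 10.10.10.1.
DNSBL_VIP="${DNSBL_VIP:-10.10.10.1}"
OUTSIDE_DNS="${OUTSIDE_DNS:-8.8.8.8}"

# Classify a downloaded "rules" file by its first two bytes. A gzip archive
# starts with 0x1f 0x8b; an HTML error/redirect or DNSBL placeholder page
# starts with '<', which is what tar reports as "Unrecognized archive format".
archive_kind() {
  magic=$(od -An -N2 -tx1 "$1" | tr -d ' \n')
  case "$magic" in
    1f8b) echo gzip ;;
    3c*)  echo html ;;
    *)    echo unknown ;;
  esac
}

# Read A records (one per line) on stdin; succeed if any is the sinkhole VIP.
answers_sinkholed() {
  grep -qx "$DNSBL_VIP"
}

# Print the A records a resolver returns for NAME (assumes ldns `drill`).
resolve_a() {  # $1 = hostname, $2 = resolver IP
  drill -Q "$1" A @"$2" 2>/dev/null
}

# Compare the firewall's own resolver with an outside one for a rules host.
# Exit 0 when both agree and nothing is sinkholed, 1 when DNSBL intervenes.
check_rules_host() {  # $1 = hostname the rules are fetched from
  local_ans=$(resolve_a "$1" 127.0.0.1 | sort)
  outside_ans=$(resolve_a "$1" "$OUTSIDE_DNS" | sort)
  if printf '%s\n' "$local_ans" | answers_sinkholed; then
    echo "$1: local unbound returns the DNSBL sinkhole $DNSBL_VIP"
    return 1
  fi
  if [ "$local_ans" != "$outside_ans" ]; then
    echo "$1: local answer [$local_ans] differs from $OUTSIDE_DNS [$outside_ans]"
    return 1
  fi
  echo "$1: resolves identically on the firewall and outside; DNS is not the blocker"
  return 0
}

# Usage on the firewall shell, e.g.:
#   check_rules_host www.snort.org && archive_kind /tmp/snortrules-snapshot-29161.tar.gz
```

Run the file check on whatever `fetch` saved; if it reports `html`, open the file with `head` and you will usually see the redirect or block page that produced the "error 302".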