Netgate Discussion Forum

Problem download Rules in Snort

IDS/IPS
6 Posts 2 Posters 1.3k Views
    Peter_APIIT
    last edited by Dec 18, 2020, 3:40 AM

    Dear All,
    I tried to download rules from the pfSense GUI, but it failed many times. I don't know what the reason is. Can anyone pinpoint the root cause for me? Thanks.

      Peter_APIIT @Peter_APIIT
      last edited by Dec 18, 2020, 3:45 AM

      This is the log I got from System -> General.

      [Snort] Snort GPLv2 Community Rules file download failed... server returned error '302'...

        bmeeks
        last edited by Dec 18, 2020, 1:57 PM

        Go read this thread and follow the steps there to see if it helps with your problem: https://forum.netgate.com/topic/159093/snort-not-downloading-rules-pfsense-2-4-5-release-p1-snort-2-9-16-1. You may find the problem is self-inflicted like the user in the other thread discovered. The GPLv2 rules download has been tested and verified working several times recently.

          Peter_APIIT @bmeeks
          last edited by Peter_APIIT Dec 19, 2020, 4:28 AM

          @bmeeks

          The thread mentioned that the DNSBL feature needs to be disabled.
          I tried stopping the DNSBL service, but it still failed to download the rules. How do I completely disable the DNSBL feature?

          I found the Snort rule update log:

          Starting rules update...  Time: 2020-12-18 20:02:51
          	Downloading Snort Subscriber rules md5 file snortrules-snapshot-29161.tar.gz.md5...
          	Snort Subscriber rules md5 download failed.
          	Server returned error code .
          	Server error message was: Failed to create file /tmp/snort_rules_up/snortrules-snapshot-29161.tar.gz.md5
          	Snort Subscriber rules will not be updated.
          	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
          	Snort GPLv2 Community Rules md5 download failed.
          	Server returned error code .
          	Server error message was: Failed to create file /tmp/snort_rules_up/community-rules.tar.gz.md5
          	Snort GPLv2 Community Rules will not be updated.
          The Rules update has finished.  Time: 2020-12-18 20:02:51
          

          This is the syslog I found.

          [Snort] Rules download error: SSL certificate problem: unable to get local issuer certificate.
          

          I checked the "Disable SSL verification" option for rule updates. Now I get this error:

          SSL: no alternative certificate subject name matches target host name 'snort-org-site.s3.amazonaws.com'
          

          What is the solution?

          Thanks.

            Peter_APIIT @Peter_APIIT
            last edited by Dec 19, 2020, 4:57 AM

            Uninstalling pfBlockerNG solved the problem.

              bmeeks @Peter_APIIT
              last edited by bmeeks Dec 19, 2020, 2:55 PM

              @peter_apiit said in Problem download Rules in Snort:

              Uninstalling pfBlockerNG solved the problem.

              That's what I suspected. When you install packages like pfBlockerNG and then subscribe and activate a bunch of feeds for it to block things from, you open yourself up to lots of potential issues. As I mentioned in other threads, those IP lists (feeds to use the pfBlockerNG term) are frequently poorly maintained by their creators. By that I mean they contain IP address subnets that house perfectly legitimate services. Like half the world probably uses Amazon Web Services (AWS) infrastructure, and thus its IP subnets, to host a service. So when some IP List or Feed you activate in pfBlockerNG does a very poor job of policing the list of IP addresses it uses and just plops an entire AWS subnet on the list without carefully and critically checking what they've done, then legitimate stuff gets blocked when it shouldn't be.

              I am not a fan at all of loading up a bunch of IP address feeds and blocking everything on those lists. Not a very good way to manage your firewall in my personal opinion. Unless you are diligent and examine the lists carefully and review blocks very frequently in order to whitelist stuff, then you will get nuisance blocks often. What happened to you is a perfect example of what I'm talking about.

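The two ways the thread's rule download could have been cut off by the firewall itself (an aggregated IP feed that swallows a cloud provider's subnet, as bmeeks describes, or DNSBL answering a needed host name with its own sinkhole address so TLS then fails with a certificate name mismatch) can both be spotted with a small offline pre-flight check before the next update run. The script below is an added example, not code from this thread or from the Snort or pfBlockerNG packages. The feed entries, the DNS answers and the second host name are constructed for illustration; only the S3 host name comes from the error message above. The DNSBL sink address 10.10.10.1 is an assumption about pfBlockerNG's default virtual IP and should be replaced with the value shown in your own DNSBL settings.

```python
"""Offline pre-flight check: would an IDS rule-update host be blocked by our own feeds?

Added example, not code from the Netgate thread or from Snort/pfBlockerNG.
Feed contents, DNS answers and the sink address are constructed; in practice they
come from your feed files, your resolver and your pfBlockerNG DNSBL configuration.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Host named in the thread's SSL error, plus a constructed placeholder mirror name.
REQUIRED_HOSTS = ["snort-org-site.s3.amazonaws.com", "rules.example.net", "mirror.example.net"]

# Constructed resolver answers (what the firewall would see for each host today).
DNS_ANSWERS: Dict[str, List[str]] = {
    "snort-org-site.s3.amazonaws.com": ["198.18.45.7"],   # constructed address
    "rules.example.net": ["10.10.10.1"],                  # constructed: answered by DNSBL sink
    "mirror.example.net": ["192.0.2.8"],                  # constructed, unblocked
}

# Assumed pfBlockerNG DNSBL virtual IP; verify against your own DNSBL settings.
DNSBL_SINK = "10.10.10.1"

# Constructed feed files. The first contains a /15 that covers the S3 host above,
# mimicking a feed that dumps a whole provider range, plus a malformed line.
FEEDS_RAW: Dict[str, List[str]] = {
    "aggregate-feed": ["198.18.0.0/15  # huge range, never reviewed", "203.0.113.0/24", "not an ip", "192.0.2.7"],
    "curated-feed": ["203.0.113.0/24"],
}


def load_feeds(raw: Dict[str, Iterable[str]]) -> Dict[str, List[IPNet]]:
    """Parse feed lines into networks; bare addresses become host routes, junk lines are skipped."""
    parsed: Dict[str, List[IPNet]] = {}
    for name, lines in raw.items():
        nets: List[IPNet] = []
        for line in lines:
            entry = line.split("#", 1)[0].strip()   # drop trailing comments
            if not entry:
                continue
            try:
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                continue                              # real feeds do contain garbage lines
        parsed[name] = nets
    return parsed


def find_blocking_feeds(addr: str, feeds: Dict[str, List[IPNet]]) -> List[Tuple[str, str]]:
    """Return (feed name, network) pairs whose network contains addr."""
    ip = ipaddress.ip_address(addr)
    return [(name, str(net)) for name, nets in feeds.items() for net in nets if ip in net]


def broad_prefixes(feeds: Dict[str, List[IPNet]], max_prefixlen: int = 16) -> List[Tuple[str, str]]:
    """Flag coarse entries (prefix length <= max_prefixlen) that deserve a manual review."""
    return [(name, str(net)) for name, nets in feeds.items() for net in nets if net.prefixlen <= max_prefixlen]


def check_host(host: str, answers: List[str], feeds: Dict[str, List[IPNet]], sink: str) -> dict:
    """Decide whether a rule-update host is sinkholed by DNSBL or covered by an IP feed."""
    sink_ip = ipaddress.ip_address(sink)
    resolved = [ipaddress.ip_address(a) for a in answers]
    ip_blocks: Dict[str, List[Tuple[str, str]]] = {}
    for ip in resolved:
        hits = find_blocking_feeds(str(ip), feeds)
        if hits:
            ip_blocks[str(ip)] = hits
    sinkholed = any(ip == sink_ip for ip in resolved)   # TLS would hit the DNSBL web server, not the real site
    return {"host": host, "dnsbl_sinkholed": sinkholed, "ip_blocks": ip_blocks,
            "reachable": not sinkholed and not ip_blocks}


def run_preflight(hosts: List[str], answers: Dict[str, List[str]],
                  raw_feeds: Dict[str, List[str]], sink: str) -> Dict[str, dict]:
    feeds = load_feeds(raw_feeds)
    return {h: check_host(h, answers.get(h, []), feeds, sink) for h in hosts}


if __name__ == "__main__":
    for host, result in run_preflight(REQUIRED_HOSTS, DNS_ANSWERS, FEEDS_RAW, DNSBL_SINK).items():
        status = "ok" if result["reachable"] else "BLOCKED"
        print(f"{host}: {status}  sinkholed={result['dnsbl_sinkholed']}  ip_blocks={result['ip_blocks']}")
    for feed, net in broad_prefixes(load_feeds(FEEDS_RAW)):
        print(f"review: {feed} carries coarse prefix {net}")
```

Run it on the firewall (or anywhere with the feed files and the firewall's resolver answers) before turning on a new feed: a host that comes back sinkholed explains a certificate name mismatch like the one in the thread, a host that lands inside a feed network explains a silent download failure, and the coarse-prefix report lists exactly the entries bmeeks warns about, so they can be whitelisted or the feed dropped.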