Netgate Discussion Forum

    Beginning to Snort

    IDS/IPS
      noexit

      I'm a novice pfSense user and have been using it for my home system for several years now. I've decided to take on the next possible step and learn Snort for Intrusion Detection. I'm on pfSense 2.3.4-RELEASE-p1 (i386) and installed Snort package 3.2.9.5_3 from the Package Manager. When attempting to apply the initial updates I get error 422 when downloading the Snort VRT Rules and a recurring MD5 error when attempting to update the Snort OpenAppID RULES Detectors. Below are my last two attempts in the log. Any idea what I need to do next? Your support is greatly appreciated as I take on this new learning project:
      Starting rules update... Time: 2021-05-16 13:46:32
      Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
      Snort VRT rules md5 download failed.
      Server returned error code 422.
      Server error message was:
      Snort VRT rules will not be updated.
      Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
      Checking Snort OpenAppID detectors md5 file...
      Snort OpenAppID detectors are up to date.
      Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
      Checking Snort OpenAppID RULES detectors md5 file...
      There is a new set of Snort OpenAppID RULES detectors posted.
      Downloading file 'appid_rules.tar.gz'...
      Done downloading rules file.
      Snort OpenAppID RULES detectors file download failed. Bad MD5 checksum.
      Downloaded Snort OpenAppID RULES detectors file MD5: 4a919586ee271f633a04b406b1332bf9
      Expected Snort OpenAppID RULES detectors file MD5: d4539caec45fdb0484ded9de593e0dc4
      Snort OpenAppID RULES detectors file download failed. Snort OpenAppID RULES detectors will not be updated.
      Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
      Checking Snort GPLv2 Community Rules md5 file...
      Snort GPLv2 Community Rules are up to date.
      Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
      Checking Emerging Threats Open rules md5 file...
      Emerging Threats Open rules are up to date.
      The Rules update has finished. Time: 2021-05-16 13:46:41

      Starting rules update... Time: 2021-05-16 13:47:35
      Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
      Snort VRT rules md5 download failed.
      Server returned error code 422.
      Server error message was:
      Snort VRT rules will not be updated.
      Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
      Checking Snort OpenAppID detectors md5 file...
      There is a new set of Snort OpenAppID detectors posted.
      Downloading file 'snort-openappid.tar.gz'...
      Done downloading rules file.
      Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
      Checking Snort OpenAppID RULES detectors md5 file...
      There is a new set of Snort OpenAppID RULES detectors posted.
      Downloading file 'appid_rules.tar.gz'...
      Done downloading rules file.
      Snort OpenAppID RULES detectors file download failed. Bad MD5 checksum.
      Downloaded Snort OpenAppID RULES detectors file MD5: 4a919586ee271f633a04b406b1332bf9
      Expected Snort OpenAppID RULES detectors file MD5: d4539caec45fdb0484ded9de593e0dc4
      Snort OpenAppID RULES detectors file download failed. Snort OpenAppID RULES detectors will not be updated.
      Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
      Checking Snort GPLv2 Community Rules md5 file...
      There is a new set of Snort GPLv2 Community Rules posted.
      Downloading file 'community-rules.tar.gz'...
      Done downloading rules file.
      Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
      Checking Emerging Threats Open rules md5 file...
      There is a new set of Emerging Threats Open rules posted.
      Downloading file 'emerging.rules.tar.gz'...
      Done downloading rules file.
      Extracting and installing Snort OpenAppID detectors...
      Installation of Snort OpenAppID detectors completed.
      Extracting and installing Snort GPLv2 Community Rules...
      Installation of Snort GPLv2 Community Rules completed.
      Extracting and installing Emerging Threats Open rules...
      Installation of Emerging Threats Open rules completed.
      Copying new config and map files...
      Warning: No interfaces configured for Snort were found...
      The Rules update has finished. Time: 2021-05-16 13:47:48

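The log above shows the sequence the rules updater runs for every rule set: fetch the small .md5 sidecar, compare it with the digest of the installed set, download the tarball only if they differ, hash the download, and install only when the digest matches (the OpenAppID RULES detectors were left untouched precisely because that last step failed). The following Python is an added example that replays that sequence offline; it is not code from the thread or from the pfSense Snort package. The sidecar format (a bare digest or md5sum-style "digest  filename"), the fetcher callables returning (http_status, body) and the sample tarball bytes are all constructed assumptions. Note that an MD5 sidecar fetched over the same channel as the tarball catches corruption, truncation or a snapshot/sidecar mismatch, which is what a checksum is for; it is not an authenticity check.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed sample data (not from the thread): a stand-in for a rules tarball.
SAMPLE_TARBALL = b"fake appid_rules.tar.gz contents, constructed for this example\n"

# Shape assumed for the download stubs: (http_status, body_bytes).
Fetcher = Callable[[], Tuple[int, bytes]]


def md5_hex(data: bytes) -> str:
    """Lowercase hex MD5 of data, the value the package prints as 'Downloaded ... MD5'."""
    return hashlib.md5(data).hexdigest()


def parse_md5_sidecar(text: str) -> str:
    """Pull the 32-hex-digit digest out of a .md5 sidecar file.

    Assumption: the sidecar is either a bare digest or md5sum-style
    'digest  filename'. Anything else (an HTML error page, a truncated
    body) raises ValueError so it is never compared as if it were a digest.
    """
    m = re.match(r"\s*([0-9a-fA-F]{32})(?:\s+\*?\S.*)?\s*$", text)
    if not m:
        raise ValueError("no 32-character hex MD5 digest found in sidecar")
    return m.group(1).lower()


@dataclass
class UpdateResult:
    status: str   # "server_error", "up_to_date", "bad_checksum" or "updated"
    detail: str


def update_ruleset(name: str, installed_md5: str,
                   fetch_sidecar: Fetcher, fetch_tarball: Fetcher) -> UpdateResult:
    """Replay the per-ruleset sequence visible in the log.

    1. fetch the .md5 sidecar; any non-200 answer aborts this ruleset,
    2. compare it with the digest of the installed set; equal means up to date,
    3. otherwise download the tarball and hash it,
    4. install only when the digest matches the sidecar; a mismatch leaves the
       installed set untouched, as the log shows for appid_rules.tar.gz.
    """
    status, body = fetch_sidecar()
    if status != 200:
        return UpdateResult("server_error", f"{name}: md5 download failed, server returned {status}")
    try:
        expected = parse_md5_sidecar(body.decode("ascii", errors="replace"))
    except ValueError as exc:
        return UpdateResult("server_error", f"{name}: {exc}")
    if expected == installed_md5.lower():
        return UpdateResult("up_to_date", f"{name} are up to date")
    status, tarball = fetch_tarball()
    if status != 200:
        return UpdateResult("server_error", f"{name}: tarball download failed, server returned {status}")
    actual = md5_hex(tarball)
    if actual != expected:
        return UpdateResult("bad_checksum",
                            f"{name}: downloaded MD5 {actual}, expected {expected}; not installing")
    # Only at this point would the real package extract and install the tarball.
    return UpdateResult("updated", f"{name}: MD5 {actual} verified, safe to extract")


def run_demo() -> Dict[str, str]:
    """Four constructed scenarios mirroring the log: a 422 on the sidecar, a
    tarball that arrives truncated, a set that is already current, and a clean
    update. Returns {ruleset name: status}."""
    good_md5 = md5_hex(SAMPLE_TARBALL)
    sidecar_ok: Fetcher = lambda: (200, f"{good_md5}  rules.tar.gz\n".encode())
    scenarios = {
        "Snort VRT rules": ("", lambda: (422, b""), lambda: (200, SAMPLE_TARBALL)),
        "Snort OpenAppID RULES detectors": ("", sidecar_ok, lambda: (200, SAMPLE_TARBALL[:-7])),
        "Emerging Threats Open rules": (good_md5, sidecar_ok, lambda: (200, SAMPLE_TARBALL)),
        "Snort GPLv2 Community Rules": ("0" * 32, sidecar_ok, lambda: (200, SAMPLE_TARBALL)),
    }
    results: Dict[str, str] = {}
    for name, (installed, sidecar, tarball) in scenarios.items():
        res = update_ruleset(name, installed, sidecar, tarball)
        print(res.detail)
        results[name] = res.status
    return results


if __name__ == "__main__":
    run_demo()
```

Running the block prints one line per rule set in the same order of outcomes as the log (server error, bad checksum, up to date, updated). The point worth keeping from it is the refusal path: a bad digest or a non-digest sidecar body is treated as "do not touch the installed set", which is exactly why the first post's OpenAppID RULES detectors stayed on the old version instead of being replaced by a corrupt or mismatched tarball.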
        noexit

        Could this problem be because I'm not a "Paid" user?

          jdeloach @noexit

          @noexit

          The version of pfSense and Snort that you are running are both ancient, and Snort is probably trying to download a set of rules that is not compatible with that old a version of Snort. This is my guess. Really need @bmeeks, the maintainer of the Snort package, to chime in here. I don't know if they maintain Snort rule sets for the old versions of Snort but most likely don't.

          You really need to update your pfSense to the latest version so you can run the latest version of Snort. Yes, I understand, that will most likely require newer hardware since i386 versions of pfSense are NO longer supported.

          @bmeeks will be the one that can best answer your question.

            noexit @jdeloach

            @jdeloach Your last comment there about i386 versions of pfSense not being supported probably explains why I'm not getting any further updates. Ahhh fun! Well, I think I've got another PC around here that'll take 64. That said, without being too much of a tangent, does anyone know if there's a RaspberryPi or equivalent "Low Power" appliance that I can run pfSense on?

              bmeeks

              The Snort team periodically deprecates older Snort version rules. You can visit the Snort.org site to see which rules are current for the 2.9.x branch of Snort.

                SteveITS @noexit

                @noexit said in Beginning to Snort:

                RaspberryPi or equivalent "Low Power" appliance

                Netgate has ARM appliances using pfSense Plus. Otherwise the open source pfSense is available on AMD64.

                Only install packages for your version, or risk breaking it. If yours is older, select it in System/Update/Update Settings.
                When upgrading, let it finish. Allow 10-15 minutes, or more depending on packages and device speed.
