I'm having problems downloading Snort AppID Open Text Rules
-
Hi, I have Snort set to check for rules updates every 24 hours.
The AppID Open Text Rules are failing to download. The log shows an 'SSL certificate problem'. Is anyone else getting this? I'm getting it on two different pfSense machines. The first is a NetGate SG-5100. The second is a Hyper-V VM. My other rulesets are downloading successfully.
Downloading Snort AppID Open Text Rules md5 file appid_rules.tar.gz.md5...
Snort AppID Open Text Rules md5 download failed.
Server returned error code 0.
Server error message was: SSL certificate problem: certificate has expired
Snort AppID Open Text Rules will not be updated.
-
That rules file is hosted by Netgate on their own infrastructure. Perhaps the SSL cert on their web server has expired?
I'll ping @stephenw10 by mentioning him in this thread. Perhaps he can have a look at the web server cert.
But just to be sure the problem is not on your end, have you verified the time and date are set correctly on both boxes? I would expect to see more posts about the problem if it was actually on the Netgate site.
-
@bmeeks Thanks for your reply. I checked time on both pfSense machines, and they are both correct.
-
@bfost said in I'm having problems downloading Snort AppID Open Text Rules:
@bmeeks Thanks for your reply. I checked time on both pfSense machines, and they are both correct.
In that case we will have to wait for @stephenw10 to chime in on this thread.
However, those rules have not been actually updated in quite some time, so there is no downside for now of the download failing unless you are performing a greenfield install or reinstalling the Snort package.
-
I noticed this problem some time ago as well. This ruleset wasn't updating. Out of curiosity, I uninstalled and reinstalled Snort to see what would happen. The ruleset installed, but it hasn't updated since. Is this because the ruleset isn't being updated or because of some other problem?
-
@bimmerdriver said in I'm having problems downloading Snort AppID Open Text Rules:
I noticed this problem some time ago as well. This ruleset wasn't updating. Out of curiosity, I uninstalled and reinstalled Snort to see what would happen. The ruleset installed, but it hasn't updated since. Is this because the ruleset isn't being updated or because of some other problem?
That ruleset is not being updated, and it has not been updated for a few years. There are no plans to update it either, that I am aware of.
It was created by a team of students and their professor at a university in Brazil and contributed to the pfSense Snort community. For a time they hosted the rules package on the university's server and kept it updated. But due to GeoIP blocking on the university's network, a number of pfSense users in other countries could not download the contributed rules. So, Netgate agreed to host the rules archive package on one of their servers. But Netgate did NOT agree to update the rules -- only to host the archive as it was uploaded by the Brazilian university team. After a period of time the student team in Brazil stopped updating those rules, so they are now quite out of date. But the archive still exists on Netgate's server. It's frozen at the last version that the Brazil team uploaded quite some time ago.
The package can still be valuable as a "starter set of rules" for you to update as necessary.
-
I am really into the open app rules. They have a way to link the database into rules, so I wrote a Java program to convert the whole list. So I took the Snort database and created text rules based on what Snort has listed with the program. It's a monster list, but it works. It takes a long time to fine-tune what you want approved; it took me like a year to suppress specific text rules after I did it. But now everyone in our home is happy, and weird stuff we don't use sometimes shows up and is blocked out. Snort @bmeeks is amazing. Best IPS/IDS tool. I purchased the subscription rules too.
https://forum.netgate.com/topic/183210/guide-snort-s-appid-custom-rules-quick-guide-to-blocking-example-shows-openai-chatgpt-or-itunes