Netgate Discussion Forum

    snort install - rules md5 checksum failed

    • J
      jonrusk
      last edited by

      Tried installing Snort. The rules would not update. Reinstalled Snort. MD5 checksums are failing.

      pfSense 2.6.0 in an HA failover

      >>> Installing pfSense-pkg-snort... 
      Updating pfSense-core repository catalogue...
      pfSense-core repository is up to date.
      Updating pfSense repository catalogue...
      pfSense repository is up to date.
      All repositories are up to date.
      Checking integrity... done (0 conflicting)
      The following 5 package(s) will be affected (of 0 checked):
      
      New packages to be INSTALLED:
      	daq: 2.2.2_3 [pfSense]
      	libdnet: 1.13_3 [pfSense]
      	libpcap: 1.10.1_2 [pfSense]
      	pfSense-pkg-snort: 4.1.6 [pfSense]
      	snort: 2.9.20 [pfSense]
      
      Number of packages to be installed: 5
      
      The process will require 10 MiB more space.
      [1/5] Installing libdnet-1.13_3...
      [1/5] Extracting libdnet-1.13_3: .......... done
      [2/5] Installing libpcap-1.10.1_2...
      [2/5] Extracting libpcap-1.10.1_2: .......... done
      [3/5] Installing daq-2.2.2_3...
      [3/5] Extracting daq-2.2.2_3: .......... done
      [4/5] Installing snort-2.9.20...
      [4/5] Extracting snort-2.9.20: .......... done
      [5/5] Installing pfSense-pkg-snort-4.1.6...
      [5/5] Extracting pfSense-pkg-snort-4.1.6: .......... done
      Saving updated package information...
      done.
      Loading package configuration... done.
      Configuring package components...
      Loading package instructions...
      Custom commands...
      Executing custom_php_install_command()...Saved settings detected.
      Migrating settings to new configuration... done.
      Downloading configured rule sets. This may take some time...
      Downloading Snort Subscriber rules md5 file... done.
      Checking Snort Subscriber rules md5 file... done.
      There is a new set of Snort Subscriber rules posted.
      Downloading snortrules-snapshot-29200.tar.gz... done.
      Snort Subscriber rules file MD5 checksum failed...
      Downloading Snort OpenAppID detectors md5 file... FAILED!
      Snort OpenAppID detectors md5 error ... Server returned error code  ...
      Snort OpenAppID detectors will not be updated.
      Server returned error code .
      Downloading Snort AppID Open Text Rules md5 file... FAILED!
      Snort AppID Open Text Rules md5 error ... Server returned error code  ...
      Snort AppID Open Text Rules will not be updated.
      Server returned error code .
      Downloading Snort GPLv2 Community Rules md5 file... FAILED!
      Snort GPLv2 Community Rules md5 error ... Server returned error code  ...
      Snort GPLv2 Community Rules will not be updated.
      Server returned error code .
      Downloading Emerging Threats Open rules md5 file... FAILED!
      Emerging Threats Open rules md5 error ... Server returned error code  ...
      Emerging Threats Open rules will not be updated.
      Server returned error code .
      Downloading Feodo Tracker Botnet C2 IP rules file...Feodo Tracker Botnet C2 IP rules file download failed!
      Cleaning up temp dirs and files... done.
      The Rules update has finished.
      Finished downloading and installing configured rules.
      Generating snort.conf configuration file from saved settings.
      Generating configuration for WAN...
       done.
      Generating snort.sh script in /usr/local/etc/rc.d/... done.
      Finished rebuilding Snort configuration files.
      done.
      Executing custom_php_resync_config_command()...
      done.
      Menu items... done.
      Services... done.
      Writing configuration... done.
      Please visit Services - Snort - Interfaces tab first and select your desired rules. Afterwards visit the Updates tab to download your configured rulesets.=====
      Message from snort-2.9.20:
      
      --
      Snort uses rcNG startup script and must be enabled via /etc/rc.conf
      Please see /usr/local/etc/rc.d/snort
      for list of available variables and their description.
      Configuration files are located in /usr/local/etc/snort directory.
      
      Please note that, by default, snort will truncate packets larger than the
      default snaplen of 15158 bytes.  Additionally, LRO may cause issues with
      Stream5 target-based reassembly.  It is recommended to disable LRO, if
      your card supports it.
      
      This can be done by appending '-lro' to your ifconfig_ line in rc.conf.
      =====
      Message from pfSense-pkg-snort-4.1.6:
      
      --
      Please visit Services - Snort - Interfaces tab first to add an interface, then select your desired rules packages at the Services - Snort - Global tab. Afterwards visit the Updates tab to download your configured rulesets.
      >>> Cleaning up cache... done.
      Success
      
      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by bmeeks

        Are you using a RAM disk? If so, you must have at least 256 MB of free space on the /tmp disk partition (and preferably more than that) for the rule downloads and unpacking to succeed. The MD5 checksum error is a possible symptom of running out of disk space.

        You can't tell that an out-of-disk-space error happened unless you look in the system log around the time of the rules update or package installation. That's because Snort cleans up behind itself and deletes the partial files from /tmp.

        Since it appears all of your downloads failed to verify, running out of disk space is my first suspicion. Of course you may also have a problem where Snort is not able to connect to the AWS infrastructure where the rules archives actually reside. The snort.org download URLs will in reality redirect to AWS IP address space. Are you running anything that might be blocking access there?

        J 1 Reply Last reply Reply Quote 2
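A pre-flight check for the condition described in the reply above, as an added example that is not part of the original thread or of the Snort package: it tests the 256 MB free-space figure on /tmp and counts "filesystem full" kernel messages that would explain a failed checksum. Assumptions: the function names, the /var/log/system.log path, a UFS-backed RAM disk that logs the standard FreeBSD "filesystem full" message, and the constructed sample data.

```shell
#!/bin/sh
MIN_FREE_MB=256   # minimum free space on /tmp quoted in the reply above

# Constructed sample: `df -Pk /tmp` on a small RAM disk and on an enlarged one.
SAMPLE_DF_SMALL='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/md0 39644 1200 35276 4% /tmp'
SAMPLE_DF_BIG='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/md0 507420 8 466820 1% /tmp'

# Constructed sample syslog lines (hostname, pids and inode numbers are made up).
SAMPLE_LOG='Jan  1 00:00:01 fw kernel: pid 4242 (php), uid 0 inumber 12 on /tmp: filesystem full
Jan  1 00:00:02 fw kernel: pid 4243 (tar), uid 0 inumber 15 on /tmp: filesystem full
Jan  1 00:00:03 fw kernel: pid 4250 (snort), uid 0 inumber 7 on /var: filesystem full'

# Read `df -Pk <path>` output on stdin and print the available space in whole MB.
avail_mb_from_df() {
    awk 'NR == 2 { print int($4 / 1024) }'
}

# Succeed only if the df output on stdin shows at least $1 MB available.
has_room_for_rules() {
    need_mb=${1:-$MIN_FREE_MB}
    have_mb=$(avail_mb_from_df)
    [ -n "$have_mb" ] && [ "$have_mb" -ge "$need_mb" ]
}

# Count "filesystem full" kernel messages for mount point $1 in log text on stdin.
count_fs_full() {
    grep -cF -- " on $1: filesystem full" || true
}

# Live check: free space now, plus past out-of-space events in the system log.
preflight() {
    dir=${1:-/tmp}
    log=${2:-/var/log/system.log}   # assumed log location
    if df -Pk "$dir" | has_room_for_rules; then
        echo "$dir: at least ${MIN_FREE_MB} MB free"
    else
        echo "$dir: under ${MIN_FREE_MB} MB free, rule downloads may be truncated"
    fi
    if [ -r "$log" ]; then
        echo "filesystem-full events for $dir: $(count_fs_full "$dir" < "$log")"
    fi
    return 0
}
```

Run `preflight /tmp` before a rules update; a non-zero event count next to an MD5 failure points at disk space rather than a bad download source.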
        • J
          jonrusk @bmeeks
          last edited by

          @bmeeks Yes and that appeared to be the issue. I increased the size of /tmp on RAM disk and Snort installed successfully. Thank you!

          bmeeksB 1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks @jonrusk
            last edited by

            @jonrusk said in snort install - rules md5 checksum failed:

            @bmeeks Yes and that appeared to be the issue. I increased the size of /tmp on RAM disk and Snort installed successfully. Thank you!

            Note that I don't recommend using RAM disks with either of the two IDS packages (Snort or Suricata). Most especially for /var where the log files are written. And not having enough free space on /tmp, as you experienced, leads to problems as well. Those two packages were not created with RAM disk usage in mind. They really want a spinning disk (or conventional SSD) with a fair amount of space for logging.

            1 Reply Last reply Reply Quote 1