Automated Snort rules update failing
-
Running pfSense v2.6.0 and Snort v4.1.6
I have Snort configured to check for rule updates daily at 9:00. I have noticed that the automated rule updates are failing consistently. However, manual rule updates work fine.
Is this a common issue?
Snort log below.
Starting rules update... Time: 2023-04-09 09:00:18
Downloading Snort Subscriber rules md5 file snortrules-snapshot-29200.tar.gz.md5...
Snort Subscriber rules md5 download failed.
Server returned error code 503.
Server error message was: 503 Service Unavailable
Snort Subscriber rules will not be updated.
Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
Snort OpenAppID detectors md5 download failed.
Server returned error code 503.
Server error message was: 503 Service Unavailable
Snort OpenAppID detectors will not be updated.
Downloading Snort AppID Open Text Rules md5 file appid_rules.tar.gz.md5...
Checking Snort AppID Open Text Rules md5 file...
Snort AppID Open Text Rules are up to date.
Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
Snort GPLv2 Community Rules md5 download failed.
Server returned error code 503.
Server error message was: 503 Service Unavailable
Snort GPLv2 Community Rules will not be updated.
Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
Checking Emerging Threats Open rules md5 file...
There is a new set of Emerging Threats Open rules posted.
-
I would try moving the update time a bit. Here is what HTTP error 503 means:
The HyperText Transfer Protocol (HTTP) 503 Service Unavailable server error response code indicates that the server is not ready to handle the request. Common causes are a server that is down for maintenance or that is overloaded.
Try sliding the update time to 9:05 maybe, or even an hour earlier or later and see if that helps.
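
An added example, not part of the original thread or of the Snort package: a Python parser that reads the update log from the first post and reports which rule sets failed with a retry-later HTTP status such as the 503 explained above. The function names and the set of status codes treated as transient are assumptions of this example.

```python
import re

# Update log text from the first post, joined into one string.
LOG = (
    "Starting rules update... Time: 2023-04-09 09:00:18 "
    "Downloading Snort Subscriber rules md5 file snortrules-snapshot-29200.tar.gz.md5... "
    "Snort Subscriber rules md5 download failed. Server returned error code 503. "
    "Server error message was: 503 Service Unavailable Snort Subscriber rules will not be updated. "
    "Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5... "
    "Snort OpenAppID detectors md5 download failed. Server returned error code 503. "
    "Server error message was: 503 Service Unavailable Snort OpenAppID detectors will not be updated. "
    "Downloading Snort AppID Open Text Rules md5 file appid_rules.tar.gz.md5... "
    "Checking Snort AppID Open Text Rules md5 file... Snort AppID Open Text Rules are up to date. "
    "Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... "
    "Snort GPLv2 Community Rules md5 download failed. Server returned error code 503. "
    "Server error message was: 503 Service Unavailable Snort GPLv2 Community Rules will not be updated. "
    "Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... "
    "Checking Emerging Threats Open rules md5 file... "
    "There is a new set of Emerging Threats Open rules posted."
)

# Every rule set's section opens with "Downloading <name> md5 file <file>..."
SECTION = re.compile(r"Downloading (?P<name>.+?) md5 file (?P<file>\S+?)\.\.\.")
CODE = re.compile(r"Server returned error code (\d{3})")
TRANSIENT = {"429", "502", "503", "504"}  # assumption: server-side, retry later

def summarize(log):
    """Return {rule set name: (status, HTTP code or None)} for one update run."""
    marks = list(SECTION.finditer(log))
    result = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(log)
        body = log[m.end():end]          # text belonging to this rule set only
        code = CODE.search(body)
        http = code.group(1) if code else None
        if "download failed" in body:
            status = "transient" if http in TRANSIENT else "failed"
        elif "up to date" in body:
            status = "current"
        elif "new set of" in body:
            status = "update-available"
        else:
            status = "unknown"
        result[m["name"]] = (status, http)
    return result

def needs_retry(log):
    """Rule sets whose failure points at the server, not at local configuration."""
    return sorted(n for n, (s, _) in summarize(log).items() if s == "transient")

if __name__ == "__main__":
    print(needs_retry(LOG))
```

A run in which every failure is transient while other downloads in the same run succeed points to load on the rules server rather than a local network or credential problem, which is the case where shifting the scheduled time helps.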
-
Thanks for the suggestion bmeeks! I'll give it a try and post the results here.
-
Just to close the loop, adjusting the download time appears to have corrected the issue.
-
@cannondale said in Automated Snort rules update failing:
Just to close the loop, adjusting the download time appears to have corrected the issue.
Thanks for the feedback. The Snort team host their rules package on Amazon Web Services infrastructure. The rules download URL will automatically redirect to an AWS site. Sometimes the site can become overloaded, or you may happen to hit it at the instant the Snort servers are being updated with new files.
A few years back I modified the automatic rules update task in Snort to choose a random number of seconds past the hour and minute chosen by the user as the start time. That was at the request of the Snort team in an attempt to help spread out load. There are thousands and thousands of pfSense Snort users out there, and originally most of them were hitting the rules server at the same time and clogging it up. Spreading out the rules update start times by randomizing them a bit helped, but may not have completely avoided the issue.
-
Thanks for the additional information bmeeks! I did check the documentation on Rules Update Settings and didn't see anything about altering the time if scheduled rule updates fail.
It's documented here now so hopefully it will help others.