New snort issues - no emerging threats download



  • Updated snort today to v2.2.3, but a new issue came up: No emerging threats are downloaded. Therefore snort refuses to start.

    local/etc/snort/snort_16197_pppoe0/rules/emerging-activex.rules": No such file or directory.
    Jul  7 09:02:52 pf snort[59551]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_16197_pppoe0//usr/local/etc/snort/snort_16197_pppoe0/rules/emerging-activex.rules": No such file or directory.
    Jul  7 09:02:52 pf SnortStartup[59843]: Interface Rule START for 0_16197_pppoe0…



  • Did you reload the rules (Services: Snort: Updates: Update Rules)?



  • … after updating to v2.2.3 my emerging threats rules are gone as well.



  • +1



  • @Fesoj:

    … after updating to v2.2.3 my emerging threats rules are gone as well.

    +1 same issue here.  Seems snort is becoming quite a train wreck.  can't recall when it last functioned reliably.



  • I also started having problems with Emerging Threats rules not downloading with the latest version of Snort that was posted yesterday afternoon.  After a bit of digging around in the PHP files, I found the problem.  The issue exists in four places; two occurrences in two files.

    Here is the offending line of code from /usr/local/pkg/snort/snort_check_for_rule_updates.php.  This is on Line 132:

    $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz.md5');
    

    The problem is single quotes were used to delimit the URL string instead of double quotes.  The corrected Line 132 is shown below:

    $image = @file_get_contents("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz.md5");
    

    The same problem is repeated a bit further down in the same file at Line 269 as shown below:

    download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}");
    

    The first string in that line (the URL) should be delimited with double quotes instead of single quotes.  The corrected Line 269 is shown below.

    download_file_with_progress_bar("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}");
    

    These same two typos are present on Line 184 and Line 328 in the file /usr/local/www/snort/snort_download_rules.php.  Making the corrections above in both files fixed the Emerging Threats problem for me.



  • I can confirm that it was a string interpolation problem.

    When blocking is enabled, the associated interface crashes with the following system log entry:

    snort[60245]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device



  • Thanks to bmeeks for the suggested fix.  It resolved my issue too where emerging threats rules failed to update with the latest build of snort.  At this point, I'm afraid to ever update again  :-\



  • @Fesoj:

    When blocking is enabled, the associated interface crashes with the following system log entry:

    snort[60245]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device

    I seem to receive the same error, but infrequently.  Snort crashes and stops on the error.  It does not happen for me on all blocks.  I have a number of rules that alert and block just fine.  However, apparently there is some rule that is triggered now and then that causes the crash.  I have not tried to identify it yet.



  • 2.2.4 version corrects upgrade and cleans it up to be more easy to manage.
    Please open a different thread for the ioctl.


Locked