Netgate Discussion Forum

    New snort issues - no emerging threats download

    • _
      _igor_
      last edited by

      Updated snort today to v2.2.3, but a new issue came up: No emerging threats are downloaded. Therefore snort refuses to start.

      local/etc/snort/snort_16197_pppoe0/rules/emerging-activex.rules": No such file or directory.
      Jul  7 09:02:52 pf snort[59551]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_16197_pppoe0//usr/local/etc/snort/snort_16197_pppoe0/rules/emerging-activex.rules": No such file or directory.
      Jul  7 09:02:52 pf SnortStartup[59843]: Interface Rule START for 0_16197_pppoe0…

      1 Reply Last reply Reply Quote 0
      • F
        Fesoj
        last edited by

        Did you reload the rules (Services: Snort: Updates: Update Rules)?

        1 Reply Last reply Reply Quote 0
        • F
          Fesoj
          last edited by

          … after updating to v2.2.3 my emerging threats rules are gone as well.

          1 Reply Last reply Reply Quote 0
          • W
            wayner
            last edited by

            +1

            1 Reply Last reply Reply Quote 0
            • M
              miles267
              last edited by

              @Fesoj:

              … after updating to v2.2.3 my emerging threats rules are gone as well.

              +1 same issue here.  Seems snort is becoming quite a train wreck.  Can't recall when it last functioned reliably.

              1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks
                last edited by

                I also started having problems with Emerging Threats rules not downloading with the latest version of Snort that was posted yesterday afternoon.  After a bit of digging around in the PHP files, I found the problem.  The issue exists in four places; two occurrences in two files.

                Here is the offending line of code from /usr/local/pkg/snort/snort_check_for_rule_updates.php.  This is on Line 132:

                $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz.md5');
                

                The problem is single quotes were used to delimit the URL string instead of double quotes.  The corrected Line 132 is shown below:

                $image = @file_get_contents("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz.md5");
                

                The same problem is repeated a bit further down in the same file at Line 269 as shown below:

                download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}");
                

                The first string in that line (the URL) should be delimited with double quotes instead of single quotes.  The corrected Line 269 is shown below.

                download_file_with_progress_bar("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}");
                

                These same two typos are present on Line 184 and Line 328 in the file /usr/local/www/snort/snort_download_rules.php.  Making the corrections above in both files fixed the Emerging Threats problem for me.

                1 Reply Last reply Reply Quote 0
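Added example, not part of bmeeks's post and not code from the Snort package: a small PHP lint that uses the tokenizer to find single-quoted string literals containing a `{$name}` placeholder, the pattern behind the four bad lines described above. The function name `find_uninterpolated_placeholders`, the embedded sample source and the version value `X.Y.Z` are constructed for illustration.

```php
<?php
// Added example: flag single-quoted PHP strings that contain "{$name}".
// PHP only expands {$name} inside double-quoted strings and heredocs, so a
// single-quoted URL is passed to the HTTP client with the braces left in it.

/**
 * Return [line, literal] pairs for every single-quoted string literal in
 * $source that contains a {$variable} placeholder.
 */
function find_uninterpolated_placeholders(string $source): array
{
    $hits = [];
    foreach (token_get_all($source) as $token) {
        if (!is_array($token)) {
            continue; // single-character tokens such as ';' carry no line info
        }
        [$id, $text, $line] = $token;
        // T_CONSTANT_ENCAPSED_STRING covers 'literal' and "literal" strings
        // that have no interpolation; only the single-quoted form is suspect.
        if ($id === T_CONSTANT_ENCAPSED_STRING
            && $text[0] === "'"
            && preg_match('/\{\$[A-Za-z_]\w*/', $text)) {
            $hits[] = [$line, $text];
        }
    }
    return $hits;
}

// Constructed sample: one broken and one corrected assignment, modelled on
// the lines quoted in the post. The version value is a placeholder.
$sample = <<<'SRC'
<?php
$emerging_threats_version = "X.Y.Z";
$md5_url = 'http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz.md5';
$tgz_url = "http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz";
SRC;

foreach (find_uninterpolated_placeholders($sample) as [$line, $literal]) {
    echo "line {$line}: placeholder inside single quotes: {$literal}\n";
}

// Runtime effect of the two quoting styles on the same text.
$emerging_threats_version = 'X.Y.Z'; // placeholder value
var_dump('snort-{$emerging_threats_version}/'); // braces and name kept as-is
var_dump("snort-{$emerging_threats_version}/"); // variable expanded
```

Because the call on Line 132 is prefixed with `@`, a failed fetch of the literal URL raises no PHP warning, so a source-level check of this kind is a practical way to catch the typo before release.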
                • F
                  Fesoj
                  last edited by

                  I can confirm that it was a string interpolation problem.

                  When blocking is enabled, the associated interface crashes with the following system log entry:

                  snort[60245]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device

                  1 Reply Last reply Reply Quote 0
                  • M
                    miles267
                    last edited by

                    Thanks to bmeeks for the suggested fix.  It resolved my issue too where emerging threats rules failed to update with the latest build of snort.  At this point, I'm afraid to ever update again  :-\

                    1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks
                      last edited by

                      @Fesoj:

                      When blocking is enabled, the associated interface crashes with the following system log entry:

                      snort[60245]: FATAL ERROR: s2c_pf_block() => ioctl() DIOCRADDADDRS: Inappropriate ioctl for device

                      I seem to receive the same error, but infrequently.  Snort crashes and stops on the error.  It does not happen for me on all blocks.  I have a number of rules that alert and block just fine.  However, apparently there is some rule that is triggered now and then that causes the crash.  I have not tried to identify it yet.

                      1 Reply Last reply Reply Quote 0
                      • E
                        eri--
                        last edited by

                        Version 2.2.4 corrects the upgrade and cleans it up to be easier to manage.
                        Please open a different thread for the ioctl.

                        1 Reply Last reply Reply Quote 0
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.