Snort GPLv2 community rules expected MD5 checksum blank.



  • I am having difficulties downloading the GPLv2 Community rules on Snort 2.9.4.6 pkg v. 2.5.9 running on pfSense 2.0.2.  I just installed the Snort package, and upon trying to download the community rules I first encounter the fact that if only the community rules are selected and I go to update, it says I must select a set of rules.  If I select both the emerging threats and the community rules, I get an error that the community rules checksum failed and the following message in the log.  The emerging threats rules install fine.

    Downloading Snort GPLv2 Community Rules md5 file…
    Checking Snort GPLv2 Community Rules md5.
    There is a new set of Snort GPLv2 Community Rules posted. Downloading...
    Snort GPLv2 Community Rules file download failed.  Community Rules will not be updated.
    Downloaded Snort GPLv2 file MD5: 0cd176c56e9df4d4ed5780cf8a64c8ab
    Expected Snort GPLv2 file MD5:

    The Rules update has finished.  Time: 2013-08-22 18:40:37

    I have tried using the re-install option, also completely removing and then re-installing the package.  I have tried waiting several hours before updating again with no success.  I have a second pfSense firewall on 2.0.3 running the same Snort package version updating the rules fine, so it does not seem to be an issue with anything besides this particular firewall.  I have seen the walkthrough for installing the rules manually, but it stated that was for the old version and was posted in 2009, I believe.

    Does anyone have any suggestions for me to get this working?



  • Is there a reason you cannot update the problem firewall to version 2.0.3?  There are some differences in the versions, and the last two Snort package updates have been aimed at 2.0.3 and higher.  It is very possible the latest Snort package is making a call to a pfSense core function that is maybe different in 2.0.3 as opposed to 2.0.2.

    Bill



  • @bmeeks:

    Is there a reason you cannot update the problem firewall to version 2.0.3?  There are some differences in the versions, and the last two Snort package updates have been aimed at 2.0.3 and higher.  It is very possible the latest Snort package is making a call to a pfSense core function that is maybe different in 2.0.3 as opposed to 2.0.2.

    Bill

    Thanks for the suggestion, I did not realize the latest package was intended for 2.0.3.  I will be trying this out as soon as possible and will report back.



  • @Fumbles:

    Thanks for the suggestion, I did not realize the latest package was intended for 2.0.3.  I will be trying this out as soon as possible and will report back.

    Oh…and one other thing I forgot to mention.  Make sure that for some reason Snort or something else has not blocked the Amazon S3 web services site the GPLv2 rules download from.  Have you verified that you can download the rules manually on the firewall using this URL?

    https://s3.amazonaws.com/snort-org/www/rules/community/

    Bill



  • Long delay in getting back, had to wait for approval to update the firewall.  After updating to pfSense 2.0.3 it is updating the community rules perfectly fine.



  • @Fumbles:

    Long delay in getting back, had to wait for approval to update the firewall.  After updating to pfSense 2.0.3 it is updating the community rules perfectly fine.

    Thanks for the feedback.

    Bill



  • I'm having the same issue here on a fresh install of pfSense 2.1-Release (amd64).  Reinstalled using the LiveCD earlier today.  Snort version is 2.9.4.6 pkg v. 2.6.0.

    Here is the update log:

    Starting rules update...  Time: 2013-10-22 01:35:38
    	Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'...
    	Checking Snort VRT md5 file...
    	Snort VRT rules are up to date.
    	Downloading Snort GPLv2 Community Rules md5 file 'community-rules.tar.gz.md5'...
    	Checking Snort GPLv2 Community Rules md5.
    	There is a new set of Snort GPLv2 Community Rules posted.
    	Downloading file 'community-rules.tar.gz'...
    	Snort GPLv2 Community Rules file download failed.  Community Rules will not be updated.
    	Downloaded Snort GPLv2 file MD5: ab0cccfa35521644db9fcad742424748
    	Expected Snort GPLv2 file MD5: 
    
    	Downloading EmergingThreats md5 file 'emerging.rules.tar.gz.md5'...
    	Checking EmergingThreats md5.
    	Emerging Threats rules are up to date.
    The Rules update has finished.  Time: 2013-10-22 01:35:40
    

    Bill, I tried going to the s3.amazonaws.com link you posted earlier, and it reports the following:

    <error>
      <code>NoSuchKey</code>
      <message>The specified key does not exist.</message>
      <key>www/rules/community/</key>
      <requestid>D3BA1644E61E45D6</requestid>
      <hostid>5okCu9GW2t1rmGIBv3H2i83YqrBRmvTe+37Fq0cdJa9WJTvqjRC3YQmie8tL/pLL</hostid>
    </error>
    

    Any thoughts?

    Thanks so much in advance, and thank you for all you do contributing to this package.
    -Greg



  • @gregg1ep00:

    I'm having the same issue here on a fresh install of pfSense 2.1-Release (amd64).  Reinstalled using the LiveCD earlier today.  Snort version is 2.9.4.6 pkg v. 2.6.0.

    Any thoughts?

    Thanks so much in advance, and thank you for all you do contributing to this package.
    -Greg

    Let me take a look.  I don't use the Community Rules since I have a paid subscription.  I can check one of my test VMs to see what's going on.  Could be the URL changed or something.  I hope that's not it, though, because that is currently hard-coded in the PHP code.

    Bill



  • One of my test virtual machines I leave running all the time downloaded the latest Snort GPLv2 Community Rules just fine today.  Here is the log file entry from the update:

    Starting rules update...  Time: 2013-10-22 15:15:01
    	Downloading Snort VRT md5 file 'snortrules-snapshot-2955.tar.gz.md5'...
    	Checking Snort VRT md5 file...
    	There is a new set of Snort VRT rules posted.
    	Downloading file 'snortrules-snapshot-2955.tar.gz'...
    	Done downloading rules file.
    	Downloading Snort GPLv2 Community Rules md5 file 'community-rules.tar.gz.md5'...
    	Checking Snort GPLv2 Community Rules md5.
    	There is a new set of Snort GPLv2 Community Rules posted.
    	Downloading file 'community-rules.tar.gz'...
    	Done downloading Snort GPLv2 Community Rules file.
    	Extracting and installing Snort GPLv2 Community Rules...
    	Installation of Snort GPLv2 Community Rules completed.
    	Downloading Emerging Threats Pro md5 file 'etpro.rules.tar.gz.md5'...
    	Checking Emerging Threats Pro md5.
    	Emerging Threats Pro rules are up to date.
    	Extracting and installing Snort VRT rules...
    	Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
    	Installation of Snort VRT rules completed.
    	Copying new config and map files...
    	Updating rules configuration for: WAN ...
    	Updating rules configuration for: LAN ...
    	Restarting Snort to activate the new set of rules...
    	Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2013-10-22 15:15:59
    
    

    So it looks like things are OK, or at least they were at 15:15 U.S. Eastern Time today.

    INFO:  An astute review of the log file above will reveal this test VM downloaded the Snort 2.9.5.5 rules package.  That's because it is loaded with the newest Snort package version I have running on pfSense in test mode.  Hope to release this update to the public early in November.  It has lots of new capability in the preprocessors area plus a few cosmetic tweaks in the GUI.  It will be Snort 2.9.5.5 pkg v.3.0.0 when released.

    Bill



  • You're right, I just looked and it downloaded.  Must have been a hiccup.

    Thanks so much for the quick response.  Sorry it ended up being nothing (but then again, very glad it was nothing).  ;D



  • @gregg1ep00:

    You're right, I just looked and it downloaded.  Must have been a hiccup.

    Thanks so much for the quick response.  Sorry it ended up being nothing (but then again, very glad it was nothing).  ;D

    I tried to make the newest rules update code as robust as possible.  It will try 4 times, with a 15-second pause in between each try, before it gives up completely and bails on any given ruleset to move on to the next one.  The idea was to get past any temporary Internet glitches.  Of course if the site is unavailable for more than 60 seconds, those rules will not download until the next scheduled update.

    Bill
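
The retry behaviour described in the last post (up to 4 tries, 15 seconds apart) combined with the blank "Expected ... MD5" lines in the logs above, as an added Python example that is not the Snort package's PHP code. All function names, the `flaky_server` test double and the error-page bytes are constructed for illustration; here an unusable `.md5` response is reported as its own error instead of being compared as a blank checksum.

```python
import hashlib
import re
import time

class RuleUpdateError(Exception):
    """A ruleset could not be fetched and verified."""

def parse_md5_file(body):
    """Return the 32-hex-digit digest that starts a .md5 file body, or '' if none."""
    m = re.fullmatch(rb"\s*([0-9a-fA-F]{32})\b.*", body, re.S)
    return m.group(1).decode().lower() if m else ""

def fetch_with_retry(fetch, url, tries=4, pause=15, sleep=time.sleep):
    """Call fetch(url) up to `tries` times, sleeping `pause` seconds between tries."""
    last = "no attempt made"
    for attempt in range(1, tries + 1):
        try:
            body = fetch(url)
            if body:
                return body
            last = "empty response"
        except OSError as exc:  # network-level failure; worth retrying
            last = str(exc)
        if attempt < tries:
            sleep(pause)
    raise RuleUpdateError(f"gave up on {url} after {tries} tries: {last}")

def download_verified(fetch, base_url, name, **retry):
    """Fetch <name>.md5 and <name>; return the archive only if the digests match."""
    md5_body = fetch_with_retry(fetch, base_url + name + ".md5", **retry)
    expected = parse_md5_file(md5_body)
    if not expected:
        # An error page is not a checksum; never compare against a blank value.
        raise RuleUpdateError(f"no usable MD5 in {name}.md5")
    archive = fetch_with_retry(fetch, base_url + name, **retry)
    actual = hashlib.md5(archive).hexdigest()
    if actual != expected:
        raise RuleUpdateError(f"MD5 mismatch for {name}: {actual} != {expected}")
    return archive

def flaky_server(files, failures):
    """Constructed test double: fails `failures` times, then serves `files`."""
    state = {"left": failures}
    def fetch(url):
        if state["left"] > 0:
            state["left"] -= 1
            raise OSError("simulated timeout")
        return files.get(url, b"<Error><Code>NoSuchKey</Code></Error>")
    return fetch
```

Passing `sleep=` a recording function, as the test double allows, makes the 15-second pauses observable without waiting for them.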

