Snort can't download Snort VRT Rules [solved]



  • Hello there!

    New to pfSense (just installed for the first time yesterday). So far it's running great.

    I've also installed Snort, and seem to have an issue downloading Snort VRT Rules. The following is the output of the log:

    Starting rules update…  Time: 2014-07-09 19:02:31
    Downloading Snort VRT rules md5 file snortrules-snapshot-2960.tar.gz.md5...
    Snort VRT rules md5 download failed.
    Server returned error code 422.
    Server error message was:
    Snort VRT rules will not be updated.

    I also noticed that Snort has gone through a facelift today (July 9th)… according to their blog anyway. http://blog.snort.org/

    Is anyone else facing the same issue? I noticed some of their pages don't work either.

    Thanks!


  • Moderator

    Hello dmitripr,

    With Snort's re-organization, they moved some of the URLs around. I think they have since fixed this issue.

    But we might have to adjust the URL in the future as I am not sure how long the old URL will continue to be accessible.

    http://seclists.org/snort/2014/q3/121

    EDIT:

    If it still fails, try a "FORCE" update.



  • I checked this morning and it started working. Must have been a glitch due to their recent changes.

    Thanks!



  • @BBcan177:

    Hello dmitripr,

    With Snort's re-organization, they moved some of the URLs around. I think they have since fixed this issue.

    But we might have to adjust the URL in the future as I am not sure how long the old URL will continue to be accessible.

    http://seclists.org/snort/2014/q3/121

    EDIT:

    If it still fails, try a "FORCE" update.

    I will keep an eye on this and adjust the package URL as necessary.  Will be starting work on updating to 2.9.6.1 any day now.  I can include any URL changes in the new release.

    Bill



  • I was getting the same 422 error last night but this morning it was working for me as well. I assume they were just making some changes on their end.



  • Mine still refuses to download the paid subscription rules right now in Suricata. In Snort there doesn't seem to be this problem  :o

    Is there perhaps a way to manually set the new update URL somewhere?

    Thank you  :P



  • @Hollander:

    Mine still refuses to download the paid subscription rules right now in Suricata. In Snort there doesn't seem to be this problem  :o

    Is there perhaps a way to manually set the new update URL somewhere?

    Thank you  :P

    You can manually edit this file:  /usr/local/pkg/suricata/suricata.inc

    Look for this line near the top of the file:  define('VRT_DNLD_FILENAME', 'snortrules-snapshot-edge.tar.gz');

    This is the filename it downloads.

    To change the URL, edit this file: /usr/local/www/suricata/suricata_check_for_rule_updates.php

    Look for these lines near the top:
    if (!defined("VRT_DNLD_URL"))
        define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/");

    This is the URL it downloads from.

    EDIT UPDATE
    Just took a look at the Snort.org web site and they have really changed things up since I last signed in.  Both Snort and Suricata will need a little tweaking to work going forward.  Looks like the snort_edge rules I was using for Suricata are completely gone now on the new site.  So the Suricata file will need to be edited as I indicated above and the filename changed.  I will work on a quick update and submit a Pull Request in the next few days.

    Bill
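    A small POSIX sh helper for the two manual edits described in this post, added here as an example (it is not code from the pfSense Snort or Suricata packages). It assumes the define() lines look exactly as quoted above; the replacement filename and URL are passed as arguments, since the thread does not say what snort.org changed them to.

```shell
#!/bin/sh
# Added example, not pfSense package code: rewrite one define('NAME', '...')
# line in the files named in this thread, keeping a .bak copy and refusing
# to touch a file that does not contain exactly one such define.
# Usage (values are placeholders; use what snort.org currently publishes):
#   set_define /usr/local/pkg/suricata/suricata.inc VRT_DNLD_FILENAME snortrules-snapshot-NEW.tar.gz
#   set_define /usr/local/www/suricata/suricata_check_for_rule_updates.php VRT_DNLD_URL https://example.invalid/rules/

# get_define FILE NAME -> prints the current value of define('NAME', 'value')
get_define() {
    sed -n "s#.*define(\(['\"]\)$2\1, *\(['\"]\)\([^'\"]*\)\2).*#\3#p" "$1"
}

# set_define FILE NAME VALUE -> rewrites the value, preserving the quoting style.
# VALUE must not contain '#', '&' or quotes (they are sed/regex specials here).
set_define() {
    sd_file=$1; sd_name=$2; sd_value=$3
    if [ ! -f "$sd_file" ]; then
        echo "set_define: $sd_file does not exist" >&2
        return 1
    fi
    # The 'if (!defined("NAME"))' guard line does not match: 'define(' must be
    # followed directly by a quote.
    sd_count=$(grep -c "define(['\"]$sd_name['\"]" "$sd_file" || :)
    if [ "$sd_count" -ne 1 ]; then
        echo "set_define: expected exactly one define of $sd_name in $sd_file, found $sd_count" >&2
        return 1
    fi
    cp "$sd_file" "$sd_file.bak"
    sed "s#define(\(['\"]\)$sd_name\1, *\(['\"]\)[^'\"]*\2)#define(\1$sd_name\1, \2$sd_value\2)#" \
        "$sd_file.bak" > "$sd_file"
    # Confirm the rewrite actually landed before reporting success.
    [ "$(get_define "$sd_file" "$sd_name")" = "$sd_value" ]
}
```

    Run it as root on the pfSense box; the .bak copy lets you revert if the package update Bill mentions later overwrites or conflicts with the hand edit.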



  • @bmeeks:

    @Hollander:

    Mine still refuses to download the paid subscription rules right now in Suricata. In Snort there doesn't seem to be this problem  :o

    Is there perhaps a way to manually set the new update URL somewhere?

    Thank you  :P

    You can manually edit this file:  /usr/local/pkg/suricata/suricata.inc

    Look for this line near the top of the file:  define('VRT_DNLD_FILENAME', 'snortrules-snapshot-edge.tar.gz');

    This is the filename it downloads.

    To change the URL, edit this file: /usr/local/www/suricata/suricata_check_for_rule_updates.php

    Look for these lines near the top:
    if (!defined("VRT_DNLD_URL"))
        define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/");

    This is the URL it downloads from.

    EDIT UPDATE
    Just took a look at the Snort.org web site and they have really changed things up since I last signed in.  Both Snort and Suricata will need a little tweaking to work going forward.  Looks like the snort_edge rules I was using for Suricata are completely gone now on the new site.  So the Suricata file will need to be edited as I indicated above and the filename changed.  I will work on a quick update and submit a Pull Request in the next few days.

    Bill

    Thank you very much, Bill, I'll look forward to your update  ;D

    Bill, on another note, could I ask: did you happen to see what your fellow-hero Jflsakfja wrote in this thread:

    https://forum.pfsense.org/index.php?topic=78062.msg427132#msg427132

    Note to bmeeks: Pretty please bring back the old way of handling manually disabled rules. Manually disabling a rule from either the alerts tab or the rules page should turn the rule into a manually disabled rule (pale yellow). Currently the rules page turns it into the rule's default state. This is NOT recommended when using this list. Having both set to manually disabled allows the list to be used as it was meant to be used. Enable all, then find the 10 that need to be disabled, disable them, and apply. Rinse, repeat.

    This morning I started with disabling some Suricata rules, and then understood what Jfl meant; it appears something has changed since the old way of working, and it is indeed more cumbersome now: you have to click twice instead of once to disable a rule (and then wait until pfSense is ready again). And with so many rules to disable (Jfl's tutorial), that is not really very comfortable  :-[

    Could you be persuaded to switch it back to the old way of working?

    Thank you  ;D



  • @Hollander:

    @bmeeks:

    @Hollander:

    Mine still refuses to download the paid subscription rules right now in Suricata. In Snort there doesn't seem to be this problem  :o

    Is there perhaps a way to manually set the new update URL somewhere?

    Thank you  :P

    You can manually edit this file:  /usr/local/pkg/suricata/suricata.inc

    Look for this line near the top of the file:  define('VRT_DNLD_FILENAME', 'snortrules-snapshot-edge.tar.gz');

    This is the filename it downloads.

    To change the URL, edit this file: /usr/local/www/suricata/suricata_check_for_rule_updates.php

    Look for these lines near the top:
    if (!defined("VRT_DNLD_URL"))
        define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/");

    This is the URL it downloads from.

    EDIT UPDATE
    Just took a look at the Snort.org web site and they have really changed things up since I last signed in.  Both Snort and Suricata will need a little tweaking to work going forward.  Looks like the snort_edge rules I was using for Suricata are completely gone now on the new site.  So the Suricata file will need to be edited as I indicated above and the filename changed.  I will work on a quick update and submit a Pull Request in the next few days.

    Bill

    Thank you very much, Bill, I'll look forward to your update  ;D

    Bill, on another note, could I ask: did you happen to see what your fellow-hero Jflsakfja wrote in this thread:

    https://forum.pfsense.org/index.php?topic=78062.msg427132#msg427132

    Note to bmeeks: Pretty please bring back the old way of handling manually disabled rules. Manually disabling a rule from either the alerts tab or the rules page should turn the rule into a manually disabled rule (pale yellow). Currently the rules page turns it into the rule's default state. This is NOT recommended when using this list. Having both set to manually disabled allows the list to be used as it was meant to be used. Enable all, then find the 10 that need to be disabled, disable them, and apply. Rinse, repeat.

    This morning I started with disabling some Suricata rules, and then understood what Jfl meant; it appears something has changed since the old way of working, and it is indeed more cumbersome now: you have to click twice instead of once to disable a rule (and then wait until pfSense is ready again). And with so many rules to disable (Jfl's tutorial), that is not really very comfortable  :-[

    Could you be persuaded to switch it back to the old way of working?

    Thank you  ;D

    Yes, I can see about bringing back the old behavior.  But I also want to at least include a mechanism for resetting any forced rules back to their default state with "no color".  So that probably means another icon on the page.  I will try out some ideas.

    Bill



  • @bmeeks:

    Yes, I can see about bringing back the old behavior.  But I also want to at least include a mechanism for resetting any forced rules back to their default state with "no color".  So that probably means another icon on the page.  I will try out some ideas.

    Bill

    Heroes will remain Heroes  ;D



  • Hi!
    I have been unable to download VRT-rules since July 10. I run three different machines, and one of them, with paid Subscriber rules, gets error code 422. The other two with free Registered User rules work fine.

    Jonna



  • @jonna99:

    Hi!
    I have been unable to download VRT-rules since July 10. I run three different machines, and one of them, with paid Subscriber rules, gets error code 422. The other two with free Registered User rules work fine.

    Jonna

    My paid VRT downloads still work.  Are you positive that your subscription is still current?  Just checking… ;).

    I had one failure of the paid VRT download during the window when the Snort group had web site issues, but since those were fixed several days ago I've not had any other problems.

    Bill



    Yes, thanks :-) it is paid for about another 6 months, so that shouldn't be the problem. Tried un- and reinstalling the Snort package, but no, it doesn't work.
    I read that there will be an upgrade to 2.9.6.1 soon, so I guess I just have to wait and see if that will fix it.

    Jonna



  • @jonna99:

    Yes, thanks :-) it is paid for about another 6 months, so that shouldn't be the problem. Tried un- and reinstalling the Snort package, but no, it doesn't work.
    I read that there will be an upgrade to 2.9.6.1 soon, so I guess I just have to wait and see if that will fix it.

    Jonna

    One other thing – try deleting and re-adding your Oink code on the paid rules box just in case it got corrupted.  And you do have two different Oink codes, I assume:  one for the paid subscription and another for the free registered user subscription.

    One other question -- are you using the current Snort 2.9.6.0 pkg v3.0.13 version?

    Bill



    Yes, different Oink codes. It works with the free subscription but not with the paid one… I have sent a question to Snort.org but still haven't got an answer. I guess it must have to do with my subscription. We will see. And yes, 2.9.6.0 pkg v3.0.13 confirmed.
    Thanks for trying to help.
    Jonna



  • @jonna99:

    Yes, different Oink codes. It works with the free subscription but not with the paid one… I have sent a question to Snort.org but still haven't got an answer. I guess it must have to do with my subscription. We will see. And yes, 2.9.6.0 pkg v3.0.13 confirmed.
    Thanks for trying to help.
    Jonna

    OK.  I really wonder if it might be something weird with your code.  Mine works, and so far as I know, most everyone else's here on the Forum works now or I would expect a ton of posts.  Post back with any update.

    Bill



    Yes, there was a problem with the paid account. After resetting and getting a new Oink code it works again.
    Thanks again.
    Jonna



    Snort 2.9.6.2 pkg v3.1 is now available under package downloads.

    After I updated Snort, my VRT rules downloaded.



  • @propel:

    Snort 2.9.6.2 pkg v3.1 is now available under package downloads.

    After I updated Snort, my VRT rules downloaded.

    The new version addresses the URL change at snort.org and also the older rules went EOL yesterday.

    Bill



  • How do I get the new version?  The only package available to me is 2.9.6.0 pkg v3.0.13

    I don't seem to be able to use 2.9.6.3 via the GUI.



  • @thewellington:

    How do I get the new version?  The only package available to me is 2.9.6.0 pkg v3.0.13

    I don't seem to be able to use 2.9.6.3 via the GUI.

    This tells me you are probably running an older version of pfSense (like 2.0.x something).  Versions older than 2.1 are no longer supported as the underlying binary packages required for 2.0.x pfSense are no longer being built by the pfSense team.

    If this is the case for you, then you need to upgrade to at least pfSense 2.1 or higher to use the latest Snort package.

    Bill



  • Yeah…  except that I am running 2.1.4 :(

    This seems to be affecting both Netgate appliances I have... APU2 and a 7541

    Bill



  • @thewellington:

    Yeah…  except that I am running 2.1.4 :(

    This seems to be affecting both Netgate appliances I have... APU2 and a 7541

    Bill

    OK, the fact you have Netgate devices gives me a possible clue. I believe (but I don't know for sure) they may have a separate updates infrastructure for Netgate devices to maintain compatibility with their hardware.  If my guess is true, it may be their repository has not yet synchronized with the latest version.  If you have a support contract, give them this info and see if they can help.  If not, perhaps you can ping one of the pfSense developers who frequent this forum.

    Bill



  • Hi…
    I am also facing this problem. I am using:
    pfSense 2.0.1
    Snort 2.9.6.2 pkg v3.1.4 (using the free oinkcode)

    The error log says:

    Starting rules update...  Time: 2014-11-10 10:33:28
    Downloading Snort VRT rules md5 file snortrules-snapshot-2923.tar.gz.md5...
    Snort VRT rules md5 download failed.
    Server returned error code 422.
    Server error message was:
    Snort VRT rules will not be updated.

    ...anyone know what the problem is?
    I also tried registering a different account for an oinkcode, but it still shows the error...
    Thanks



  • @ypmict:

    Hi…
    I am also facing this problem. I am using:
    pfSense 2.0.1
    Snort 2.9.6.2 pkg v3.1.4 (using the free oinkcode)

    The error log says:

    Starting rules update...  Time: 2014-11-10 10:33:28
    Downloading Snort VRT rules md5 file snortrules-snapshot-2923.tar.gz.md5...
    Snort VRT rules md5 download failed.
    Server returned error code 422.
    Server error message was:
    Snort VRT rules will not be updated.

    ...anyone know what the problem is?
    I also tried registering a different account for an oinkcode, but it still shows the error...
    Thanks

    Snort is no longer supported on pfSense versions older than 2.1.  You say you are running 2.0.1, so Snort is now broken and unsupported on that version.  You should upgrade your pfSense to version 2.1.5.

    Bill

