Netgate Discussion Forum

    Snort VRT rule issues in Snort & Suricata – "Server returned error code 422."

      doktornotor Banned

      @G.D.:

      Snort free rules are not downloading since June 16th.

      I just downloaded them 60 minutes ago.  MD5: 55718e94de95408ec54566dcb993c67c. You are downloading a nonexistent snapshot.

        G.D. Wusser Esq.

        @doktornotor:

        @G.D.:

        Snort free rules are not downloading since June 16th.

        I just downloaded them 60 minutes ago.  MD5: 55718e94de95408ec54566dcb993c67c. You are downloading a nonexistent snapshot.

        Thanks. What do I need to tweak to fix this?
        pfSense 2.1.5-RELEASE (amd64)
        Snort 2.9.7.0 pkg v3.2.3

          doktornotor Banned

          @G.D.:

          Thanks. What do I need to tweak to fix this?
          pfSense 2.1.5-RELEASE (amd64)
          Snort 2.9.7.0 pkg v3.2.3

          The current package version is 3.2.5 on 2.2.x and 2.9.7.2 pkg v3.2.4 on 2.1.x

            G.D. Wusser Esq.

            Upgraded to 2.9.7.2 and it seems to have fixed the issue.

            
            Starting rules update...  Time: 2015-07-01 12:42:38
            	Downloading Snort VRT rules md5 file snortrules-snapshot-2972.tar.gz.md5...
            	Checking Snort VRT rules md5 file...
            	There is a new set of Snort VRT rules posted.
            	Downloading file 'snortrules-snapshot-2972.tar.gz'...
            	Done downloading rules file.
            	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
            	Checking Emerging Threats Open rules md5 file...
            	There is a new set of Emerging Threats Open rules posted.
            	Downloading file 'emerging.rules.tar.gz'...
            	Done downloading rules file.
            	Extracting and installing Snort VRT rules...
            	Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
            	Installation of Snort VRT rules completed.
            	Extracting and installing Emerging Threats Open rules...
            	Installation of Emerging Threats Open rules completed.
            	Copying new config and map files...
            	Updating rules configuration for: WAN ...
            	Updating rules configuration for: LAN ...
            The Rules update has finished.  Time: 2015-07-01 12:46:15
            
            

            So, what happened, they retired the 2.9.7.0 version? I hope 2.9.7.2 stays working, as this seems to be the last version for pfSense 2.1.5…

            Thanks!

              bmeeks

              @G.D.:

              Upgraded to 2.9.7.2 and it seems to have fixed the issue.

              So, what happened, they retired the 2.9.7.0 version? I hope 2.9.7.2 stays working, as this seems to be the last version for pfSense 2.1.5…

              Thanks!

              Yes, the Snort Team has a life cycle program for each version of Snort, and the Snort rules packages are tied to specific versions of the Snort binary.  So 2.9.7.0 has gone EOL along with its rules tarball.  The current Snort version is 2.9.7.3.

              Due to other life cycle issues with FreeBSD 8.3 (which is the code base for pfSense 2.1 and earlier), new packages no longer compile properly for pfSense 2.1.x.  So that's why Snort is frozen at 2.9.7.2 on pfSense 2.1.  You need to bite the bullet and upgrade to pfSense 2.2.x, otherwise Snort will eventually stop working on 2.1.x pfSense (because you won't be able to get new rules updates).

              Bill

                probie

                How do you do a manual upgrade of the snort package?  I'm running pfs 2.1.5 and can't afford to upgrade beyond 2.1.5 because anything beyond 2.1.5 breaks squid proxy with traffic shaping limiter.

                Please advise and thank you in advance.

                  bmeeks

                  Yes, the Snort VRT will periodically deprecate older rules packages.  Each version of Snort (and the associated rules tarball) has a life cycle of support.  At EOL (End of Life), they quit posting rules updates for the older versions of Snort.

                  You will need to move up to pfSense 2.2.x to keep using the Snort package.  I expect them to drop 2.9.7.2 rules support in the not too distant future.  You can visit the Snort web site and they post the EOL dates for each version someplace there.  Might have to search a bit to find it as it's not always easy to locate.

                  Bill

                    RonpfS

                    Still running  2.1.5-RELEASE (i386)
                    On Sep 09 I upgraded to Snort 2.9.7.2 pkg v2.9.7.2 pkg v3.2.5, VRT Rules never downloaded

                    Sep 13 04:17:01 	php: snort_check_for_rule_updates.php: [Snort] Server returned error code 422...
                    Sep 13 04:17:01 	php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules md5 download failed...
                    

                    2.4.5-RELEASE-p1 (amd64)
                    Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                    Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                      bmeeks

                      @RonpfS:

                      Still running  2.1.5-RELEASE (i386)
                      On Sep 09 I upgraded to Snort 2.9.7.2 pkg v2.9.7.2 pkg v3.2.5, VRT Rules never downloaded

                      Sep 13 04:17:01 	php: snort_check_for_rule_updates.php: [Snort] Server returned error code 422...
                      Sep 13 04:17:01 	php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules md5 download failed...
                      

                      You must upgrade both pfSense and then the Snort package.  The Snort VRT has discontinued support of the older rules.  Each version of Snort has a life cycle, and at the end of the life cycle for a particular version they stop providing rules packages for that version.

                      Bill
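
Added example, not part of the thread and not code from the pfSense Snort package: a log check that flags a sensor whose rules have stopped refreshing because its version-specific snapshot is no longer served, which is the 422 symptom discussed above. The snapshot naming is inferred from the update log quoted earlier, the function names are hypothetical, and the sample lines are constructed from the two syslog entries in the thread.

```python
import re

# Syslog shape taken from the lines quoted in this thread.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+php: "
                  r"snort_check_for_rule_updates\.php: \[Snort\] (?P<msg>.*)$")
HTTP = re.compile(r"Server returned error code (\d+)")
FAILED = re.compile(r"^(?P<ruleset>.+?) md5 download failed")

def snapshot_name(snort_version):
    """2.9.7.2 -> snortrules-snapshot-2972.tar.gz (naming inferred from the log)."""
    parts = snort_version.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("expected a four-part Snort version: %r" % snort_version)
    return "snortrules-snapshot-%s.tar.gz" % "".join(parts)

def update_failures(lines):
    """Pair each 'md5 download failed' entry with the HTTP code logged before it."""
    failures, last_code = [], None
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # unrelated log noise
        msg = m.group("msg")
        code = HTTP.search(msg)
        if code:
            last_code = int(code.group(1))
            continue
        failed = FAILED.match(msg)
        if failed:
            failures.append({"when": m.group("ts"), "http": last_code,
                             "ruleset": failed.group("ruleset")})
        last_code = None
    return failures

def assess(snort_version, lines):
    """Summarise whether the sensor is failing to refresh its rules snapshot."""
    fails = update_failures(lines)
    return {"snapshot": snapshot_name(snort_version),
            "failed_runs": len(fails),
            # In this thread a 422 on the md5 request meant the snapshot was retired.
            "snapshot_retired_suspected": bool(fails) and all(f["http"] == 422 for f in fails)}

PREFIX = " \tphp: snort_check_for_rule_updates.php: [Snort] "
SAMPLE = [  # constructed: the thread's two entries, repeated for the following day
    "Sep 13 04:17:01" + PREFIX + "Server returned error code 422...",
    "Sep 13 04:17:01" + PREFIX + "Snort VRT rules md5 download failed...",
    "Sep 13 09:00:00 \tkernel: constructed unrelated entry",
    "Sep 14 04:17:01" + PREFIX + "Server returned error code 422...",
    "Sep 14 04:17:01" + PREFIX + "Snort VRT rules md5 download failed...",
]

if __name__ == "__main__":
    print(assess("2.9.7.2", SAMPLE))
```

A sensor in this state keeps inspecting traffic with its last downloaded rule set, so repeated failures for the same snapshot are worth alerting on rather than leaving in the system log.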

                        doktornotor Banned

                        Created a PR to get this removed from the 2.1.x packages feed, since the package is useless now.

                        https://github.com/pfsense/pfsense-packages/pull/1065
