Snort 2.9.7.0 pkg v3.2.2 2.1.5-RELEASE (amd64) Snort VRT Rules Error 505



  • Hi Guys

    I'm facing some errors with my brand new install of pfSense, as shown in the logs.

    Version 	2.1.5-RELEASE (amd64)
    built on Mon Aug 25 07:44:45 EDT 2014
    FreeBSD pfSense.polijarra 8.3-RELEASE-p16 FreeBSD 8.3-RELEASE-p16 #0: Mon Aug 25 08:27:11 EDT 2014 root@pf2_1_1_amd64.pfsense.org:/usr/obj.amd64/usr/pfSensesrc/src/sys/pfSense_SMP.8 amd64
    
    You are on the latest version.
    Platform 	pfSense
    CPU Type 	Intel(R) Xeon(R) CPU 3050 @ 2.13GHz
    2 CPUs: 1 package(s) x 2 core(s)
    

    Snort fails to download data version 2.9.7.0 pkg v3.2.2

    
    Starting rules update...  Time: 2015-01-17 18:26:49
    	Downloading Snort VRT rules md5 file snortrules-snapshot-2970.tar.gz.md5...
    	Snort VRT rules md5 download failed.
    	Server returned error code 505.
    	Server error message was: 505 HTTP Version Not Supported
    	Snort VRT rules will not be updated.
    	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    	Checking Snort GPLv2 Community Rules md5 file...
    	There is a new set of Snort GPLv2 Community Rules posted.
    	Downloading file 'community-rules.tar.gz'...
    	Done downloading rules file.
    	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    	Checking Emerging Threats Open rules md5 file...
    	There is a new set of Emerging Threats Open rules posted.
    	Downloading file 'emerging.rules.tar.gz'...
    	Done downloading rules file.
    	Extracting and installing Snort GPLv2 Community Rules...
    	Installation of Snort GPLv2 Community Rules completed.
    	Extracting and installing Emerging Threats Open rules...
    	Installation of Emerging Threats Open rules completed.
    	Copying new config and map files...
    	Updating rules configuration for: WAN ...
    The Rules update has finished.  Time: 2015-01-17 18:27:10
    
    


  • Hopefully that was just a temporary glitch on the Snort VRT web site.  Try again by going to the UPDATES tab in Snort and clicking the UPDATE button.  If the problem persists, post back here.

    Bill



  • Hi

    I am also having this problem on 2.2 RELEASE. I tried to use "the force"  ;D but then the md5 cannot even download. I have created a new key to no avail. Anything on this? A link to a clue perhaps?

    This did not happen for me https://forum.pfsense.org/index.php?topic=79578.0 It seems strange to me that HTTP is being invoked as opposed to HTTPS. Timbuktu client has a similar issue https://www.snort.org/rule_docs/505 TIA

    /M



  • I just checked my logs for today and I had no errors auto-downloading an update at 1:30 PM US Eastern Time today.  Here is the log extract –

    
    Starting rules update...  Time: 2015-03-12 13:30:00
    	Downloading Snort VRT rules md5 file snortrules-snapshot-2970.tar.gz.md5...
    	Checking Snort VRT rules md5 file...
    	There is a new set of Snort VRT rules posted.
    	Downloading file 'snortrules-snapshot-2970.tar.gz'...
    	Done downloading rules file.
    	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    	Checking Emerging Threats Open rules md5 file...
    	Emerging Threats Open rules are up to date.
    	Extracting and installing Snort VRT rules...
    	Using Snort VRT precompiled SO rules for FreeBSD-10-0 ...
    	Installation of Snort VRT rules completed.
    	Copying new config and map files...
    	Updating rules configuration for: WAN ...
    	Updating rules configuration for: DMZ ...
    	Updating rules configuration for: LAN ...
    	Restarting Snort to activate the new set of rules...
    	Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2015-03-12 13:31:12
    
    

    Are you still having an issue?  Can you download rules manually via web browser using your Oinkcode?  That will tell you if your code is working correctly.

    Bill



  • Hi Bill

    Thanks for responding. The auto download came through after I left yesterday @Thursday, 12-Mar-15 16:51:43 CDT. I have the auto set for 00:47, changed from default. It seems a long time to glitch though? >36 hours? It was a new install so I thought there was more to it than that. Lesson: be patient, it is not always available. I needed remediation on a HIPAA/HITECH issue, we'll make the deadline  ;D

    The tip about the oink-code is now in my notes. I appreciate how much time you spend here. Thanks again  :)

    /M



  • I used to see frequent failures when I had my auto-updates happening around midnight.  Finally moved them to about an hour and a half later.  They now occur at 1:30 AM and 1:30 PM Eastern each day.  Since doing that, I don't recall a failure in quite a long time.  I think the VRT guys may have some server work or other tasks that happen around midnight Eastern Time.  Avoiding that window seems to have helped me.

    Bill


  • Moderator

    @bmeeks:

    I used to see frequent failures when I had my auto-updates happening around midnight.  Finally moved them to about an hour and a half later.  They now occur at 1:30 AM and 1:30 PM Eastern each day.  Since doing that, I don't recall a failure in quite a long time.  I think the VRT guys may have some server work or other tasks that happen around midnight Eastern Time.  Avoiding that window seems to have helped me.

    Bill

    +1

    I also avoid Midnight to 1AM for the same reason… Maybe their servers are getting hit by everyone at the same time?



  • Hi there,

    Not everybody has switched to the new version 2.2.3. In that pfSense release the download of the VRT rules via Snort might work, but under pfSense version 2.1.5 the URL of Snort changed. I guess the developers of pfSense are supporting this version anymore. Therefore the change of the URL will not be brought up in an update. That is really sad to say.

    Therefore it might be very helpful for those users using pfSense 2.1.5 if one of the developers would just post which file must be changed, and what in it, to get the updates back.

    Please give this hint.

    It should be the variable "VRT_DNLD_URL" (snort_defs.inc or snort.inc or snort_check_for_rule_updates.php) which must be changed. But what is the new URL?

    thnx a lot.
    ;)



  • @foresthus:

    Hi there,

    Please give this hint.

    It should be the variable "VRT_DNLD_URL" (snort_defs.inc or snort.inc or snort_check_for_rule_updates.php) which must be changed. But what is the new URL?

    thnx a lot.
    ;)

    The Snort VRT has removed the rules tarball for Snort versions older than 2.9.7.2, so there is no URL to give you for the 2.9.7.0 version.  With Snort, the version of the binary and the version of the rules tarball must match.  A check is done by the binary to be sure they match up.  This is not a pfSense problem, but is a decision of the Snort team.

    You need to upgrade your pfSense to a 2.2.x version and then update Snort to version 2.9.7.3.  By the way, version 2.9.7.5 of Snort was just released.  I will be submitting an update for the pfSense package in the near future.

    Bill
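
The update logs quoted in this thread can be checked mechanically, so a rule set that silently stops updating (as the VRT set did here) is noticed. The following is an added example, not code from the pfSense Snort package or from any poster; the function names are hypothetical, the sample log is constructed from lines quoted above, and `snapshot_name` assumes the dots-removed tarball naming visible in those logs (2.9.7.0 and `snortrules-snapshot-2970.tar.gz`).

```shell
#!/bin/sh
# Added example: summarize a pfSense Snort rules-update log, one line per rule set.

# snapshot_name VERSION: VRT tarball name for a Snort binary version, assuming
# the dots-removed naming seen in the thread's log (2.9.7.0 -> ...-2970.tar.gz).
snapshot_name() {
    printf 'snortrules-snapshot-%s.tar.gz\n' "$(printf '%s' "$1" | tr -d '.')"
}

# update_status: read an update log on stdin and print
#   <rule set>|<md5 file requested>|<FAILED:http_code | NEW | CURRENT | UNKNOWN>
update_status() {
    awk '
    /Downloading .* md5 file / {
        name = $0; file = $0
        sub(/^[ \t]*Downloading /, "", name); sub(/ md5 file .*$/, "", name)
        sub(/^.* md5 file /, "", file);       sub(/\.\.\.[ \t]*$/, "", file)
        cur = name; order[++n] = name; md5[name] = file; state[name] = "UNKNOWN"
        next
    }
    cur == "" { next }                      # ignore lines before the first rule set
    /md5 download failed/        { state[cur] = "FAILED"; next }
    /Server returned error code/ { code = $NF; sub(/\.$/, "", code); state[cur] = "FAILED:" code; next }
    /There is a new set of/      { state[cur] = "NEW"; next }
    /are up to date/             { state[cur] = "CURRENT"; next }
    END { for (i = 1; i <= n; i++) print order[i] "|" md5[order[i]] "|" state[order[i]] }
    '
}

# Constructed sample: lines taken from the two update logs quoted in this thread.
sample_log() {
    cat <<'EOF'
Starting rules update...  Time: 2015-01-17 18:26:49
    Downloading Snort VRT rules md5 file snortrules-snapshot-2970.tar.gz.md5...
    Snort VRT rules md5 download failed.
    Server returned error code 505.
    Server error message was: 505 HTTP Version Not Supported
    Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    Checking Snort GPLv2 Community Rules md5 file...
    There is a new set of Snort GPLv2 Community Rules posted.
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    Checking Emerging Threats Open rules md5 file...
    Emerging Threats Open rules are up to date.
EOF
}

sample_log | update_status
```

Comparing the md5 file name in the second field with `$(snapshot_name <installed version>).md5` shows whether the updater is still asking for a snapshot that matches the installed binary.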