    Snort signatures update issue?

    pfSense Packages
      xankra last edited by

      Hi… this is my first post in the forums. I've been using pfSense for over a year and a half by now, and I'm more than pleased with its performance. Recently I installed snort, and tried to update the attack signatures, when I came across the following strange issue. The thing is the update never seems to finish, it stays checking the md5 signature. Afterwards, when I retry I get the following message:

      "Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98 You last updated the ruleset: 2008-04-02

      Your snort rulesets are up to date."

      I looked into the snort_download_rules.php file, and the 98th line has:

      $text = file_get_contents("http://www.snort.org/pub-bin/downloads.cgi");

      Basically, what I'm wondering is if the update was successful or not  ???

      Any hints will be appreciated. Thanks in advance.

        mevans336 last edited by

        I am also getting this error all of a sudden today.

        Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
        You last updated the ruleset: 2008-04-02
        Your snort rulesets are up to date.

        It also looks like it borks snort. I can't get both processes to run now.

        $ ps aux | grep snort
        root  82228  0.0  0.0  1292  908  ??  Is    1:56PM  0:00.00 snort2c -w /var/

        Hrm, I was able to get Snort to run by changing the startup mode to mwm from lowmem. Strange.

          xankra last edited by

          I can say that snort is working. I enabled the nmap xmas filter, and asked a friend to nmap my WAN ip address, and got him in the snort logs:

          [**] [1:1228:8] SCAN nmap XMAS [**]
          [Classification: Attempted Information Leak] [Priority: 2]
          04/02-23:40:19.256674 A.B.C.D:60949 -> A.B.C.D:237
          TCP TTL:39 TOS:0x0 ID:10828 IpLen:20 DgmLen:40
          U*PF Seq: 0x781204E9  Ack: 0x0  Win: 0x1000  TcpLen: 20  UrgPtr: 0x0
          [Xref => http://www.whitehats.com/info/IDS30]

          I have snort running, not snort2c:

          ps aux | grep snort

          root  64949  0.0 24.8 66776 30332  ??  Ss  10:00AM  1:58.47 snort -c /usr/local/etc/snort/snort.conf -l /var/log/

          And in the status->services page, snort shows as up and running (lowmem mode). Still I wonder if I have updated the signatures or not, but well. It works.

            mevans336 last edited by

            Mine is also working now, as I'm getting lots of SQL scans. When I switched to mwm, I was able to get both processes back:

            $ ps aux | grep snort
            root  11135  0.0  3.4 111568 107884  ??  Ss    3:20PM  0:20.26 snort -c /usr/lo
            root  11138  0.0  0.0  1292  940  ??  Is    3:20PM  0:00.01 snort2c -w /var/

            Hopefully this is just a temporary issue. Is there any way to tell what ruleset we're using?

              akong last edited by

              I have got the same problem.
              Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
              How to fix it?

                librarymark last edited by

                I've got the same thing :(

                I'm running 1.2. It just started this week. At least that is the first time I noticed it.

                  g00rkha75 last edited by

                  Dear all,

                  I changed the performance to mwm, ran: ps aux | grep snort.  I got only one process of snort running:

                  ps aux | grep snort

                  root  22778  0.0  0.1  1292  908  ??  Is    9:06AM  0:00.00 snort2c -w /var/
                  root  25496  0.0  0.1  1552  656  p0  R+    9:14AM  0:00.00 grep snort

                  Then I did ssh to the box and ran snort manually like this:

                  snort -c /usr/local/etc/snort/snort.conf -l /var/log/

                  I got the following:
                  …...........
                  ..............
                  +++++++++++++++++++++++++++++++++++++++++++++++++++
                  Initializing rule chains...
                  ERROR: /usr/local/etc/snort/rules/ddos.rules(25) => Invalid port: [31335,35555]
                  Fatal Error, Quitting..

                  After I disabled the problematic ddos.rules(25) using the web console, I ran the following command:

                  snort -c /usr/local/etc/snort/snort.conf -l /var/log/

                  Then I ran ps aux | grep snort again:
                  Now I got both snort processes running

                  ps aux | grep snort

                  root  29629  0.0  0.1  1292  908  ??  Is    9:26AM  0:00.00 snort2c -w /var/
                  root  29786  0.0 14.5 151584 147892  p0  S    9:27AM  0:04.94 snort -c /usr/lo

                  I ran nmap using the -sS switch but I did not get any alerts.  Moreover, every time I want to update snort I get this error:
                  Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
                  You last updated the ruleset: 2008-04-13
                  Your snort rulesets are up to date.

                  I have two questions

                  1. Does the snort in pfsense have to be started manually from the console?  Or perhaps, I missed something.
                  2. Is the error regarding the rule update normal, meaning we can ignore it?

                  Thanks, any response will be much appreciated.

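The post above walks through the manual procedure by hand: start Snort, read the fatal error, disable the one rule that failed, start again. The following is an added example (not the pfSense package's own code) that scripts the same loop in PHP: run Snort in its configuration test mode (`-T`), parse the `ERROR: file(line) => message` line, comment out only that rule line, and re-test. The path of the snort binary is assumed; the sample error and rules text at the end are constructed so the parsing and disabling functions can be exercised without Snort installed.

```php
<?php
// Added example, not pfSense's own code. Scripts the manual procedure from the
// post: test the config, find the failing rule line, disable just that line.
// Assumptions: "snort -T" (Snort's configuration test mode) is at $snort_bin;
// rule files are plain text with one rule per line and "#" as comment marker.

// Extract file path, line number and message from a Snort fatal error line,
// e.g. "ERROR: /path/ddos.rules(25) => Invalid port: [31335,35555]".
// Returns null when the line is not in that shape.
function parse_snort_error($line) {
    if (preg_match('/ERROR:\s+(\S+?)\((\d+)\)\s*=>\s*(.*)$/', $line, $m)) {
        return array('file' => $m[1], 'line' => (int)$m[2], 'msg' => trim($m[3]));
    }
    return null;
}

// Prefix the given 1-based line of $text with "# " so Snort skips it.
// Returns the rewritten text, or null if the line does not exist.
function disable_rule_line($text, $lineno) {
    $lines = explode("\n", $text);
    if ($lineno < 1 || $lineno > count($lines)) {
        return null;
    }
    $idx = $lineno - 1;
    if (substr(ltrim($lines[$idx]), 0, 1) !== '#') {
        $lines[$idx] = '# disabled (failed to load): ' . $lines[$idx];
    }
    return implode("\n", $lines);
}

// Run "snort -T" and return the first ERROR line, or '' when the config loads.
function snort_test_config($snort_bin, $conf) {
    $cmd = escapeshellcmd($snort_bin) . ' -T -c ' . escapeshellarg($conf) . ' 2>&1';
    exec($cmd, $out, $rc);
    if ($rc === 0) {
        return '';
    }
    foreach ($out as $l) {
        if (strpos($l, 'ERROR:') !== false) {
            return $l;
        }
    }
    return 'snort -T exited with status ' . $rc;
}

// Test, disable the offending line, and re-test, at most $max times so a
// config that keeps failing for other reasons does not loop forever.
function repair_rules($snort_bin, $conf, $max = 5) {
    for ($i = 0; $i < $max; $i++) {
        $err = snort_test_config($snort_bin, $conf);
        if ($err === '') {
            return true;                      // config loads cleanly
        }
        $e = parse_snort_error($err);
        if ($e === null || !is_readable($e['file'])) {
            error_log("cannot repair automatically: $err");
            return false;
        }
        $fixed = disable_rule_line(file_get_contents($e['file']), $e['line']);
        if ($fixed === null || file_put_contents($e['file'], $fixed) === false) {
            return false;
        }
        error_log("disabled {$e['file']} line {$e['line']}: {$e['msg']}");
    }
    return false;
}

// Constructed sample: the error quoted in the post, applied to a three-line
// stand-in for ddos.rules (no Snort needed for this part).
$sample_error = 'ERROR: /usr/local/etc/snort/rules/ddos.rules(25) => Invalid port: [31335,35555]';
$e = parse_snort_error($sample_error);   // array(file => ".../ddos.rules", line => 25, msg => "Invalid port: ...")
$rules = "alert tcp any any -> any 1 (msg:\"one\";)\n"
       . "alert tcp any any -> any [31335,35555] (msg:\"two\";)\n"
       . "alert tcp any any -> any 3 (msg:\"three\";)";
$fixed = disable_rule_line($rules, 2);   // second line is now commented out
// On the box itself: repair_rules('/usr/local/bin/snort', '/usr/local/etc/snort/snort.conf');
```

Running `snort -T` before restarting the service is the check worth keeping even without the rest: it reports the failing rule without touching the running process, so a bad ruleset update does not leave the box with only `snort2c` running, as the `ps` output in the post shows. The disabled line is logged so it can be reviewed rather than silently lost.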
                    g00rkha75 last edited by

                    I think I got it solved by restarting the machine; after the reboot snort runs fine.
                    Just wondering if there's another way than reboot to solve this.

                      Juve last edited by

                      I've got the same error on the update tab and the ddos rules. Fresh 1.2 install.

                        sullrich last edited by

                        Looks like they changed the download location?

                        What is the new location if you visit their website?  They used to tell the location.

                          Juve last edited by

                          http://www.snort.org/pub-bin/oinkmaster.cgi/[OINKCODE]/filename

                          The rules still download. The thing not working is the page giving update information.

                            dalybrian last edited by

                            Snort still not working properly after update.

                            " Warning: file_get_contents(http://www.snort.org/pub-bin/oinkmaster.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 You must be a registered user with a valid oink code to download this file. in /usr/local/www/snort_download_rules.php on line 98 ".

                            Any further ideas on how to fix this?

                              rt_rex last edited by

                              New Version available
                              Current: 2.7.0.1_4

                                Guest last edited by

                                Weird.. still see this when I reinstall snort

                                snort-2.7.0.1_1 100%

                                However I do see the 1_4 version when I look at which packages are installed

                                is this correct?
                                /F

                                  dalybrian last edited by

                                  Re-installed SNORT ( currently 2.7.0.1_4 ) & changed the code on line 98 ( to http://www.snort.org/pub-bin/oinkmaster.cgi from http://www.snort.org/pub-bin/download.cgi ) and currently getting:

                                  " Warning: file_get_contents(http://www.snort.org/pub-bin/oinkmaster.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 You must be a registered user with a valid oink code to download this file. in /usr/local/www/snort_download_rules.php on line 98 "

                                  I even got a new Oink Code & still getting the same Error. Is there any information on the SNORT website on this issue?

                                    xdsl last edited by

                                    After installing snort, I'm trying to update snort (I cannot enter the rules; I need to update first).

                                    But it keeps downloading for more than an hour. I already tried a 2nd time.

                                    any clue? Thanks in advance

                                      kerim last edited by

                                      Same goes for me. After I updated the snort package, I tried to update the snort rules, waited about 20 minutes +/- for it to finish, then this message came out:

                                      Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98 You last updated the ruleset: 2008-04-29

                                      Your snort rulesets are up to date.

                                        rbustos last edited by

                                        Ok,

                                        This is not a snort or pfsense problem. This is a PHP issue, specifically with the file_get_contents function, line 98 in /usr/local/www/snort_download_rules.php
                                          -->  $text = file_get_contents("$URL_SNORT");

                                        I'm trying a temporary "solution" using curl instead of file_get_contents.

                                        I have this on my script:

                                        from /usr/local/www/snort_download_rules.php:

                                        sleep(1);
                                        $URL_SNORT="http://www.snort.org/pub-bin/downloads.cgi";

                                        // fetch the page with curl instead of file_get_contents()
                                        $ch = curl_init();
                                        curl_setopt($ch, CURLOPT_HEADER, 0);          // body only, no response headers
                                        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  // return the body instead of printing it
                                        curl_setopt($ch, CURLOPT_URL, $URL_SNORT);
                                        $text = curl_exec($ch);
                                        curl_close($ch);                              // release the handle

                                        //$text = file_get_contents("$URL_SNORT",NULL);
                                        echo "
                                        
                                          mevans336 last edited by

                                          Any update on this issue?

                                            f.spierings last edited by

                                            The issue lies in the fact that file_get_contents() does not send a user agent (or empty string), in this case.
                                            I believe you are able to set the user agent in two ways:

                                            • Specify the user agent in the php.ini (not checked)
                                            • Specify the user agent in the script (checked - working)

                                            An example would be (around line 98 /usr/local/www/snort_download_rules.php):

                                            ini_set('user_agent','snort download script');
                                            $text=file_get_contents("http://www.snort.org/pub-bin/downloads.cgi");

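Taking the user-agent fix above together with the curl rewrite posted earlier, here is an added example (not the pfSense package's own code) of what the bare `file_get_contents()` call on line 98 could become. It sends a User-Agent through a stream context instead of `ini_set()`, reads the HTTP status from `$http_response_header` instead of relying on the PHP warning, puts a timeout on the request so a stalled download cannot sit for an hour, and refuses to install the tarball unless it matches the `.md5` file the update step checks. It assumes PHP 5.2.10 or newer for the `ignore_errors` context option (on older PHP drop that option and the call simply returns false on a 403), and the oinkmaster URL and `.md5` file name it uses are placeholders, not values taken from snort.org.

```php
<?php
// Added example, not pfSense's own code: a safer replacement for the
// file_get_contents() call on line 98 of snort_download_rules.php.
// Assumptions: the server rejects requests without a User-Agent (as the
// thread suggests); PHP >= 5.2.10 for the "ignore_errors" option; the
// tarball and ".md5" URLs are placeholders for your real oinkmaster URLs.

function snort_fetch($url, $timeout = 60) {
    // Scope the User-Agent to this request via a stream context rather than
    // ini_set(), and bound the wait so a stalled server cannot hang the page.
    $ctx = stream_context_create(array(
        'http' => array(
            'method'        => 'GET',
            'user_agent'    => 'pfSense snort_download_rules',
            'timeout'       => $timeout,
            'ignore_errors' => true,   // return the body even on 403 so we can report it
        ),
    ));
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        return array('ok' => false, 'status' => 0, 'body' => '',
                     'error' => 'connection failed or timed out');
    }
    // $http_response_header is filled in by the http:// wrapper after the call;
    // the first entry is the status line, e.g. "HTTP/1.1 403 Forbidden".
    $status = 0;
    if (isset($http_response_header[0]) &&
        preg_match('#^HTTP/\d\.\d\s+(\d{3})#', $http_response_header[0], $m)) {
        $status = (int)$m[1];
    }
    return array('ok' => ($status == 200), 'status' => $status, 'body' => $body,
                 'error' => ($status == 200) ? '' : 'HTTP ' . $status);
}

// Pull the 32-hex-digit digest out of a ".md5" file. Accepts both the BSD
// "MD5 (file) = hash" layout and the md5sum "hash  file" layout.
function parse_md5_file($text) {
    if (preg_match('/([0-9a-f]{32})/i', $text, $m)) {
        return strtolower($m[1]);
    }
    return null;
}

// Download the digest first, then the tarball, and only write the tarball to
// $dest when the two agree. Returns true only for a verified download.
function snort_download_rules($tarball_url, $md5_url, $dest) {
    $md5 = snort_fetch($md5_url, 30);
    if (!$md5['ok']) {
        error_log('md5 fetch failed: ' . $md5['error']);   // e.g. "HTTP 403"
        return false;
    }
    $expected = parse_md5_file($md5['body']);
    if ($expected === null) {
        error_log('md5 file did not contain a digest');
        return false;
    }
    $tar = snort_fetch($tarball_url, 600);   // large file: allow ten minutes
    if (!$tar['ok']) {
        error_log('rules fetch failed: ' . $tar['error']);
        return false;
    }
    if (md5($tar['body']) !== $expected) {
        error_log('digest mismatch: refusing to install rules');
        return false;
    }
    return file_put_contents($dest, $tar['body']) !== false;
}

// Usage with placeholders (the URL shape follows the oinkmaster.cgi pattern
// quoted in the thread; OINKCODE is your own code, the file name is assumed):
// $base = "http://www.snort.org/pub-bin/oinkmaster.cgi/OINKCODE/snortrules-snapshot-CURRENT.tar.gz";
// snort_download_rules($base, $base . '.md5', '/tmp/snortrules-snapshot-CURRENT.tar.gz');
```

Two points worth noting on the design. The 403 in this thread surfaces as a PHP warning because the script never looks at the status; checking `$http_response_header` turns it into a logged, handled failure, which is what makes "You last updated the ruleset" stop appearing after a failed fetch. The md5 comparison only guards against a truncated or corrupted download (the slow, partial `.tar.gz` in the later post); since the digest comes from the same server over plain HTTP, it is not a defence against a tampered ruleset.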
                                              newfirewallman last edited by

                                              So can I get a confirmation on which of the scripts is working, or reinstallation? I have 1.2 Release with Snort installed a week ago.

                                                brookenmire last edited by

                                                I have tried both fixes (curl and ini_set, separately) but I'm finding that it takes forever to download the rules files no matter what I use.
                                                If I download the exact same URL that /usr/local/www/snort_download_rules.php is using at the same time but on a desktop that is on the LAN net behind pfSense, it downloads in a couple of minutes. (no caches involved)

                                                Multiple attempts on the pfSense box return the same results.
                                                Traffic shaper is turned off and pfSense is 1.2 prod.

                                                ls on the temp dir (eg /tmp/snortRulesJ0rIr3/) shows it downloading, but very slowly ..
                                                -rw-r--r--  1 root  wheel   167363 Jun 14 20:02 snortrules-snapshot-CURRENT.tar.gz
                                                -rw-r--r--  1 root  wheel  6637801 Jun 14 20:26 snortrules-snapshot-CURRENT.tar.gz

                                                Once done, the rules file is a complete file, but Snort downloading seems to hang and does not download the md5 hash.

                                                Is there any other additional hacking that needs to be done to the snort_download_rules.php file to allow it to progress?
                                                Does anybody have the above fixes working consistently?

                                                Thanks.
