Snort signatures update issue?

xankra

Hi… this is my first post in the forums. I've been using pfSense for over a year and a half by now, and I'm more than pleased with it's performance. Recently I installed snort, and tried to update the attacks signatures, when I came with the following strange issue. The thing is the update never seems to finish, it stays checking the md5 signature. Afterwards, when I retry I get the following message:

"Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98 You last updated the ruleset: 2008-04-02

Your snort rulesets are up to date."

I looked into the snort_download_rules.php file, and the 98th line has:

$text = file_get_contents("http://www.snort.org/pub-bin/downloads.cgi");

Basically, what I'm wondering is if the update was succesful or not  ???

Any hints will be appreciated. Thanks in advance.

mevans336

I am also getting this error all of a sudden today.

Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
You last updated the ruleset: 2008-04-02
Your snort rulesets are up to date.

It also looks like it borks snort. I can't get both process to run now.

$ ps aux | grep snort
root  82228  0.0  0.0  1292  908  ??  Is    1:56PM  0:00.00 snort2c -w /var/

Hrm, I was able to get Snort to run by changing the startup mode to mwm from lowmem. Strange.

xankra

I can say that snort is working. I enabled the nmap xmas filter, and asked a friend to nmap my WAN ip address, and got him in the snort logs:

[ ** ] [ 1:1228:8 ] SCAN nmap XMAS [ ** ] 
[ Classification: Attempted Information Leak ] [ Priority: 2 ] 
04/02-23:40:19.256674 A.B.C.D:60949 -> A.B.C.D:237
TCP TTL:39 TOS:0x0 ID:10828 IpLen:20 DgmLen:40
U*PF Seq: 0x781204E9 Ack: 0x0 Win: 0x1000 TcpLen: 20 UrgPtr: 0x0
[ Xref => http://www.whitehats.com/info/IDS30 ]

I have snort running, not snort2c:

ps aux | grep snort

root  64949  0.0 24.8 66776 30332  ??  Ss  10:00AM  1:58.47 snort -c /usr/local/etc/snort/snort.conf -l /var/log/

And in the status->services page, snort shows as up and running (lowmem mode). Still I wonder if I have updated the signatures or not, but well. It works.

mevans336

Mine is also working now, as I'm getting lots of SQL scans. When I switched to mwm, I was able to get both processes back:

$ ps aux | grep snort
root  11135  0.0  3.4 111568 107884  ??  Ss    3:20PM  0:20.26 snort -c /usr/lo
root  11138  0.0  0.0  1292  940  ??  Is    3:20PM  0:00.01 snort2c -w /var/

Hopefully this is just a temporary issue. Is there any way to tell what ruleset we're using?

akong

I have got the same problem.
Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
How to fix it?

librarymark

I've got the same thing :(

I'm running 1.2. It just started this week. At least that is the first time I noticed it.

g00rkha75

Dear all,

I changed the performance to mwm, ran: ps aux | grep snort.  I got only one process of snort running:

ps aux | grep snort

root  22778  0.0  0.1  1292  908  ??  Is    9:06AM  0:00.00 snort2c -w /var/
root  25496  0.0  0.1  1552  656  p0  R+    9:14AM  0:00.00 grep snort

Then I did ssh to the box and ran snort manually like this:

snort -c /usr/local/etc/snort/snort.conf -l /var/log/

I got the following:
…...........
..............
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /usr/local/etc/snort/rules/ddos.rules(25) => Invalid port: [31335,35555]
Fatal Error, Quitting..

After I edited by disabling the problematic ddos.rules(25) using web console then run the following command:

snort -c /usr/local/etc/snort/snort.conf -l /var/log/

Then I ran ps aux | grep snort again:
Now I got both of snort processes running

ps aux | grep snort

root  29629  0.0  0.1  1292  908  ??  Is    9:26AM  0:00.00 snort2c -w /var/
root  29786  0.0 14.5 151584 147892  p0  S    9:27AM  0:04.94 snort -c /usr/lo

I ran nmap using -sS switch but I did not get any alerts.  Moreover, everything I want to update the snort I got this error:
Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
You last updated the ruleset: 2008-04-13
Your snort rulesets are up to date.

I have two questions

1. Does the snort in pfsense have to be started manually from the console?  Or perhaps, I missed something.
2. Is the error regarding the update rule normal means we can ignore it?

Thanks, any response will be much appreciated.

g00rkha75

I think I got it solved by restarting the machine, after reboot the snort runs good.
Just wondering if there's another way than reboot to solve this.

Juve

I've got the same same error on the update tab and the ddos rules. Fresh 1.2 install.

sullrich

Looks like they changed the download location?

What is the new location if you visit their website?  They used to tell the location.

Juve

http://www.snort.org/pub-bin/oinkmaster.cgi/[OINKCODE]/filename

The rules still downloads. The thing not working is the page giving updates information.

dalybrian

Snort still not working properly after update.

" Warning: file_get_contents(http://www.snort.org/pub-bin/oinkmaster.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 You must be a registered user with a valid oink code to download this file. in /usr/local/www/snort_download_rules.php on line 98 ".

Any further ideas on how to fix this?

rt_rex

New Version available
Current: 2.7.0.1_4

Guest

wierd..still see this when i reinstall snort

snort-2.7.0.1_1 100%

however i do see the 1_4 version when se what package that are installed

is this correct?
/F

dalybrian

Re-installed SNORT ( currently 2.7.0.1_4 ) & changed the code on line 98 ( to http://www.snort.org/pub-bin/oinkmaster.cgi from http://www.snort.org/pub-bin/download.cgi ) and currently getting:

" Warning: file_get_contents(http://www.snort.org/pub-bin/oinkmaster.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 You must be a registered user with a valid oink code to download this file. in /usr/local/www/snort_download_rules.php on line 98 "

I even got a new Oink Code & still getting the same Error. Is there any information on the SNORT website on this issue?

xdsl

After install snort, im try to update snort. (which cannot enter the rules; need to update first).

but it keep downloading till more than an hour. i already try for 2nd time.

any clue? Thanks in advance

kerim

Same goes to me. after i update snort package, i try to update snort rules, waiting for about 20 minutes+- to finished,then this message came out:

Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98 You last updated the ruleset: 2008-04-29

Your snort rulesets are up to date.

rbustos

Ok,,

This is not a snort or pfsense problem. This is a PHP issue, exactly with file_get_contents function, line 98 in /usr/local/www/snort_download_rules.php
  –>  $text = file_get_contents("$URL_SNORT");

I trying with a temporally "solution" using curl instead file_get_contents.

I have this on my script:

from /usr/local/www/snort_download_rules.php:

               sleep(1);
                $URL_SNORT="http://www.snort.org/pub-bin/downloads.cgi";

                $ch = curl_init();
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_URL, $URL_SNORT);
                $text = curl_exec($ch);

                //$text = file_get_contents("$URL_SNORT",NULL);
                echo "

mevans336

Any update on this issue?

f.spierings

The issue lies in the fact that file_get_contents() does not send a user agent (or empty string), in this case.
I believe you are able to set the user agent in two ways:

• Specify the user agent in the php.ini (not checked)
• Specify the user agent in the script (checked - working)

An example would be (around line 98 /usr/local/www/snort_download_rules.php):

ini_set('user_agent','snort download script');
$text=file_get_contents("http://www.snort.org/pub-bin/downloads.cgi");

newfirewallman

So can i get a confirmation on what is working of the scripts, or reinstallation? I have 1.2 Release with Snort installed a week ago.

brookenmire

I have tried both fixes (curl and ini_set - seperatley) but finding that it takes forever to download the rules files no matter what I use.
If I download the exact same URL that /usr/local/www/snort_download_rules.php is using at the same time but on a desktop that is on the LAN net behind pfSense, it downloads in a couple of minutes. (no caches involved)

Multiple attempts on the pfSense box return the same results.
Traffic shaper is turned off and pfSense is 1.2 prod.

ls on the temp dir (eg /tmp/snortRulesJ0rIr3/) show it downloading, but very slow ..
-rw-r–r--  1 root  wheel  167363 Jun 14 20:02 snortrules-snapshot-CURRENT.tar.gz
-rw-r--r--  1 root  wheel  6637801 Jun 14 20:26 snortrules-snapshot-CURRENT.tar.gz

Once done, the rules file is a complete file, but Snort downloading seems to hang and does not download the md5 hash.

Is there any other additional hacking needs to be done to the snort_download_rules.php file to allow it to progress ?
Does anybody have the above fixes to consistently work ?

Thanks.