    Snort signatures update issue?

      xankra

      Hi… this is my first post in the forums. I've been using pfSense for over a year and a half by now, and I'm more than pleased with its performance. Recently I installed snort, and tried to update the attack signatures, when I came across the following strange issue. The thing is the update never seems to finish, it stays checking the md5 signature. Afterwards, when I retry I get the following message:

      "Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98 You last updated the ruleset: 2008-04-02

      Your snort rulesets are up to date."

      I looked into the snort_download_rules.php file, and the 98th line has:

      $text = file_get_contents("http://www.snort.org/pub-bin/downloads.cgi");

      Basically, what I'm wondering is if the update was successful or not?

      Any hints will be appreciated. Thanks in advance.

        mevans336

        I am also getting this error all of a sudden today.

        Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
        You last updated the ruleset: 2008-04-02
        Your snort rulesets are up to date.

        It also looks like it borks snort. I can't get both processes to run now.

        $ ps aux | grep snort
        root  82228  0.0  0.0  1292  908  ??  Is    1:56PM  0:00.00 snort2c -w /var/

        Hrm, I was able to get Snort to run by changing the startup mode to mwm from lowmem. Strange.

          xankra

          I can say that snort is working. I enabled the nmap xmas filter, and asked a friend to nmap my WAN ip address, and got him in the snort logs:

          [ ** ] [ 1:1228:8 ] SCAN nmap XMAS [ ** ] 
          [ Classification: Attempted Information Leak ] [ Priority: 2 ] 
          04/02-23:40:19.256674 A.B.C.D:60949 -> A.B.C.D:237
          TCP TTL:39 TOS:0x0 ID:10828 IpLen:20 DgmLen:40
          U*PF Seq: 0x781204E9 Ack: 0x0 Win: 0x1000 TcpLen: 20 UrgPtr: 0x0
          [ Xref => http://www.whitehats.com/info/IDS30 ]

          I have snort running, not snort2c:

          ps aux | grep snort

          root  64949  0.0 24.8 66776 30332  ??  Ss  10:00AM  1:58.47 snort -c /usr/local/etc/snort/snort.conf -l /var/log/

          And in the status->services page, snort shows as up and running (lowmem mode). Still I wonder if I have updated the signatures or not, but well. It works.

            mevans336

            Mine is also working now, as I'm getting lots of SQL scans. When I switched to mwm, I was able to get both processes back:

            $ ps aux | grep snort
            root  11135  0.0  3.4 111568 107884  ??  Ss    3:20PM  0:20.26 snort -c /usr/lo
            root  11138  0.0  0.0  1292  940  ??  Is    3:20PM  0:00.01 snort2c -w /var/

            Hopefully this is just a temporary issue. Is there any way to tell what ruleset we're using?

              akong

              I have got the same problem.
              Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
              How to fix it?

                librarymark

                I've got the same thing :(

                I'm running 1.2. It just started this week. At least that is the first time I noticed it.

                  g00rkha75

                  Dear all,

                  I changed the performance to mwm, ran: ps aux | grep snort.  I got only one process of snort running:

                  ps aux | grep snort

                  root  22778  0.0  0.1  1292  908  ??  Is    9:06AM  0:00.00 snort2c -w /var/
                  root  25496  0.0  0.1  1552  656  p0  R+    9:14AM  0:00.00 grep snort

                  Then I did ssh to the box and ran snort manually like this:

                  snort -c /usr/local/etc/snort/snort.conf -l /var/log/

                  I got the following:
                  …...........
                  ..............
                  +++++++++++++++++++++++++++++++++++++++++++++++++++
                  Initializing rule chains...
                  ERROR: /usr/local/etc/snort/rules/ddos.rules(25) => Invalid port: [31335,35555]
                  Fatal Error, Quitting..

                  After I disabled the problematic ddos.rules(25) using the web console, I ran the following command:

                  snort -c /usr/local/etc/snort/snort.conf -l /var/log/

                  Then I ran ps aux | grep snort again:
                  Now I got both snort processes running:

                  ps aux | grep snort

                  root  29629  0.0  0.1  1292  908  ??  Is    9:26AM  0:00.00 snort2c -w /var/
                  root  29786  0.0 14.5 151584 147892  p0  S    9:27AM  0:04.94 snort -c /usr/lo

                  I ran nmap using the -sS switch but I did not get any alerts. Moreover, every time I want to update snort I get this error:
                  Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
                  You last updated the ruleset: 2008-04-13
                  Your snort rulesets are up to date.

                  I have two questions

                  1. Does the snort in pfsense have to be started manually from the console?  Or perhaps, I missed something.
                  2. Is the error regarding the rule update normal, meaning we can ignore it?

                  Thanks, any response will be much appreciated.

                    g00rkha75

                    I think I got it solved by restarting the machine; after the reboot, snort runs well.
                    Just wondering if there's another way than reboot to solve this.

                      Juve

                      I've got the same error on the update tab and the ddos rules. Fresh 1.2 install.

                        sullrich

                        Looks like they changed the download location?

                        What is the new location if you visit their website?  They used to tell the location.

                          Juve

                          http://www.snort.org/pub-bin/oinkmaster.cgi/[OINKCODE]/filename

                          The rules still download. The thing not working is the page giving update information.

                            dalybrian

                            Snort still not working properly after update.

                            " Warning: file_get_contents(http://www.snort.org/pub-bin/oinkmaster.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 You must be a registered user with a valid oink code to download this file. in /usr/local/www/snort_download_rules.php on line 98 ".

                            Any further ideas on how to fix this?

                              rt_rex

                              New Version available
                              Current: 2.7.0.1_4

                              Don't Try this @home go outside!
                              WIFI Link @ 76 km
                              Pfsense with 3G USB

                                Guest

                                Weird.. I still see this when I reinstall snort:

                                snort-2.7.0.1_1 100%

                                However, I do see the 1_4 version when I see what packages are installed.

                                Is this correct?
                                /F

                                  dalybrian

                                  Re-installed SNORT ( currently 2.7.0.1_4 ) & changed the code on line 98 ( to http://www.snort.org/pub-bin/oinkmaster.cgi from http://www.snort.org/pub-bin/download.cgi ) and currently getting:

                                  " Warning: file_get_contents(http://www.snort.org/pub-bin/oinkmaster.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 You must be a registered user with a valid oink code to download this file. in /usr/local/www/snort_download_rules.php on line 98 "

                                  I even got a new Oink Code & still getting the same Error. Is there any information on the SNORT website on this issue?

                                    xdsl

                                    After installing snort, I'm trying to update snort (I cannot enter the rules; need to update first).

                                    But it keeps downloading for more than an hour. I already tried a 2nd time.

                                    Any clue? Thanks in advance

                                      kerim

                                      Same goes for me. After I updated the snort package, I tried to update the snort rules, waited about 20 minutes +/- for it to finish, then this message came out:

                                      Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98 You last updated the ruleset: 2008-04-29

                                      Your snort rulesets are up to date.

                                        rbustos

                                        Ok,

                                        This is not a snort or pfsense problem. This is a PHP issue, exactly with the file_get_contents function, line 98 in /usr/local/www/snort_download_rules.php
                                          –>  $text = file_get_contents("$URL_SNORT");

                                        I am trying a temporary "solution" using curl instead of file_get_contents.

                                        I have this on my script:

                                        from /usr/local/www/snort_download_rules.php:

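                                        sleep(1);
                                        $URL_SNORT = "http://www.snort.org/pub-bin/downloads.cgi";

                                        // Fetch the page with curl instead of file_get_contents()
                                        $ch = curl_init();
                                        curl_setopt($ch, CURLOPT_HEADER, 0);         // leave response headers out of the result
                                        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the body as a string
                                        curl_setopt($ch, CURLOPT_URL, $URL_SNORT);
                                        $text = curl_exec($ch);                      // false on failure

                                        //$text = file_get_contents("$URL_SNORT",NULL);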
                                                        echo "
                                        
                                          mevans336

                                          Any update on this issue?

                                            f.spierings

                                            The issue lies in the fact that file_get_contents() does not send a user agent (or sends an empty string) in this case.
                                            I believe you are able to set the user agent in two ways:

                                            • Specify the user agent in the php.ini (not checked)
                                            • Specify the user agent in the script (checked - working)

                                            An example would be (around line 98 /usr/local/www/snort_download_rules.php):

                                            ini_set('user_agent','snort download script');
                                            $text=file_get_contents("http://www.snort.org/pub-bin/downloads.cgi");

                                            1 Reply Last reply Reply Quote 0
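The User-Agent fix from the last post combined with a status check, as an added example that is not part of the thread or of the pfSense package: it sets the User-Agent through a stream context and treats any non-200 answer as a failed update check, rather than printing "Your snort rulesets are up to date" after a 403 as the messages quoted above show. The function names and the sample responses are constructed for illustration.

```php
<?php
// Added example (not pfSense package code): fetch the rules page with an
// explicit User-Agent and fail closed on any non-200 answer.

// Return the status code of the final response. After redirects the header
// array holds several status lines, so keep the last one seen.
function http_status(array $headers): int {
    $status = 0;
    foreach ($headers as $line) {
        if (preg_match('#^HTTP/\d(?:\.\d)?\s+(\d{3})\b#', $line, $m)) {
            $status = (int) $m[1];
        }
    }
    return $status;
}

// Decide whether a response may be used. Anything but a 200 with a body is
// treated as "update check failed", never as "up to date".
function check_response($body, array $headers): array {
    $status = http_status($headers);
    $ok = ($body !== false && $status === 200);
    return ['ok' => $ok, 'status' => $status, 'body' => $ok ? $body : null];
}

function fetch_page(string $url, string $userAgent): array {
    $ctx = stream_context_create(['http' => [
        'user_agent'    => $userAgent, // per request, instead of ini_set()
        'timeout'       => 30,
        'ignore_errors' => true,       // keep headers and body on 4xx and 5xx
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    // $http_response_header is filled in by the HTTP stream wrapper.
    return check_response($body, $http_response_header ?? []);
}

// Constructed responses: the 403 status line quoted in the thread, and a 200.
$samples = [
    'blocked' => ['Forbidden', ['HTTP/1.1 403 Forbidden']],
    'served'  => ['<html>rule list</html>', ['HTTP/1.1 200 OK', 'Content-Type: text/html']],
];
foreach ($samples as $name => [$body, $headers]) {
    $r = check_response($body, $headers);
    echo $name, ': ', $r['ok'] ? 'use response' : "update check failed (HTTP {$r['status']})", "\n";
}
```

With `ignore_errors` enabled the 403 body comes back as a string, so the status line is the only reliable signal that the page was refused.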