Issue with - Install Snort VRT rules option



  • I was setting up another pfSense box and was having trouble installing snort on another checkpoint box. I built a Dell GX-780, installed pfSense then installed snort. The snort installation went on the Dell with no issue.
    To verify everything was working I checked "Install Snort VRT rules" and put in a regenerated Oinkcode (registered but not subscribed).
    On the Update tab with either "Update" or "Force" it goes through the download process, counts up in percentages then says "Installing Sourcefire VRT rules …" and that's it....
    MD5 Signature Hash shows not loaded...
    Logs show
    Apr 7 15:31:27 php-fpm[33775]: /snort/snort_download_rules.php: [Snort] Snort VRT rules file update downloaded successfully
    Apr 7 15:30:51 php-fpm[33775]: /snort/snort_download_rules.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-

    I went back to the main pfSense box that has the original snort install, updated the Oinkcode, Forced an update and now the MD5 Signature Hash shows not loaded…  there as well.

    Obviously I have created this issue.

    If I change the Oinkcode to be invalid I get

    Apr 7 16:10:05 php-fpm[54649]: /snort/snort_download_rules.php: [Snort] Server returned error code 422…
    Apr 7 16:10:05 php-fpm[54649]: /snort/snort_download_rules.php: [Snort] Snort VRT rules md5 download failed…

    So with a valid code it downloads but doesn't finish and update the MD5 Signature Hash on the Updates tab

    The "Snort GPLv2 Community Rules" and "Emerging Threats Open Rules" both will install and update the MD5 Signature Hash on the Updates tab

    Any ideas?



  • Sounds like you might need to contact the Snort VRT guys and see what's up with your Oinkcode.  As a test, go to the VRT web site and manually log in and try a download with your Oinkcode totally outside of Snort.  There's an example on their site someplace showing how to construct the URL.  You should be able to type the URL into your browser with your Oinkcode and get a download using your browser.  If that works, then post back here and we will troubleshoot some more.  For the moment, though, I'm leaning toward there being a problem with your Oinkcode on the VRT site.

    The URL should be https://www.snort.org/rules/snortrules-snapshot-2972.md5?oinkcode=oinkid

    where oinkid is replaced by your actual code.

    Bill



  • bmeeks,

    Yes executed
    https://www.snort.org/rules/snortrules-snapshot-2972.tar.gz?oinkcode= my Oinkcode

    and - snortrules-snapshot-2972.tar.gz file was downloaded.

    pfSense shows the download process and the logs show that it downloads as well.

    Apr 7 19:20:54 php-fpm[12400]: /snort/snort_download_rules.php: [Snort] Emerging Threats Open rules file update downloaded successfully
    Apr 7 19:20:52 php-fpm[12400]: /snort/snort_download_rules.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
    Apr 7 19:20:51 php-fpm[12400]: /snort/snort_download_rules.php: [Snort] Snort GPLv2 Community Rules are up to date…
    Apr 7 19:20:50 php-fpm[12400]: /snort/snort_download_rules.php: [Snort] Snort VRT rules file update downloaded successfully
    Apr 7 19:20:18 php-fpm[12400]: /snort/snort_download_rules.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2972.tar.gz…

    Rule Set Update Logs
    Starting rules update...  Time: 2015-04-07 19:20:18
    Downloading Snort VRT rules md5 file snortrules-snapshot-2972.tar.gz.md5...
    Checking Snort VRT rules md5 file...
    There is a new set of Snort VRT rules posted.
    Downloading file 'snortrules-snapshot-2972.tar.gz'...
    Done downloading rules file.
    Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    Checking Snort GPLv2 Community Rules md5 file...
    Snort GPLv2 Community Rules are up to date.
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    Checking Emerging Threats Open rules md5 file...
    There is a new set of Emerging Threats Open rules posted.
    Downloading file 'emerging.rules.tar.gz'...
    Done downloading rules file.
    Extracting and installing Snort VRT rules...
    Using Snort VRT precompiled SO rules for FreeBSD-10-0 ...




  • bmeeks,

    Ok problem Solved!
    Apparently the system/browser you are using to install or uninstall packages makes a difference.
    The very very very short story is:
    Windows 8.1 and Mozilla Firefox 37 is bad for pfSense package installs (Windows Firewall enabled or not)  :'(
    Windows XP Mozilla Firefox 37 works fine…  ;D

    Sorry for all the trouble ...



  • I think I recall some posts elsewhere on the Forum here about issues with some versions of Firefox and them not correctly handling SSL certs.  Don't know if that's related to what you found or not.

    Anyway, glad you have it worked out.

    Bill



  • I thought the same as I did find a reference to that while searching the forum. I changed the Web protocol to HTTP but that didn't help… I am not sure what it is.. I have 3 W8.1 machines that do the same thing. If I get some time I'll dig a little deeper.

    Yes I am very glad and thanks again for your help ...

