Snort Update error 403



  • Good Morning,

    For a few days my Snort has been getting this log when I try to update:

    Starting rules update…  Time: 2015-05-21 09:44:33
    Downloading Snort VRT rules md5 file snortrules-snapshot-2972.tar.gz.md5...
    Snort VRT rules md5 download failed.
    Server returned error code 403.
    Server error message was: 403 Forbidden
    Snort VRT rules will not be updated.
    Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    Snort OpenAppID detectors md5 download failed.
    Server returned error code 403.
    Server error message was: 403 Forbidden
    Snort OpenAppID detectors will not be updated.
    Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    Snort GPLv2 Community Rules md5 download failed.
    Server returned error code 403.
    Server error message was: 403 Forbidden
    Snort GPLv2 Community Rules will not be updated.

    Can someone help?

    Thanks



  • Two possibilities exist:  (1) your Oinkcode was rejected as invalid by the Snort VRT server, or (2) the Snort VRT rules site was temporarily offline.

    If the error is repeatable at different times of the day using the manual update method (on the UPDATES tab), then contact the Snort VRT folks to validate your Oinkcode is valid.

    Bill



  • Hi bmeeks,

    Thanks for the reply.

    When I download the rules from the browser at https://www.snort.org/rules/snortrules-snapshot-2972.tar.gz?oinkcode="mycod" this works well, so I think the problem is not my Oinkcode, right?

    Thanks



  • Is there any kind of caching proxy or other box between pfSense and the web?  The error you are getting is a direct HTTP result code which means the web site rejected your connection due to permissions.  Most of the time that is an Oinkcode problem.  It might be the firewall and the workstation you are using your browser from are hitting different servers (just a guess that the VRT site might have more than one server).

    Do you have the free registered subscription or a paid subscription?

    Bill



  • Hi,

    The only proxy is the Squid installed on the same machine where Snort is.

    In my browser the original address is replaced by the download address https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/001/813/original/snortrules-snapshot-2972.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1432255104&Signature=vMYjdXqpIE60b9ZHtJkH7t%2FTO%2Bw%3D.

    I have a free registered subscription.

    Filipe



  • Can you temporarily allow the firewall to bypass the proxy for VRT downloads?  I think this problem is perhaps unique to some configuration on your end, or else I would expect to be seeing a number of similar posts here on the forum.

    Bill



  • Hi,

    Thanks for the help. Snort is now working again. I'm not 100% sure but I think the problem had something to do with the pfBlockerNG package. When I updated the pfBlockerNG from 1.8 to 1.9 it became possible to download the rules again.

    Thanks

    Filipe


  • Moderator

    @fscms:

    When I updated the pfBlockerNG from 1.8 to 1.9 it became possible to download the rules again.

    It's not the pfBNG package that blocks, it's the IPs used in the Lists that block traffic. Take a look at the Alerts Tab, and it will show you what IPs are being blocked. You can then deal with the IPs that shouldn't be blocked.



  • Hey, did you try to access the same page from some other PC or laptop? If the problem persists then it may be because the website owner has restricted you from accessing that page. Well, there's a simple soln. to it. Install the gom vpn extension from HackBS. It will let you bypass this restriction in seconds.



  • Check the Package Manager and upgrade Snort, the issue will be gone