Snort VRT Updates Stop Part Way Through
-
I'm sitting here scratching my head. Now I get this, which is similar to what I see in the pfSense GUI: it starts the download and then just stops part way through for no reason. I've tried this from multiple browsers and operating systems on the same network. This is starting to look like a FreeBSD issue?
[2.2.5-DEVELOPMENT][admin@pfSense.localdomain]/tmp/vrt: wget "https://www.snort.org/rules/snortrules-snapshot-2975.tar.gz?oinkcode=xxxxx"
--2015-09-13 23:46:09-- https://www.snort.org/rules/snortrules-snapshot-2975.tar.gz?oinkcode=xxxxx
Resolving www.snort.org (www.snort.org)... 104.20.20.171, 104.20.18.171, 104.20.19.171, ...
Connecting to www.snort.org (www.snort.org)|104.20.20.171|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/002/445/original/snortrules-snapshot-2975.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1442209570&Signature=bLs08YpUJhB68%2BI6xX26S1ruTGc%3D [following]
--2015-09-13 23:46:10-- https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/002/445/original/snortrules-snapshot-2975.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1442209570&Signature=bLs08YpUJhB68+I6xX26S1ruTGc=
Resolving s3.amazonaws.com (s3.amazonaws.com)... 54.231.14.240
Connecting to s3.amazonaws.com (s3.amazonaws.com)|54.231.14.240|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2015-09-13 23:46:10 ERROR 403: Forbidden.
--2015-09-13 23:46:10-- https://www.snort.org/rules/snortrules-snapshot-2975.tar.gz?oinkcode=xxxxx
Connecting to www.snort.org (www.snort.org)|104.20.20.171|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/002/445/original/snortrules-snapshot-2975.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1442209571&Signature=WdJQ2RTN19Jj0S%2FVF9vDFXzRanI%3D [following]
--2015-09-13 23:46:11-- https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/002/445/original/snortrules-snapshot-2975.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1442209571&Signature=WdJQ2RTN19Jj0S/VF9vDFXzRanI=
Connecting to s3.amazonaws.com (s3.amazonaws.com)|54.231.14.240|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34081451 (33M) [application/octet-stream]
Saving to: 'snortrules-snapshot-2975.tar.gz?oinkcode=xxxxx'
11%[===> ] 3.87M 283KB/s eta 82s
When I try to download this direct URL from S3 using a browser from the same IP PAT, it works:
https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/002/445/original/snortrules-snapshot-2975.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1442209571&Signature=WdJQ2RTN19Jj0S/VF9vDFXzRanI=
When I try wget from pfSense, it stops part way through.
The same thing from an Ubuntu 14.04 machine on the same network downloads just fine:
agilani@ubuntu:~/Desktop$ wget -4 "https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=XXXXXX"
--2015-09-13 22:51:03-- https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=XXXXXX
Resolving www.snort.org (www.snort.org)... 104.20.17.171, 104.20.20.171, 104.20.21.171, ...
Connecting to www.snort.org (www.snort.org)|104.20.17.171|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/002/443/original/snortrules-snapshot-2962.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1442213463&Signature=GzfIOg0wkc4ODvW4JEmEIGa%2FbPc%3D [following]
--2015-09-13 22:51:03-- https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/002/443/original/snortrules-snapshot-2962.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1442213463&Signature=GzfIOg0wkc4ODvW4JEmEIGa%2FbPc%3D
Resolving s3.amazonaws.com (s3.amazonaws.com)... 54.231.13.224
Connecting to s3.amazonaws.com (s3.amazonaws.com)|54.231.13.224|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 33654635 (32M) [application/octet-stream]
Saving to: ‘snortrules-snapshot-2962.tar.gz?oinkcode=XXXXXX’
100%[======================================>] 33,654,635 6.94MB/s in 7.8s
2015-09-13 22:51:12 (4.11 MB/s) - ‘snortrules-snapshot-2962.tar.gz?oinkcode=XXXXXX’ saved [33654635/33654635]
agilani@ubuntu:~/Desktop$
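Added example, not part of the thread: one detail in the pfSense wget output above that nobody in the thread picks up on. The first redirect came back 403 and the immediate retry 200. In the log, the Location header is printed with %2B and %3D intact, but the URL wget then follows shows them decoded to + and =. S3 form-decodes the query string, so a bare + in the Signature becomes a space and the signature no longer matches; the retry's signature contained only %2F, which decodes to / and survives that round trip. The Ubuntu wget kept the escapes and got 200 first time. This is my inference from the log lines (the URLs below are copied from them), and it is separate from the "stops part way through" problem the thread is actually about.

```python
# Added example (not from the thread or the pfSense packages): shows why a
# client that percent-decodes a presigned redirect URL before following it
# breaks signatures containing '+' but not those containing only '/'.
from urllib.parse import parse_qsl, unquote, urlsplit

BASE = ("https://s3.amazonaws.com/snort-org-site/production/release_files/files/"
        "000/002/445/original/snortrules-snapshot-2975.tar.gz")

# Location header values exactly as printed in the thread's pfSense log.
LOCATION_403 = BASE + "?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1442209570&Signature=bLs08YpUJhB68%2BI6xX26S1ruTGc%3D"
LOCATION_200 = BASE + "?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1442209571&Signature=WdJQ2RTN19Jj0S%2FVF9vDFXzRanI%3D"


def query_as_server_sees_it(url):
    """Decode the query string the way a form-decoding server (such as S3) does:
    percent-escapes are resolved and a bare '+' becomes a space."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def intended_signature(location):
    """The signature the redirecting server meant: decode the Location as given."""
    return query_as_server_sees_it(location)["Signature"]


def signature_after_naive_decode(location):
    """What the server receives if the client percent-decodes the whole Location
    header before reissuing the request (the behaviour visible in the log)."""
    return query_as_server_sees_it(unquote(location))["Signature"]


def redirect_survives_decoding(location):
    """True when following a percent-decoded copy of this redirect still presents
    the signature the issuer intended; False means a 403 is the expected outcome."""
    return intended_signature(location) == signature_after_naive_decode(location)


def presigned_expiry(location):
    """Unix time at which the presigned URL stops working (its Expires parameter)."""
    return int(query_as_server_sees_it(location)["Expires"])


if __name__ == "__main__":
    for name, loc in (("403 redirect", LOCATION_403), ("200 redirect", LOCATION_200)):
        print(name,
              "intended:", intended_signature(loc),
              "after decode:", signature_after_naive_decode(loc),
              "ok" if redirect_survives_decoding(loc) else "MISMATCH")
```

The practical takeaway for anyone debugging 403s on the rule download: compare the Location header the server sent with the URL the client actually requested, and keep the client's redirect handling encoding-preserving.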
-
Snort/Suricata is now using more secure cURL SSL options to download the Rule Updates. Maybe something is failing with your SSL connection?
You can try to manually lower the cURL settings to see if that is the issue. Then you can try to resolve the underlying issue…
Edit the file: /usr/local/www/suricata/suricata_check_for_rule_updates.php
Line numbers 200 - 202
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, "TLSv1.2, TLSv1");
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
and change them to the following:
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, "TLSv1.2, TLSv1, SSLv3");
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
Then try the rules update and see if that works. You could also try changing one line at a time and see which setting could be the issue. You definitely do not want to leave it with lower SSL settings for long.
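Added example, not from the thread or the pfSense packages: before switching CURLOPT_SSL_VERIFYPEER off as a test, it is worth checking the CA bundle the box actually verifies against, since an expired or truncated bundle produces exactly the "all root CAs expired" symptom. The script below assumes the openssl CLI is installed; the bundle path is whatever your system uses (the FreeBSD paths in the comment are given as an assumption, not taken from the thread).

```shell
# Added example (POSIX sh), not part of the thread or the pfSense packages.
# Check a PEM CA bundle for certificates that have expired or will expire
# within a window, and report a bundle that contains no certificates at all.
# Assumes the openssl CLI. Typical FreeBSD/pfSense bundle locations (assumed):
#   /etc/ssl/cert.pem  or  /usr/local/share/certs/ca-root-nss.crt
#
# usage: check_bundle_expiry <bundle.pem> [seconds]
#   prints one EXPIRING line per offending cert on stderr and the number of
#   offending certs on stdout; "seconds" widens the check to certs that expire
#   within that window (default 0 = already expired).

check_bundle_expiry() {
    bundle="$1"
    window="${2:-0}"
    tmpdir=$(mktemp -d) || return 2

    # Split the PEM bundle into one file per certificate.
    awk -v d="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"

    total=0
    bad=0
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || continue
        total=$((total + 1))
        # -checkend N exits non-zero if the cert expires within N seconds.
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
            bad=$((bad + 1))
            subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
            end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null)
            echo "EXPIRING: $subj ($end)" >&2
        fi
    done
    rm -rf "$tmpdir"

    # A bundle with zero parseable certificates is itself a finding: every
    # TLS verification against it will fail, which looks like a cURL/SSL error.
    [ "$total" -eq 0 ] && echo "WARNING: no certificates found in $bundle" >&2
    echo "$bad"
}

if [ "$#" -gt 0 ]; then
    check_bundle_expiry "$@"
fi
```

Run it with a window of a few weeks (e.g. 2592000 for 30 days) to catch roots that are about to drop out; if the count is non-zero or the bundle is empty, replace the bundle rather than disabling peer verification in the package.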
-
Looks like the file is in /usr/local/pkg/suricata instead - but not the droid I'm looking for. The changes didn't make any difference.
-
@AliBaba0101: Sounds like you managed to get temporarily banned with your hammering of the servers.
Snort/Suricata is now using more secure cURL SSL options to download the Rule Updates. Maybe something is failing with your SSL connection?
Yeah, something was failing with the CA certs bundle, or dunno… I reinstalled the latest 2.2.5 snapshot and it works. WTF.
-
Just realized you guys having the issue are using the pfSense 2.2.5 snapshot. I am still on 2.2.4 for my box, so that's likely why I'm not seeing problems. As @doktornotor noted, there did appear to be some kind of CA problem in one of the 2.2.5 snapshots. That may be the root of all the Snort/Suricata rule download problems. One of the recent updates for both Snort and Suricata upgraded the rules download to be more secure by using HTTPS and tightening up on the options supplied to cURL.
Bill
-
Yeah, I'm pretty much convinced it's not the package's or the Snort website's fault at all… Was working for some week or so, though. Then it pretty much started to behave as if all the root CAs had expired or what. Gitsync couldn't fix it either; needed a new snapshot. Uh. :o ???
-
Just realized you guys having the issue are using the pfSense 2.2.5 snapshot. I am still on 2.2.4 for my box, so that's likely why I'm not seeing problems. As @doktornotor noted, there did appear to be some kind of CA problem in one of the 2.2.5 snapshots. That may be the root of all the Snort/Suricata rule download problems. One of the recent updates for both Snort and Suricata upgraded the rules download to be more secure by using HTTPS and tightening up on the options supplied to cURL.
Bill
I can reproduce the problem pretty reliably on 2.2.4 and 2.2.5 - I only upgraded from 2.2.4 to 2.2.5 to see if it behaved any differently. I didn't have a lot of time to look at the packet capture I uploaded, but from the initial look, it appears the pfSense box just stops sending TCP acknowledgements, then sends a whole bunch of duplicate acknowledgements, then doesn't respond again and just drops the conversation altogether after a TCP RST.
The funny thing is I can't reproduce this on my Ubuntu or Windows boxes on the same network. They all work fine and download it without any problems.
I'm starting to wonder if the Snort site is checking for a client agent and checking it for a valid signature… but then everyone else should be having the same problem.
-
Anybody have any luck getting this to work lately? I still can't download VRT rules. Tried the SSLv3 fix and a new oinkcode but no luck. All the other rulesets work.
-
Thanks… my issue is either pfBlockerNG or one of the Suricata blocking rules, apparently.