Snort Updating issue (SSL)

Abhishek

You are having an SSL cURL error:
Apr 11 18:14:59	php-fpm	12254	/snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Maybe you need to make an exception in squid? It's failing on a "self-signed certificate".

i have Block rule as shown in pic which allows direct connection , I am using squid with wpad (Non transparent ) so there shouldnt b self signed cert error


Rule Set Name/Publisher	MD5 Signature Hash	MD5 Signature Date
Snort VRT Rules	b93880acfbcdd064ad894a1bfb9bc500	Wednesday, 20-Apr-16 00:09:30 IST
Snort GPLv2 Community Rules	fb7314e7d71c8cd3fcdf821fec9e01bc	Friday, 15-Apr-16 14:53:43 IST
Emerging Threats Open Rules	8ccb168cfdb2fe0d4a4f805b840e345d	Sunday, 24-Apr-16 00:07:15 IST
Snort OpenAppID Detectors	6575e2e2d2ae00cfd2d6726538f8deaa	Friday, 15-Apr-16 14:53:43 IST

for me issue started after upgrading to 2.3

then due to this issue i even did a fresh install and still i am facing the same issue on fresh install , help


Time	Process	PID	Message
Apr 25 10:00:10	php		[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
Apr 25 10:00:00	php		[pfBlockerNG] Starting cron process.
Apr 25 09:45:23	check_reload_status		Syncing firewall
Apr 25 09:45:23	php-cgi		snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Apr 25 09:45:23	php-cgi		snort_check_for_rule_updates.php: [Snort] Removed 0 obsoleted rules category files.
Apr 25 09:45:23	php-cgi		snort_check_for_rule_updates.php: [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.
Apr 25 09:45:23	php-cgi		snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date...
Apr 25 09:45:22	php-cgi		snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file download failed... server returned error '0'...
Apr 25 09:45:22	php-cgi		snort_check_for_rule_updates.php: File 'community-rules.tar.gz' download attempts: 4 ...
Apr 25 09:45:07	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
Apr 25 09:45:07	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:44:52	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
Apr 25 09:44:52	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:44:37	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
Apr 25 09:44:37	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:44:22	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
Apr 25 09:44:22	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:44:20	php-cgi		snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
Apr 25 09:44:19	php-cgi		snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors are up to date...
Apr 25 09:44:18	php-cgi		snort_check_for_rule_updates.php: [Snort] Snort VRT rules file download failed... server returned error '0'...
Apr 25 09:44:18	php-cgi		snort_check_for_rule_updates.php: File 'snortrules-snapshot-2980.tar.gz' download attempts: 4 ...
Apr 25 09:44:03	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
Apr 25 09:44:03	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:43:48	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
Apr 25 09:43:48	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:43:45	php-cgi		servicewatchdog_cron.php: Could not send the message to info@cbdatasource.com -- Error: 535 Incorrect authentication data
Apr 25 09:43:33	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
Apr 25 09:43:33	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:43:15	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
Apr 25 09:43:15	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:43:14	php-cgi		snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2980.tar.gz...
Apr 25 09:43:07	xinetd	22114	Reconfigured: new=0 old=1 dropped=0 (services)

S01.PNG_thumb

S02.png_thumb

bmeeks

Firewall rules have nothing at all to do with your Snort rules update problem. It is complaining about the certificate trust chain. There either is, or your configuration makes cURL think there is, a self-signed certificate in the chain.

Have you tried removing Squid entirely for a test to see if the rules download then? The Snort code uses the built-in system function cURL() to download updates. That function is called with a parameter set to verify SSL peers (in other words, check the certification trust chain). That check is failing on your system because of the some specific configuration you have. My bet is the problem is with Squid.

Bill