Netgate Discussion Forum

    Snort Updating issue (SSL)

    • A
      Abhishek
      last edited by

      @BBcan177:

      You are having an SSL cURL error:

      
      Apr 11 18:14:59	php-fpm	12254	/snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
      
      

      Maybe you need to make an exception in squid? It's failing on a "self-signed certificate".

      I have a Block rule, as shown in the pic, which allows direct connection. I am using squid with wpad (non-transparent), so there shouldn't be a self-signed cert error.

      
      Rule Set Name/Publisher	MD5 Signature Hash	MD5 Signature Date
      Snort VRT Rules	b93880acfbcdd064ad894a1bfb9bc500	Wednesday, 20-Apr-16 00:09:30 IST
      Snort GPLv2 Community Rules	fb7314e7d71c8cd3fcdf821fec9e01bc	Friday, 15-Apr-16 14:53:43 IST
      Emerging Threats Open Rules	8ccb168cfdb2fe0d4a4f805b840e345d	Sunday, 24-Apr-16 00:07:15 IST
      Snort OpenAppID Detectors	6575e2e2d2ae00cfd2d6726538f8deaa	Friday, 15-Apr-16 14:53:43 IST
      

      For me, the issue started after upgrading to 2.3.

      Then, due to this issue, I even did a fresh install, and I am still facing the same issue on the fresh install. Help.

      
      Time	Process	PID	Message
      Apr 25 10:00:10	php		[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
      Apr 25 10:00:00	php		[pfBlockerNG] Starting cron process.
      Apr 25 09:45:23	check_reload_status		Syncing firewall
      Apr 25 09:45:23	php-cgi		snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
      Apr 25 09:45:23	php-cgi		snort_check_for_rule_updates.php: [Snort] Removed 0 obsoleted rules category files.
      Apr 25 09:45:23	php-cgi		snort_check_for_rule_updates.php: [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.
      Apr 25 09:45:23	php-cgi		snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date...
      Apr 25 09:45:22	php-cgi		snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file download failed... server returned error '0'...
      Apr 25 09:45:22	php-cgi		snort_check_for_rule_updates.php: File 'community-rules.tar.gz' download attempts: 4 ...
      Apr 25 09:45:07	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
      Apr 25 09:45:07	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
      Apr 25 09:44:52	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
      Apr 25 09:44:52	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
      Apr 25 09:44:37	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
      Apr 25 09:44:37	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
      Apr 25 09:44:22	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
      Apr 25 09:44:22	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
      Apr 25 09:44:20	php-cgi		snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
      Apr 25 09:44:19	php-cgi		snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors are up to date...
      Apr 25 09:44:18	php-cgi		snort_check_for_rule_updates.php: [Snort] Snort VRT rules file download failed... server returned error '0'...
      Apr 25 09:44:18	php-cgi		snort_check_for_rule_updates.php: File 'snortrules-snapshot-2980.tar.gz' download attempts: 4 ...
      Apr 25 09:44:03	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
      Apr 25 09:44:03	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
      Apr 25 09:43:48	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
      Apr 25 09:43:48	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
      Apr 25 09:43:45	php-cgi		servicewatchdog_cron.php: Could not send the message to info@cbdatasource.com -- Error: 535 Incorrect authentication data
      Apr 25 09:43:33	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
      Apr 25 09:43:33	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
      Apr 25 09:43:15	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
      Apr 25 09:43:15	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
      Apr 25 09:43:14	php-cgi		snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2980.tar.gz...
      Apr 25 09:43:07	xinetd	22114	Reconfigured: new=0 old=1 dropped=0 (services)
      

      S01.PNG
      S02.png

      2.3-RC (amd64)
      built on Mon Apr 04 17:09:32 CDT 2016
      FreeBSD 10.3-RELEASE
      Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz

      darkstat 3.1.2_1
      Lightsquid 3.0.3_1
      mailreport 3.0_1
      pfBlockerNG 2.0.9_1  
      RRD_Summary 1.3.1_2
      snort 3.2.9.1_9  
      squid 0.4.16_1  
      squidGuard 1.14_1
      syslog-ng 1.1.2_2

      • bmeeksB
        bmeeks
        last edited by

        Firewall rules have nothing at all to do with your Snort rules update problem.  It is complaining about the certificate trust chain.  There either is, or your configuration makes cURL think there is, a self-signed certificate in the chain.

        Have you tried removing Squid entirely for a test to see if the rules download then?  The Snort code uses the built-in system function cURL() to download updates.  That function is called with a parameter set to verify SSL peers (in other words, check the certification trust chain).  That check is failing on your system because of some specific configuration you have.  My bet is the problem is with Squid.

        Bill
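
A triage sketch for the log in the first post, added here as an example and not part of the thread or of the Snort package's code: it rebuilds each rules download from the newest-first log lines and marks the ones that failed on cURL's peer verification, the check described in the reply above. The function and field names are assumptions made for this example.

```python
import re

# Lines copied from the system log quoted in the first post (newest first, as
# posted); columns space-separated, retry and attempt-count lines left out.
SAMPLE_LOG = """\
Apr 25 09:45:23 php-cgi snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date...
Apr 25 09:45:22 php-cgi snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file download failed... server returned error '0'...
Apr 25 09:45:07 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:44:52 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:44:37 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:44:22 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:44:20 php-cgi snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
Apr 25 09:44:18 php-cgi snort_check_for_rule_updates.php: [Snort] Snort VRT rules file download failed... server returned error '0'...
Apr 25 09:44:03 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:43:48 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:43:33 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:43:15 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
Apr 25 09:43:14 php-cgi snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2980.tar.gz...
"""

START = re.compile(r"Downloading (\S+?)\.\.\.")
ERROR = re.compile(r"Rules download error: (.+)$")
FAILED = re.compile(r"\[Snort\] (.+?) file download failed")

def triage(log_text):
    """Return one record per attempted download, oldest first."""
    downloads, current = [], None
    for line in reversed(log_text.strip().splitlines()):  # log is newest first
        if m := START.search(line):
            current = {"file": m.group(1), "started": line[:15],
                       "errors": [], "failed": False, "ruleset": None}
            downloads.append(current)
        elif current and (m := ERROR.search(line)):
            current["errors"].append(m.group(1))
        elif current and (m := FAILED.search(line)):
            current["failed"], current["ruleset"] = True, m.group(1)
            current = None  # this download is finished
    for d in downloads:
        # cURL reports a failed peer verification as "SSL certificate problem"
        d["tls_trust_failure"] = any(
            e.startswith("SSL certificate problem") for e in d["errors"])
    return downloads

if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(d["started"], d["file"], "failed" if d["failed"] else "ok",
              len(d["errors"]), "errors, TLS trust:", d["tls_trust_failure"])
```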

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.