next »

[xankra]

Hi... this is my first post in the forums. I've been using pfSense for over a year and a half by now, and I'm more than pleased with it's performance. Recently I installed snort, and tried to update the attacks signatures, when I came with the following strange issue. The thing is the update never seems to finish, it stays checking the md5 signature. Afterwards, when I retry I get the following message:

"Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98 You last updated the ruleset:   2008-04-02

Your snort rulesets are up to date."

I looked into the snort_download_rules.php file, and the 98th line has:

$text = file_get_contents("http://www.snort.org/pub-bin/downloads.cgi");

Basically, what I'm wondering is if the update was succesful or not 

Any hints will be appreciated. Thanks in advance.

[mevans336]

I am also getting this error all of a sudden today.

Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
You last updated the ruleset:   2008-04-02
Your snort rulesets are up to date.

It also looks like it borks snort. I can't get both process to run now.

$ ps aux | grep snort
root   82228  0.0  0.0  1292   908  ??  Is    1:56PM   0:00.00 snort2c -w /var/

Hrm, I was able to get Snort to run by changing the startup mode to mwm from lowmem. Strange.

[xankra]

I can say that snort is working. I enabled the nmap xmas filter, and asked a friend to nmap my WAN ip address, and got him in the snort logs:

[ ** ] [ 1:1228:8 ] SCAN nmap XMAS [ ** ] 
[ Classification: Attempted Information Leak ] [ Priority: 2 ] 
04/02-23:40:19.256674 A.B.C.D:60949 -> A.B.C.D:237
TCP TTL:39 TOS:0x0 ID:10828 IpLen:20 DgmLen:40
**U*P**F Seq: 0x781204E9 Ack: 0x0 Win: 0x1000 TcpLen: 20 UrgPtr: 0x0
[ Xref => http://www.whitehats.com/info/IDS30 ] 

I have snort running, not snort2c:

# ps aux | grep snort
root   64949  0.0 24.8 66776 30332  ??  Ss   10:00AM   1:58.47 snort -c /usr/local/etc/snort/snort.conf -l /var/log/

And in the status->services page, snort shows as up and running (lowmem mode). Still I wonder if I have updated the signatures or not, but well. It works.

[mevans336]

Mine is also working now, as I'm getting lots of SQL scans. When I switched to mwm, I was able to get both processes back:

$ ps aux | grep snort
root   11135  0.0  3.4 111568 107884  ??  Ss    3:20PM   0:20.26 snort -c /usr/lo
root   11138  0.0  0.0  1292   940  ??  Is    3:20PM   0:00.01 snort2c -w /var/

Hopefully this is just a temporary issue. Is there any way to tell what ruleset we're using?

[akong]

I have got the same problem.
Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
How to fix it?

[librarymark]

I've got the same thing

I'm running 1.2. It just started this week. At least that is the first time I noticed it.

[g00rkha75]

Dear all,

I changed the performance to mwm, ran: ps aux | grep snort.  I got only one process of snort running:
# ps aux | grep snort
root   22778  0.0  0.1  1292   908  ??  Is    9:06AM   0:00.00 snort2c -w /var/
root   25496  0.0  0.1  1552   656  p0  R+    9:14AM   0:00.00 grep snort

Then I did ssh to the box and ran snort manually like this:
# snort -c /usr/local/etc/snort/snort.conf -l /var/log/

I got the following:
..............
..............
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /usr/local/etc/snort/rules/ddos.rules(25) => Invalid port: [31335,35555]
Fatal Error, Quitting..

After I edited by disabling the problematic ddos.rules(25) using web console then run the following command:
# snort -c /usr/local/etc/snort/snort.conf -l /var/log/

Then I ran ps aux | grep snort again:
Now I got both of snort processes running
# ps aux | grep snort
root   29629  0.0  0.1  1292   908  ??  Is    9:26AM   0:00.00 snort2c -w /var/
root   29786  0.0 14.5 151584 147892  p0  S     9:27AM   0:04.94 snort -c /usr/lo

I ran nmap using -sS switch but I did not get any alerts.  Moreover, everything I want to update the snort I got this error:
Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
You last updated the ruleset:   2008-04-13
Your snort rulesets are up to date.

I have two questions

1. Does the snort in pfsense have to be started manually from the console?  Or perhaps, I missed something.
2. Is the error regarding the update rule normal means we can ignore it?

Thanks, any response will be much appreciated.

[g00rkha75]

I think I got it solved by restarting the machine, after reboot the snort runs good.
Just wondering if there's another way than reboot to solve this. 

[Juve]

I've got the same same error on the update tab and the ddos rules. Fresh 1.2 install.

[sullrich]

Looks like they changed the download location?

What is the new location if you visit their website?  They used to tell the location.

[Juve]

http://www.snort.org/pub-bin/oinkmaster.cgi/[OINKCODE]/filename

The rules still downloads. The thing not working is the page giving updates information.

[dalybrian]

Snort still not working properly after update.

" Warning: file_get_contents(http://www.snort.org/pub-bin/oinkmaster.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 You must be a registered user with a valid oink code to download this file. in /usr/local/www/snort_download_rules.php on line 98 ".

Any further ideas on how to fix this?

[rt_rex]

New Version available
Current: 2.7.0.1_4

[fredde]

wierd..still see this when i reinstall snort

snort-2.7.0.1_1 100%

however i do see the 1_4 version when se what package that are installed

is this correct?
/F

[dalybrian]

Re-installed SNORT ( currently 2.7.0.1_4 ) & changed the code on line 98 ( to http://www.snort.org/pub-bin/oinkmaster.cgi from http://www.snort.org/pub-bin/download.cgi ) and currently getting:

" Warning: file_get_contents(http://www.snort.org/pub-bin/oinkmaster.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 You must be a registered user with a valid oink code to download this file. in /usr/local/www/snort_download_rules.php on line 98 "

I even got a new Oink Code & still getting the same Error. Is there any information on the SNORT website on this issue?