
Author Topic: SNORT RULES NOT UPDATING  (Read 265 times)


Offline NORT

SNORT RULES NOT UPDATING
« on: July 26, 2017, 02:54:28 am »
Hello folks,

Can you help me with my Snort rules? I am trying to update them but they are always failing; even when I force them, they fail.

Any kind of help will be appreciated.


Offline NogBadTheBad

Re: SNORT RULES NOT UPDATING
« Reply #1 on: July 26, 2017, 03:16:36 am »
Just checked mine, it's failing too, it will be an issue at the far end.

Starting rules update...  Time: 2017-07-26 09:22:46
   Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
   Checking Snort VRT rules md5 file...
   There is a new set of Snort VRT rules posted.
   Downloading file 'snortrules-snapshot-2990.tar.gz'...
   Done downloading rules file.
   Snort VRT rules file download failed.  Bad MD5 checksum.
   Downloaded Snort VRT rules file MD5: e4bb08430339f589f4e6656ab3756ab9
   Expected Snort VRT rules file MD5: b9df3daf94e9505fb8183c6875be19a5
   Snort VRT rules file download failed.  Snort VRT rules will not be updated.
   Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
   Checking Snort OpenAppID detectors md5 file...
   There is a new set of Snort OpenAppID detectors posted.
   Downloading file 'snort-openappid.tar.gz'...
   Snort OpenAppID detectors file download failed.  Server returned error 429.
   The error text was:
   Snort OpenAppID detectors will not be updated.
   Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
   Checking Snort OpenAppID RULES detectors md5 file...
   There is a new set of Snort OpenAppID RULES detectors posted.
   Downloading file 'appid_rules.tar.gz'...
   Done downloading rules file.
   Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
   Checking Emerging Threats Open rules md5 file...
   There is a new set of Emerging Threats Open rules posted.
   Downloading file 'emerging.rules.tar.gz'...
   Done downloading rules file.
   Extracting and installing Snort OpenAppID detectors...
   Installation of Snort OpenAppID detectors completed.
   Extracting and installing Emerging Threats Open rules...
   Done downloading rules file.
   Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
   Snort OpenAppID detectors md5 download failed.
   Server returned error code 429.
   Server error message was:
   Snort OpenAppID detectors will not be updated.
   Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
   Checking Snort OpenAppID RULES detectors md5 file...
   There is a new set of Snort OpenAppID RULES detectors posted.
   Downloading file 'appid_rules.tar.gz'...
   Installation of Emerging Threats Open rules completed.
   Copying new config and map files...
   Updating rules configuration for: WAN ...
   Done downloading rules file.
   Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
   Checking Emerging Threats Open rules md5 file...
   Emerging Threats Open rules are up to date.
   Extracting and installing Snort VRT rules...
   Using Snort VRT precompiled SO rules for FreeBSD-10-0 ...
   Updating rules configuration for: LAN ...
   Installation of Snort VRT rules completed.
   Extracting and installing Snort OpenAppID detectors...
   Installation of Snort OpenAppID detectors completed.
   Copying new config and map files...
   Updating rules configuration for: WAN ...
   Updating rules configuration for: USER ...
   Updating rules configuration for: LAN ...
   Updating rules configuration for: GUEST ...
   Updating rules configuration for: USER ...
   Updating rules configuration for: IOT ...
   Updating rules configuration for: GUEST ...
   Updating rules configuration for: DMZ ...
   Updating rules configuration for: IOT ...
   Updating rules configuration for: VOICE ...
   Restarting Snort to activate the new set of rules...
   Updating rules configuration for: DMZ ...
   Snort has restarted with your new set of rules.
The Rules update has finished.  Time: 2017-07-26 09:25:54
« Last Edit: July 26, 2017, 03:52:35 am by NogBadTheBad »

Offline etian90

Re: SNORT RULES NOT UPDATING
« Reply #2 on: November 09, 2017, 02:07:03 pm »
Hi guys, I'm having the same problems with my Snort, I can't update my rules. Do you know how I can do it manually? Thanks

Offline bmeeks

Re: SNORT RULES NOT UPDATING
« Reply #3 on: November 09, 2017, 02:18:42 pm »
Hi guys, I'm having the same problems with my Snort, I can't update my rules. Do you know how I can do it manually? Thanks

What error message is being printed in the log file viewable on the UPDATES tab in Snort?  There are basically only three things that go wrong here and those are:

1.  You are running pfBlockerNG and one of its IP address lists included the IP address pool of the Amazon Web Services network used by the Snort VRT to host their rule downloads.  That is probably the most common cause of this problem.  If you are using pfBlockerNG, disable it while attempting Snort rules updates.

2.  You have the OpenAppID rules download enabled but you are located in a country which is being blocked by GeoIP rules from accessing the university web site in Brazil that hosts the free OpenAppID rules download package.  If this is the case, you simply can't use those rules unless you can use a VPN so that you can appear to be coming from a different non-Geo Blocked country.

3.  Rarely, the Snort VRT folks have a problem with their automated system that posts the rules package files.  Sometimes the MD5 does not get updated or is missing entirely.  If this is the problem, it will fix itself soon.

Reading the error message you will find in the Rules Update Log will help you figure out which of the above three common problems you are experiencing.  If the message in your logs is something else, then post the entire message back here and we will see how to proceed.

You can't update the rules manually with the Snort package on pfSense.  Too much stuff has to happen in a concerted fashion to make that practical.

Bill
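
A triage of the Rules Update Log messages seen in this thread, as an added example that is not part of any post and is not code from the pfSense Snort package. The function name `triage` and the finding labels are made up for illustration; the sample lines are taken from the log in reply #1.

```python
import re

# Constructed sample: lines taken from the update log quoted in reply #1.
SAMPLE_LOG = """\
Starting rules update...  Time: 2017-07-26 09:22:46
   Snort VRT rules file download failed.  Bad MD5 checksum.
   Downloaded Snort VRT rules file MD5: e4bb08430339f589f4e6656ab3756ab9
   Expected Snort VRT rules file MD5: b9df3daf94e9505fb8183c6875be19a5
   Snort VRT rules file download failed.  Snort VRT rules will not be updated.
   Snort OpenAppID detectors md5 download failed.
   Server returned error code 429.
   Installation of Emerging Threats Open rules completed.
"""

FAILED = re.compile(r"(.+?) (?:file|md5) download failed\.")
MD5 = re.compile(r"(Downloaded|Expected) (.+?) file MD5: ([0-9a-f]{32})$")
HTTP = re.compile(r"Server returned error (?:code )?(\d{3})")
INSTALLED = re.compile(r"Installation of (.+?) completed\.")

def triage(log_text):
    """Map each rule set named in the log to 'installed', 'md5_mismatch' or 'http_<code>'."""
    findings, digests, last_failed = {}, {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := FAILED.match(line):
            last_failed = m.group(1)          # error detail may follow on a later line
        if m := MD5.match(line):
            digests.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
        if (m := HTTP.search(line)) and last_failed:
            findings[last_failed] = "http_" + m.group(1)
        if m := INSTALLED.match(line):
            findings.setdefault(m.group(1), "installed")
    for name, seen in digests.items():
        if seen.get("Downloaded") != seen.get("Expected"):
            findings[name] = "md5_mismatch"   # archive and published .md5 disagree
    return findings

if __name__ == "__main__":
    for ruleset, finding in triage(SAMPLE_LOG).items():
        print(f"{ruleset}: {finding}")
```

An `md5_mismatch` finding corresponds to the "Bad MD5 checksum" case in the log; `http_429` is the HTTP "Too Many Requests" status returned by the download server.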