Topic: Snort OpenAppID RULES - Server returned error code 0

EWBtCiaST
« on: November 25, 2017, 04:57:19 pm »
I've been unable to download the OpenAppID RULES for about 6 weeks due to the following error code - Server returned error code 0. All of the other rules update every day.

I've also deleted the Snort package and re-installed it and restored pfSense to a version where Snort had previously updated all rules.

Any help is much appreciated.

mrzaz
« Reply #1 on: December 10, 2017, 02:46:09 pm »
I also get a problem with the APPID RULES download.

According to logs it says:
   Downloading Snort OpenAppID RULES detectors md5 file appid_rules.tar.gz.md5...
   Checking Snort OpenAppID RULES detectors md5 file...
   There is a new set of Snort OpenAppID RULES detectors posted.
   Downloading file 'appid_rules.tar.gz'...
   Done downloading rules file.
   Snort OpenAppID RULES detectors file download failed.  Bad MD5 checksum.
   Downloaded Snort OpenAppID RULES detectors file MD5: 4a919586ee271f633a04b406b1332bf9
   Expected Snort OpenAppID RULES detectors file MD5: d4539caec45fdb0484ded9de593e0dc4
   Snort OpenAppID RULES detectors file download failed.  Snort OpenAppID RULES detectors will not be updated.

And just to make sure, I manually downloaded the http://files.pfsense.org/openappid/appid_rules.tar.gz and http://files.pfsense.org/openappid/appid_rules.tar.gz.md5
and then made a manual md5 checksum of the "appid_rules.tar.gz" and compared it to the downloaded one.

DOWNLOADED:   d4539caec45fdb0484ded9de593e0dc4
MANUAL MD5:      4a919586ee271f633a04b406b1332bf9

Exactly the same as from the pfSense.  So either someone has modified the appid_rules.tar.gz after the checksum was created
OR the appid_rules.tar.gz has been updated and someone has forgotten to create a new updated md5 checksum file
or possibly the appid file has become corrupted.

Please correct this.

The interesting part is that the appid file and the md5 file were stored at almost the same time, only 2 min apart.
http://files.pfsense.org/openappid/
appid_rules.tar.gz                                 08-Dec-2017 20:46              788480
appid_rules.tar.gz.md5                             08-Dec-2017 20:48                  33

Best regards
Dan Lundqvist
MRZAZ.COM
Stockholm, Sweden
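
The manual check described in the post above, as an added example that is not part of the original thread or of the pfSense Snort package: it repeats the MD5 comparison and, on a mismatch, tests whether the archive still reads cleanly, which separates a damaged download from an archive and checksum file that no longer belong together. The function names and the in-memory sample archive are constructed for illustration, and the file is assumed to be a gzip-compressed tar as its name states.

```python
import gzip
import hashlib
import io
import re
import tarfile
import zlib

def parse_md5_sidecar(data: bytes) -> str:
    """Return the digest from a .md5 file ('<hex>' or '<hex>  filename')."""
    m = re.match(rb"\s*([0-9a-fA-F]{32})(?:\s|$)", data)
    if m is None:
        raise ValueError("sidecar does not begin with a 32-hex MD5 digest")
    return m.group(1).decode("ascii").lower()

def archive_is_intact(blob: bytes) -> bool:
    """True if the gzip stream passes its own CRC32 and the tar headers parse."""
    try:
        raw = gzip.decompress(blob)      # verifies the gzip CRC32/length trailer
        with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tar:
            tar.getmembers()             # walks and validates every tar header
        return True
    except (OSError, EOFError, zlib.error, tarfile.TarError):
        return False

def check_download(archive: bytes, sidecar: bytes) -> str:
    """Repeat the MD5 comparison from the update log, then triage a mismatch."""
    if hashlib.md5(archive).hexdigest() == parse_md5_sidecar(sidecar):
        return "match"
    # A readable archive means the two files disagree but the transfer was
    # clean; MD5 alone cannot say which of the two is the current one.
    if archive_is_intact(archive):
        return "mismatch-archive-readable"
    return "mismatch-archive-corrupt"

def sample_archive() -> bytes:
    """Constructed stand-in for appid_rules.tar.gz (one small text member)."""
    buf, data = io.BytesIO(), b"constructed sample member\n"
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("constructed/sample.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    good = sample_archive()
    fresh = (hashlib.md5(good).hexdigest() + "\n").encode()  # 33 bytes
    stale = b"d4539caec45fdb0484ded9de593e0dc4\n"  # "Expected" value in the log
    print(check_download(good, fresh), check_download(good, stale),
          check_download(good[:-20], fresh))
```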

bmeeks
« Reply #2 on: December 12, 2017, 03:22:05 pm »
As stated in some earlier posts and the pfSense blog, the pfSense team recently began hosting the OpenAppID rules for download, migrating them away from the Brazilian University web site.  I think there are still some wrinkles to work out with regard to mirroring the two required files.  I reported this thread to the pfSense team member who coordinated the hosting effort so he can take a look.

Bill

ivor (Administrator)
« Reply #3 on: December 12, 2017, 03:32:55 pm »
Should be good now.

simby
« Reply #4 on: December 14, 2017, 03:26:42 am »
I have this error:

Dec 14 10:25:30   php-fpm   57060   /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 20090 -D -q --suppress-config-log -l /var/log/snort/snort_igb020090 --pid-path /var/run --nolock-pidfile -G 20090 -c /usr/local/etc/snort/snort_20090_igb0/snort.conf -i igb0' returned exit code '1', the output was ''
Dec 14 10:25:30   snort   91420   FATAL ERROR: /usr/local/etc/snort/snort_20090_igb0/rules/snort.rules(3803) Rule options must be enclosed in '(' and ')'.
Dec 14 10:25:29   snort   91420   AppInfo: AppId 4115 is UNKNOWN
Dec 14 10:25:29   snort   91420   AppInfo: AppId 503 is UNKNOWN
Dec 14 10:25:29   snort   91420   AppInfo: AppId 503 is UNKNOWN
Dec 14 10:25:29   snort   91420   AppInfo: AppId 503 is UNKNOWN
Dec 14 10:25:29   snort   91420   AppInfo: AppId 503 is UNKNOWN
Dec 14 10:25:29   snort   91420   AppInfo: AppId 4126 is UNKNOWN
Dec 14 10:25:29   snort   91420   Invalid direct client application AppId, 4126, for 0x809fc83e0 0x8045ae180
Dec 14 10:25:29   snort   91420   AppInfo: AppId 4387 is UNKNOWN
Dec 14 10:25:29   snort   91420   AppInfo: AppId 4385 is UNKNOWN
Dec 14 10:25:29   snort   91420   AppInfo: AppId 4043 is UNKNOWN
Dec 14 10:25:29   snort   91420   AppInfo: AppId 4109 is UNKNOWN
Dec 14 10:25:29   snort   91420   AppInfo: AppId 4387 is UNKNOWN
Dec 14 10:25:29   snort   91420   AppInfo: AppId 4387 is UNKNOWN
Dec 14 10:25:29   snort   91420   AppInfo: AppId 4385 is UNKNOWN
Dec 14 10:25:29   snort   91420   AppInfo: AppId 473 is UNKNOWN