
Author Topic: snort signatures update issue?  (Read 7697 times)


Offline xankra

snort signatures update issue?
« on: April 02, 2008, 12:36:11 am »
Hi... this is my first post in the forums. I've been using pfSense for over a year and a half by now, and I'm more than pleased with its performance. Recently I installed snort and tried to update the attack signatures, when I came across the following strange issue. The thing is the update never seems to finish; it stays checking the md5 signature. Afterwards, when I retry I get the following message:

"Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
You last updated the ruleset:   2008-04-02
Your snort rulesets are up to date."

I looked into the snort_download_rules.php file, and the 98th line has:

$text = file_get_contents("http://www.snort.org/pub-bin/downloads.cgi");

Basically, what I'm wondering is if the update was successful or not?

Any hints will be appreciated. Thanks in advance.

Offline mevans336

Re: snort signatures update issue?
« Reply #1 on: April 02, 2008, 12:42:54 pm »
I am also getting this error all of a sudden today.

Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
You last updated the ruleset:   2008-04-02
Your snort rulesets are up to date.

It also looks like it borks snort. I can't get both processes to run now.

$ ps aux | grep snort
root   82228  0.0  0.0  1292   908  ??  Is    1:56PM   0:00.00 snort2c -w /var/

Hrm, I was able to get Snort to run by changing the startup mode to mwm from lowmem. Strange.
« Last Edit: April 02, 2008, 01:17:32 pm by mevans336 »

Offline xankra

Re: snort signatures update issue?
« Reply #2 on: April 02, 2008, 03:46:39 pm »
I can say that snort is working. I enabled the nmap xmas filter, and asked a friend to nmap my WAN ip address, and got him in the snort logs:

[ ** ] [ 1:1228:8 ] SCAN nmap XMAS [ ** ] 
[ Classification: Attempted Information Leak ] [ Priority: 2 ] 
04/02-23:40:19.256674 A.B.C.D:60949 -> A.B.C.D:237
TCP TTL:39 TOS:0x0 ID:10828 IpLen:20 DgmLen:40
**U*P**F Seq: 0x781204E9 Ack: 0x0 Win: 0x1000 TcpLen: 20 UrgPtr: 0x0
[ Xref => http://www.whitehats.com/info/IDS30

I have snort running, not snort2c:

# ps aux | grep snort
root   64949  0.0 24.8 66776 30332  ??  Ss   10:00AM   1:58.47 snort -c /usr/local/etc/snort/snort.conf -l /var/log/

And in the status->services page, snort shows as up and running (lowmem mode). Still I wonder if I have updated the signatures or not, but well. It works.

Offline mevans336

Re: snort signatures update issue?
« Reply #3 on: April 02, 2008, 04:23:37 pm »
Mine is also working now, as I'm getting lots of SQL scans. When I switched to mwm, I was able to get both processes back:

$ ps aux | grep snort
root   11135  0.0  3.4 111568 107884  ??  Ss    3:20PM   0:20.26 snort -c /usr/lo
root   11138  0.0  0.0  1292   940  ??  Is    3:20PM   0:00.01 snort2c -w /var/

Hopefully this is just a temporary issue. Is there any way to tell what ruleset we're using?

Offline akong

Re: snort signatures update issue?
« Reply #4 on: April 03, 2008, 04:46:24 am »
I have got the same problem.
Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
How to fix it?

Offline librarymark

Re: snort signatures update issue?
« Reply #5 on: April 03, 2008, 10:53:46 am »
I've got the same thing :(

I'm running 1.2. It just started this week. At least that is the first time I noticed it.

Offline g00rkha75

Re: snort signatures update issue?
« Reply #6 on: April 13, 2008, 05:09:37 am »
Dear all,

I changed the performance to mwm, ran: ps aux | grep snort.  I got only one process of snort running:
# ps aux | grep snort
root   22778  0.0  0.1  1292   908  ??  Is    9:06AM   0:00.00 snort2c -w /var/
root   25496  0.0  0.1  1552   656  p0  R+    9:14AM   0:00.00 grep snort

Then I did ssh to the box and ran snort manually like this:
# snort -c /usr/local/etc/snort/snort.conf -l /var/log/

I got the following:
..............
..............
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /usr/local/etc/snort/rules/ddos.rules(25) => Invalid port: [31335,35555]
Fatal Error, Quitting..

After disabling the problematic ddos.rules(25) using the web console, I ran the following command:
# snort -c /usr/local/etc/snort/snort.conf -l /var/log/

Then I ran ps aux | grep snort again:
Now I got both of snort processes running
# ps aux | grep snort
root   29629  0.0  0.1  1292   908  ??  Is    9:26AM   0:00.00 snort2c -w /var/
root   29786  0.0 14.5 151584 147892  p0  S     9:27AM   0:04.94 snort -c /usr/lo

I ran nmap using the -sS switch but I did not get any alerts.  Moreover, every time I want to update snort I get this error:
Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
You last updated the ruleset:   2008-04-13
Your snort rulesets are up to date.

I have two questions

1. Does the snort in pfsense have to be started manually from the console?  Or perhaps, I missed something.
2. Is the error regarding the update rule normal, meaning we can ignore it?

Thanks, any response will be much appreciated.

Offline g00rkha75

Re: snort signatures update issue?
« Reply #7 on: April 13, 2008, 11:07:42 am »
I think I got it solved by restarting the machine; after the reboot snort runs well.
Just wondering if there's another way than a reboot to solve this.

Offline Juve

Re: snort signatures update issue?
« Reply #8 on: April 14, 2008, 02:31:30 am »
I've got the same error on the update tab and the ddos rules. Fresh 1.2 install.

Offline sullrich

Re: snort signatures update issue?
« Reply #9 on: April 14, 2008, 01:48:47 pm »
Looks like they changed the download location?

What is the new location if you visit their website?  They used to tell the location.

Offline Juve

Re: snort signatures update issue?
« Reply #10 on: April 14, 2008, 03:20:33 pm »
http://www.snort.org/pub-bin/oinkmaster.cgi/[OINKCODE]/filename

The rules still download. The thing not working is the page giving update information.
« Last Edit: April 14, 2008, 03:53:17 pm by Juve »

Offline dalybrian

Re: snort signatures update issue?
« Reply #11 on: April 15, 2008, 07:17:15 pm »
Snort still not working properly after update.

" Warning: file_get_contents(http://www.snort.org/pub-bin/oinkmaster.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 You must be a registered user with a valid oink code to download this file. in /usr/local/www/snort_download_rules.php on line 98 ".

Any further ideas on how to fix this?

Offline rt_rex

Re: snort signatures update issue?
« Reply #12 on: April 16, 2008, 07:06:37 am »
New Version available
Current: 2.7.0.1_4

fredde

  • Guest
Re: snort signatures update issue?
« Reply #13 on: April 16, 2008, 11:54:08 am »
Weird... I still see this when I reinstall snort:

snort-2.7.0.1_1 100%

However, I do see the 1_4 version when I see what packages are installed.

Is this correct?
/F

Offline dalybrian

Re: snort signatures update issue?
« Reply #14 on: April 19, 2008, 10:21:15 am »
Re-installed SNORT ( currently 2.7.0.1_4 ) & changed the code on line 98 ( to http://www.snort.org/pub-bin/oinkmaster.cgi from http://www.snort.org/pub-bin/download.cgi ) and currently getting:

" Warning: file_get_contents(http://www.snort.org/pub-bin/oinkmaster.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 You must be a registered user with a valid oink code to download this file. in /usr/local/www/snort_download_rules.php on line 98 "

I even got a new Oink Code & still getting the same Error. Is there any information on the SNORT website on this issue?
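
The output quoted throughout this thread shows a 403 warning followed directly by "Your snort rulesets are up to date." The PHP below is an added example, not code from snort_download_rules.php or the pfSense package; it shows an update check that reports the ruleset state as unknown when the fetch fails instead of falling through to "up to date". The function names are hypothetical, the sample responses are constructed, and it assumes the server publishes the ruleset's md5 digest as plain text.

```php
<?php
// Added example; names and sample data are hypothetical/constructed.

// Extract the numeric status from a $http_response_header-style array.
function http_status(array $headers): int {
    $status = 0;
    foreach ($headers as $h) {
        // After redirects there are several status lines; keep the last one.
        if (preg_match('#^HTTP/\d(?:\.\d)?\s+(\d{3})#', $h, $m)) {
            $status = (int)$m[1];
        }
    }
    return $status;
}

// Decide what to report. $body is the return value of file_get_contents()
// (false on failure); $installedMd5 is the digest of the local ruleset.
function update_state($body, array $headers, string $installedMd5): string {
    $status = http_status($headers);
    if ($body === false || $status !== 200) {
        // Fail closed: a failed check says nothing about rule freshness.
        return "check failed (HTTP $status): ruleset state unknown";
    }
    $published = strtolower(trim($body));
    if (!preg_match('/^[0-9a-f]{32}$/', $published)) {
        // An error page or login prompt served with 200 is not a digest.
        return "check failed: response is not an md5 digest";
    }
    return hash_equals($published, strtolower($installedMd5))
        ? "up to date"
        : "update available";
}

$installed = md5("constructed ruleset v1");

// Constructed case 1: the 403 seen in this thread.
echo update_state(false, ["HTTP/1.1 403 Forbidden"], $installed), "\n";
// Constructed case 2: the server publishes the same digest.
echo update_state($installed . "\n", ["HTTP/1.1 200 OK"], $installed), "\n";
// Constructed case 3: the server publishes a different digest.
echo update_state(md5("constructed ruleset v2"), ["HTTP/1.1 200 OK"], $installed), "\n";
```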