
Bug #2902

closed

Snort does not update snort.org (basic?) rules. Possibly clock blocking by snort.org for basic subscribers.

Added by David Gessel over 11 years ago. Updated over 11 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Snort
Target version:
Start date: 03/23/2013
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.1
Affected Plus Version:
Affected Architecture: i386

Description

Snort 2.9.4.1 pkg v. 2.5.4 on 2.1-BETA1 (i386) built on Fri Mar 22 22:56:09 EDT 2013

I've tested and found this problem repeatable over several nightly snapshots and on two machines (with different, but both verified valid, oinkcodes) on different networks and many load attempts. There seems to be something wrong with the snort.org update process, and there's no real indication in the logs of what the problem is. It may be that most testing is done by snort subscribers, and as a "basic" snort user I'm getting suboptimal behavior:

Updates tab, initiate update

Seems normal:
[screencap: Downloading Rules Update for Snort]

Update proceeds but terminates too quickly

On my slow Iraqi connection, there's no way 21MB of rules downloaded, but there's no indication of a problem:
[screencap: Rules Update Finished]

No update actually performed

Checking back, no update is performed on snort.org. Emerging threats updates as expected.
[screencap: No rules updated actually]

Log data

(note: reverse chronological order)

Mar 23 17:58:32     php: /snort/snort_download_rules.php: The Rules update has finished...
Mar 23 17:58:32     php: /snort/snort_download_rules.php: Emerging threat rules are up to date...
Mar 23 17:58:31     php: /snort/snort_download_rules.php: Please wait... You may only check for New Rules every 15 minutes...
Mar 23 17:58:31     php: /snort/snort_download_rules.php: Snort MD5 Attempts: 5
Mar 23 17:52:11     check_reload_status: Syncing firewall

Is it possible the update routine hits snort.org once to get the MD5 file then gets locked out of the basic account for 15 minutes effectively clock blocking the download?

Manual test

I followed these fine instructions and manually updated the rules by downloading them from the web interface at snort.org, using the command prompt file upload tool to move them to the temp directory, then executed

tar -zxvf snortrules-snapshot-2923.tar.gz -C /usr/local/etc/snort/rules

and successfully unpacked them. Alas, snort does not detect them.


Files

downloading_snort.PNG (9.21 KB) - screencap: Downloading Rules Update for Snort - David Gessel, 03/23/2013 10:13 AM
rules_update_finished.png (5.37 KB) - screencap: Rules Update Finished - David Gessel, 03/23/2013 10:13 AM
no_rules_update_actually.PNG (5.51 KB) - screencap: No rules updated actually - David Gessel, 03/23/2013 10:13 AM
Actions #1

Updated by David Gessel over 11 years ago

update

The tar file contains the rules directory so the correct untar command from the download directory is

tar -zxvf snortrules-snapshot-2923.tar.gz -C /usr/local/etc/snort/

However, the rules, while thoroughly mixed with the emerging threats rules, do not appear in the interface.

Actions #2

Updated by Daniel Davis over 11 years ago

Same issue here, have tried the manual update but still no result.

Actions #3

Updated by Daniel Davis over 11 years ago

Issue is that the 2941 rules are not yet available to registered users, only subscribers. Modify the $snort_rules_file variable in /usr/local/pkg/snort/snort.inc to the available version (change 2941 to 2940) and it will work again.
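
The thread above shows two things a rules updater should not do: report "update finished" when the requested snapshot (here 2941) was never obtainable, and extract the tarball into the wrong directory (comment #1 notes the archive already contains rules/, so the target is /usr/local/etc/snort/, not .../rules). The shell functions below are an added example written for this page, not code from the pfSense Snort package or from snort.org. They assume a local directory holding snortrules-snapshot-<ver>.tar.gz files with a sidecar snortrules-snapshot-<ver>.tar.gz.md5 whose first word is the hex digest (constructed layout; a real run would populate it from the download step, and a version not yet released to registered users simply never appears there). The updater tries the candidate versions newest-first, installs only a snapshot whose digest verifies, and exits non-zero when nothing usable is found, so stale rules cannot masquerade as a successful update.

```shell
#!/bin/sh
# Added example, not pfSense/Snort package code.
# Pick the newest rule snapshot that is actually present and verifies,
# extract it so that the archive's rules/ lands inside the Snort config
# directory, and fail loudly instead of reporting success when nothing
# usable exists.

# md5_of <file>: print the hex MD5 of a file. Uses coreutils md5sum on
# Linux and falls back to md5 on FreeBSD/macOS.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_snapshot <tarball>: return 0 only if both the tarball and its
# .md5 sidecar exist and the sidecar's digest (assumed to be the first
# word of the file) matches the tarball's actual MD5.
verify_snapshot() {
    tarball=$1
    [ -f "$tarball" ] && [ -f "$tarball.md5" ] || return 1
    expected=$(cut -d' ' -f1 < "$tarball.md5" | tr 'A-F' 'a-f')
    actual=$(md5_of "$tarball")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# install_rules <snapshot_dir> <snort_etc_dir> <ver>...: try the versions
# in the order given (newest first), install the first one that verifies,
# and print the version that was installed. Returns 1 and prints a
# diagnostic on stderr if no snapshot verified, so callers cannot mistake
# a missing or corrupt download for "rules are up to date".
install_rules() {
    snapdir=$1; etcdir=$2; shift 2
    for ver in "$@"; do
        tarball="$snapdir/snortrules-snapshot-$ver.tar.gz"
        if verify_snapshot "$tarball"; then
            mkdir -p "$etcdir"
            # The archive contains rules/..., so extract into the parent
            # directory (see comment #1 above), not into .../rules.
            tar -xzf "$tarball" -C "$etcdir" || return 1
            echo "$ver"
            return 0
        fi
        echo "snapshot $ver not available or failed MD5 check" >&2
    done
    echo "no usable rule snapshot found; rules NOT updated" >&2
    return 1
}

# Stand-alone usage: ./update_rules.sh <snapshot_dir> <snort_etc_dir> <ver>...
# e.g. ./update_rules.sh /tmp/snapshots /usr/local/etc/snort 2941 2940
if [ $# -ge 3 ]; then
    install_rules "$@"
fi
```

The order of the version arguments encodes the fallback comment #3 applied by hand (2941 first, then 2940); the difference is that a version that is unavailable or fails its checksum produces a stderr line and a non-zero exit instead of the silent "Rules update has finished" seen in the log above.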

Actions #4

Updated by Jim Pingle over 11 years ago

  • Status changed from New to Resolved

This resolved itself once the proper rules were open to all.
