Bug #2902
Snort does not update snort.org (basic?) rules. Possibly clock blocking by snort.org for basic subscribers.
Status: Closed
Description
Snort 2.9.4.1 pkg v. 2.5.4 on 2.1-BETA1 (i386) built on Fri Mar 22 22:56:09 EDT 2013
I've tested and found this problem repeatable over several nightly snapshots and on two machines (with different, but both verified valid oinkcodes) on different networks and many load attempts - there seems to be something wrong with the snort.org update process and there's no real indication in the logs what the problem is. It may be that most testing is done by snort subscribers and as a "basic" snort user I'm getting suboptimal behavior:
Updates tab, initiate update
Seems normal:
Update proceeds but terminates too quickly
On my slow Iraqi connection, there's no way 21MB of rules downloaded, but there's no indication of a problem:
No update actually performed
Checking back, no update is performed on snort.org. Emerging threats updates as expected.
Log data
(note: reverse chronological order)
Mar 23 17:58:32 php: /snort/snort_download_rules.php: The Rules update has finished...
Mar 23 17:58:32 php: /snort/snort_download_rules.php: Emerging threat rules are up to date...
Mar 23 17:58:31 php: /snort/snort_download_rules.php: Please wait... You may only check for New Rules every 15 minutes...
Mar 23 17:58:31 php: /snort/snort_download_rules.php: Snort MD5 Attempts: 5
Mar 23 17:52:11 check_reload_status: Syncing firewall
Is it possible the update routine hits snort.org once to get the MD5 file then gets locked out of the basic account for 15 minutes effectively clock blocking the download?
Manual test
I followed these fine instructions and manually updated the rules by downloading them from the web interface at snort.org, using the command prompt file upload tool to move them to the temp directory, then executed
tar -zxvf snortrules-snapshot-2923.tar.gz -C /usr/local/etc/snort/rules
and successfully unpacked them. Alas, snort does not detect them.
Updated by David Gessel over 11 years ago
update
The tar file contains the rules directory, so the correct untar command from the download directory is
tar -zxvf snortrules-snapshot-2923.tar.gz -C /usr/local/etc/snort/
However, the rules, while thoroughly mixed with the emerging threats rules, do not appear in the interface.
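As an added illustration of the point made in the comment above (this is not code from the pfSense Snort package or from anyone in this thread): the snapshot tarball carries a leading rules/ directory, so the -C target has to be the parent of rules/, not rules/ itself, or the files end up in rules/rules/. The script below reads the archive listing and picks the right extraction directory either way, then reports how many .rules files are present. The archives it builds are constructed test data, not real snort.org snapshots, and the function names are my own.

```shell
#!/bin/sh
# Added example: extract a snort.org rules snapshot so the rule files land in
# <snort_dir>/rules whether or not the archive entries are prefixed with "rules/".
# Usage: extract_snort_rules <tarball> <snort_dir>
set -eu

extract_snort_rules() {
    tarball=$1
    snort_dir=$2
    # Look at the first entry in the archive to learn its layout.
    first=$(tar -tzf "$tarball" | head -n 1)
    case $first in
        rules/*|./rules/*)
            # Archive already carries the rules/ directory: unpack at its parent.
            dest=$snort_dir ;;
        *)
            # Bare rule files: unpack straight into rules/.
            dest=$snort_dir/rules ;;
    esac
    mkdir -p "$snort_dir/rules"
    tar -xzf "$tarball" -C "$dest"
    # Report how many .rules files are now present under rules/.
    find "$snort_dir/rules" -name '*.rules' | wc -l | tr -d ' '
}

# Constructed sample archive shaped like snortrules-snapshot-XXXX.tar.gz
# (a rules/ prefix and two small rule files). Test data, not a real snapshot.
make_sample_tarball() {
    work=$(mktemp -d)
    mkdir -p "$work/rules"
    printf 'alert tcp any any -> any 80 (msg:"sample"; sid:1000001; rev:1;)\n' > "$work/rules/local.rules"
    printf '# constructed placeholder\n' > "$work/rules/other.rules"
    (cd "$work" && tar -czf snortrules-snapshot-sample.tar.gz rules)
    echo "$work/snortrules-snapshot-sample.tar.gz"
}

# Constructed archive without the rules/ prefix, to exercise the other branch.
make_flat_tarball() {
    work=$(mktemp -d)
    mkdir -p "$work/rules"
    printf 'alert tcp any any -> any 80 (msg:"sample"; sid:1000001; rev:1;)\n' > "$work/rules/local.rules"
    printf '# constructed placeholder\n' > "$work/rules/other.rules"
    (cd "$work/rules" && tar -czf ../flat.tar.gz .)
    echo "$work/flat.tar.gz"
}

demo_extract() {
    extract_snort_rules "$(make_sample_tarball)" "$(mktemp -d)"
}

demo_extract_flat() {
    extract_snort_rules "$(make_flat_tarball)" "$(mktemp -d)"
}
```

Both demo functions print 2, the number of rule files that ended up directly under rules/; a wrong -C target would put them in rules/rules/ and the count from the second tree would be 0.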
Updated by Daniel Davis over 11 years ago
Same issue here, have tried the manual update but still no result.
Updated by Daniel Davis over 11 years ago
Issue is that the 2941 rules are not yet available to registered users, only subscribers. Modify the $snort_rules_file variable in /usr/local/pkg/snort/snort.inc to the available version (change 2941 to 2940) and it will work again.
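An added example, not the package's own code, of making the change this comment describes in a checked way. It assumes snort.inc sets the tarball name on a line of the form $snort_rules_file = "snortrules-snapshot-2941.tar.gz"; (an assumption about the file's exact format), refuses to edit unless that line is present, keeps a .bak copy, and reports the version now configured. The snort.inc fragment it writes is constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example: point the Snort package at a rules snapshot version that is
# actually available to registered users, as the comment above describes by hand.
# Assumes snort.inc contains a line like:
#   $snort_rules_file = "snortrules-snapshot-2941.tar.gz";
# Usage: set_snort_rules_version <path to snort.inc> <version, e.g. 2940>
set -eu

set_snort_rules_version() {
    inc=$1
    ver=$2
    # Accept only a four-digit snapshot tag; anything else is a typo.
    case $ver in
        [0-9][0-9][0-9][0-9]) ;;
        *) echo "bad version: $ver" >&2; return 1 ;;
    esac
    # Make sure the assignment is really there before touching the file.
    grep -q '^\$snort_rules_file *= *"snortrules-snapshot-[0-9]*\.tar\.gz";' "$inc" || {
        echo "no \$snort_rules_file assignment found in $inc" >&2; return 1; }
    # Keep a backup and rewrite only the version digits.
    cp "$inc" "$inc.bak"
    sed 's/^\(\$snort_rules_file *= *"snortrules-snapshot-\)[0-9]*\(\.tar\.gz";\)/\1'"$ver"'\2/' \
        "$inc.bak" > "$inc"
    # Print the version now configured so the caller can verify the edit.
    sed -n 's/^\$snort_rules_file *= *"snortrules-snapshot-\([0-9]*\)\.tar\.gz";.*/\1/p' "$inc"
}

# Constructed snort.inc fragment for demonstration; not the real file.
make_sample_inc() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
/* constructed fragment, not the real /usr/local/pkg/snort/snort.inc */
$snort_rules_file = "snortrules-snapshot-2941.tar.gz";
$emergingthreats_filename = "emerging.rules.tar.gz";
EOF
    echo "$f"
}

demo_set_version() {
    set_snort_rules_version "$(make_sample_inc)" 2940
}

demo_reject_bad_version() {
    if set_snort_rules_version "$(make_sample_inc)" 29x 2>/dev/null; then
        echo accepted
    else
        echo rejected
    fi
}
```

demo_set_version prints 2940 after the edit; demo_reject_bad_version prints rejected, showing that a malformed tag never reaches sed.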
Updated by Jim Pingle over 11 years ago
- Status changed from New to Resolved
This resolved itself once the proper rules were open to all.