Bug #2902
closed
Snort does not update snort.org (basic?) rules. Possibly clock blocking by snort.org for basic subscribers.
Description
Snort 2.9.4.1 pkg v. 2.5.4 on 2.1-BETA1 (i386) built on Fri Mar 22 22:56:09 EDT 2013
I've tested and found this problem repeatable over several nightly snapshots and on two machines (with different, but both verified valid oinkcodes) on different networks and many load attempts - there seems to be something wrong with the snort.org update process and there's no real indication in the logs what the problem is. It may be that most testing is done by snort subscribers and as a "basic" snort user I'm getting suboptimal behavior:
Updates tab, initiate update
Seems normal:
Update proceeds but terminates too quickly
On my slow Iraqi connection, there's no way 21MB of rules downloaded, but there's no indication of a problem:
No update actually performed
Checking back, no update is performed on snort.org. Emerging threats updates as expected.
Log data
(note: reverse chronological order)
Mar 23 17:58:32 php: /snort/snort_download_rules.php: The Rules update has finished...
Mar 23 17:58:32 php: /snort/snort_download_rules.php: Emerging threat rules are up to date...
Mar 23 17:58:31 php: /snort/snort_download_rules.php: Please wait... You may only check for New Rules every 15 minutes...
Mar 23 17:58:31 php: /snort/snort_download_rules.php: Snort MD5 Attempts: 5
Mar 23 17:52:11 check_reload_status: Syncing firewall
Is it possible the update routine hits snort.org once to get the MD5 file then gets locked out of the basic account for 15 minutes effectively clock blocking the download?
Manual test
I followed these fine instructions and manually updated the rules by downloading them from the web interface at snort.org, using the command prompt file upload tool to move them to the temp directory, then executed
tar -zxvf snortrules-snapshot-2923.tar.gz -C /usr/local/etc/snort/rules
and successfully unpacked them. Alas, snort does not detect them.
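The log excerpt above shows an update run that logged the 15-minute throttle message and still ended with "The Rules update has finished". The following is an added example, not part of the original report or of the pfSense Snort package, that flags such runs in the system log. It assumes the message format quoted in this report; the function names and the `year` parameter are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: the log lines quoted in the report, oldest first.
SAMPLE_LOG = """\
Mar 23 17:52:11 check_reload_status: Syncing firewall
Mar 23 17:58:31 php: /snort/snort_download_rules.php: Snort MD5 Attempts: 5
Mar 23 17:58:31 php: /snort/snort_download_rules.php: Please wait... You may only check for New Rules every 15 minutes...
Mar 23 17:58:32 php: /snort/snort_download_rules.php: Emerging threat rules are up to date...
Mar 23 17:58:32 php: /snort/snort_download_rules.php: The Rules update has finished...
"""

# Only lines written by the rules updater are of interest.
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\sphp: /snort/snort_download_rules\.php: (.*)$")
THROTTLED = "You may only check for New Rules every 15 minutes"
FINISHED = "The Rules update has finished"
MD5_RE = re.compile(r"Snort MD5 Attempts:\s*(\d+)")


def audit_update_runs(log_text, year=2013):
    """Group updater messages into runs; a run ends at the 'finished' message."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Syslog timestamps carry no year, so one is supplied (assumption).
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    if events and events[0][0] > events[-1][0]:
        events.reverse()  # the log view in the report is newest-first
    runs, cur = [], None
    for ts, msg in events:
        if cur is None:
            cur = {"start": ts, "md5_attempts": None, "throttled": False}
        md5 = MD5_RE.search(msg)
        if md5:
            cur["md5_attempts"] = int(md5.group(1))
        cur["throttled"] = cur["throttled"] or THROTTLED in msg
        if FINISHED in msg:
            cur["end"] = ts
            runs.append(cur)
            cur = None
    return runs


def throttled_runs(runs):
    """Runs that reported completion although the throttle message was logged."""
    return [r for r in runs if r["throttled"]]
```

A run returned by `throttled_runs` reported success in the GUI while the snort.org rules were skipped, so it is worth comparing against the modification times of the files under /usr/local/etc/snort/rules.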