Snort mailing list archives

Re: Subscriber signatures fail to update


From: "Joel Esler (jesler) via Snort-sigs" <snort-sigs () lists snort org>
Date: Wed, 21 Oct 2020 14:53:28 +0000

Hello VJM,

Thanks for the followup.


-- 
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com | https://www.snort.org

On Oct 20, 2020, at 10:59 AM, VJM via Snort-sigs <snort-sigs () lists snort org> wrote:

Hello Joel,
 
Thanks for confirming the successful hits on the server, I think I have solved the issue. What I had to do was do a 
forced update which zeroed out the MD5 hashes and redownloaded the entire set. All seems well now. Here’s the latest 
log after a forced update at 20:14 local time / 14:44 GMT
 
Thanks for your help!
 
Regards,
 
Viv
 
----Begin Log-------
 
Starting rules update...  Time: 2020-10-20 20:14:03
                Downloading Snort Subscriber rules md5 file snortrules-snapshot-29161.tar.gz.md5...
                Checking Snort Subscriber rules md5 file...
                There is a new set of Snort Subscriber rules posted.
                Downloading file 'snortrules-snapshot-29161.tar.gz'...
                Done downloading rules file.
                Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
                Checking Snort OpenAppID detectors md5 file...
                There is a new set of Snort OpenAppID detectors posted.
                Downloading file 'snort-openappid.tar.gz'...
                Done downloading rules file.
                Downloading Snort AppID Open Text Rules md5 file appid_rules.tar.gz.md5...
                Checking Snort AppID Open Text Rules md5 file...
                There is a new set of Snort AppID Open Text Rules posted.
                Downloading file 'appid_rules.tar.gz'...
                Done downloading rules file.
                Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
                Checking Emerging Threats Open rules md5 file...
                There is a new set of Emerging Threats Open rules posted.
                Downloading file 'emerging.rules.tar.gz'...
                Done downloading rules file.
                Extracting and installing Snort Subscriber Ruleset...
                Using Snort Subscriber precompiled SO rules for FreeBSD-11 ...
                Installation of Snort Subscriber rules completed.
                Extracting and installing Snort OpenAppID detectors...
                Installation of Snort OpenAppID detectors completed.
                Extracting and installing Snort AppID Open Text Rules...
                Installation of Snort AppID Open Text Rules completed.
                Extracting and installing Emerging Threats Open rules...
                Installation of Emerging Threats Open rules completed.
                Copying new config and map files...
                Updating rules configuration for: WAN ...
                Updating rules configuration for: WAN2 ...
                Updating rules configuration for: LAN ...
                Updating rules configuration for: WAN3TSBB ...
                Restarting Snort to activate the new set of rules...
                Snort has restarted with your new set of rules.
The Rules update has finished.  Time: 2020-10-20 20:17:51
 
----End Log--------
 
 
From: Snort-sigs <snort-sigs-bounces () lists snort org> On Behalf Of Joel Esler (jesler) via Snort-sigs
Sent: 20 October 2020 19:40
To: VJM <vivekjm () gmail com>
Cc: snort-sigs () lists snort org
Subject: Re: [Snort-sigs] Subscriber signatures fail to update
 
Good morning.
 
I’m looking at the server logs for that IP and I see a successful check for the md5 of the openappid file and I see 
a successful download of the 29161 rules file.
 
Then I used your oinkcode and looked for traffic, and I see nothing but successful (200 code) hits to all the files 
involved from your various IPs.
 
From our perspective, you’re fine.
 
-- 
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com | https://www.snort.org


On Oct 19, 2020, at 10:14 AM, VJM via Snort-sigs <snort-sigs () lists snort org> wrote:
 
My pfSense Netgate router gets a CG-NAT IP once authentication is complete via PPP. I can request the ISP for a v6 
address which would likely be a public one. Anyway, I tried a manual update and it failed again. My IP address is 
103.208.71.114. Can you please check the server log? Here’s the log extract at 19:27 IST / 13:57 GMT,
 
Starting rules update...  Time: 2020-10-19 19:27:23
                Downloading Snort Subscriber rules md5 file snortrules-snapshot-29161.tar.gz.md5...
                Snort Subscriber rules md5 download failed.
                Server returned error code 0.
                Server error message was: 
                Snort Subscriber rules will not be updated.
                Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
                Snort OpenAppID detectors md5 download failed.
                Server returned error code 0.
                Server error message was: 
                Snort OpenAppID detectors will not be updated.
                Downloading Snort AppID Open Text Rules md5 file appid_rules.tar.gz.md5...
                Snort AppID Open Text Rules md5 download failed.
                Server returned error code 0.
                Server error message was: 
                Snort AppID Open Text Rules will not be updated.
                Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
                Emerging Threats Open rules md5 download failed.
                Server returned error code 0.
                Server error message was: 
                Emerging Threats Open rules will not be updated.
The Rules update has finished.  Time: 2020-10-19 19:31:24
 
Best regards,
 
Viv
 
 
From: Snort-sigs <snort-sigs-bounces () lists snort org> On Behalf Of Joel Esler (jesler) via Snort-sigs
Sent: 19 October 2020 18:06
To: VJM <vivekjm () gmail com>
Cc: snort-sigs () lists snort org
Subject: Re: [Snort-sigs] Subscriber signatures fail to update
 
I don’t see any attempts from that IP to hit Snort.org in the past 72 hours.  So it looks like 
you are being blocked well before hitting our web server.  Do you have a proxy in the way?



On Oct 19, 2020, at 3:19 AM, VJM via Snort-sigs <snort-sigs () lists snort org> wrote:
 
Thanks for your reply. My pfSense router gets a dynamic IPv4 address from the ISP. The current IP address is 
103.208.71.114. A recent update failed today at 12:10 pm or 6:40 am GMT (my local time zone is GMT +5:30). 
 
This is the current log entry from the update attempt:
 
Starting rules update...  Time: 2020-10-19 12:10:31
                Downloading Snort Subscriber rules md5 file snortrules-snapshot-29161.tar.gz.md5...
                Snort Subscriber rules md5 download failed.
                Server returned error code 0.
                Server error message was: 
                Snort Subscriber rules will not be updated.
                Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
                Snort OpenAppID detectors md5 download failed.
                Server returned error code 0.
                Server error message was: 
                Snort OpenAppID detectors will not be updated.
                Downloading Snort AppID Open Text Rules md5 file appid_rules.tar.gz.md5...
                Snort AppID Open Text Rules md5 download failed.
                Server returned error code 0.
                Server error message was: 
                Snort AppID Open Text Rules will not be updated.
                Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
                Emerging Threats Open rules md5 download failed.
                Server returned error code 0.
                Server error message was: 
                Emerging Threats Open rules will not be updated.
The Rules update has finished.  Time: 2020-10-19 12:14:32
 
Best regards,
 
Viv
 
From: Snort-sigs <snort-sigs-bounces () lists snort org> On Behalf Of Joel Esler (jesler) via Snort-sigs
Sent: 19 October 2020 02:22
To: VJM <vivekjm () gmail com>
Cc: snort-sigs () lists snort org
Subject: Re: [Snort-sigs] Subscriber signatures fail to update
 
Can you give me the IP I should see at the server?

Sent from my  iPhone




On Oct 17, 2020, at 09:29, VJM via Snort-sigs <snort-sigs () lists snort org> wrote:

 
Hello,
 
I use Snort on pfSense 2.4.5 and noticed the Snort subscriber updates fail to install. Snort has been set to 
update every 12 hours at 10 minutes past the hour. Is there a geo-block on the update server? My ISP is Tata-Sky 
based out of Mumbai, India. The log entries show “Server returned error code 0”:
 
Starting rules update...  Time: 2020-10-16 12:10:04
                Downloading Snort Subscriber rules md5 file snortrules-snapshot-29161.tar.gz.md5...
                Snort Subscriber rules md5 download failed.
                Server returned error code 0.
                Server error message was: 
                Snort Subscriber rules will not be updated.
                Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
                Snort OpenAppID detectors md5 download failed.
                Server returned error code 0.
                Server error message was: 
                Snort OpenAppID detectors will not be updated.
                Downloading Snort AppID Open Text Rules md5 file appid_rules.tar.gz.md5...
                Snort AppID Open Text Rules md5 download failed.
                Server returned error code 0.
                Server error message was: 
                Snort AppID Open Text Rules will not be updated.
                Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
                Emerging Threats Open rules md5 download failed.
                Server returned error code 0.
                Server error message was: 
                Emerging Threats Open rules will not be updated.
The Rules update has finished.  Time: 2020-10-16 12:14:05
 
Any help will be appreciated.
 
Best regards,
 
Viv
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
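
An added example, not from the thread or from the pfSense Snort package: a small Python parser for the update-log format quoted above that reports which rule sets have gone without a successful install, so that repeated "error code 0" runs are noticed instead of silently leaving signatures stale. The function names, the 24-hour threshold and the sample log are constructed for illustration, and only the log messages that appear in this thread are matched.

```python
import re
from datetime import datetime, timedelta
# Constructed sample, abridged to the line types seen in the logs in this thread.
SAMPLE_LOG = """\
Starting rules update...  Time: 2020-10-19 12:10:31
    Snort Subscriber rules md5 download failed.
    Server returned error code 0.
    Emerging Threats Open rules md5 download failed.
    Server returned error code 0.
The Rules update has finished.  Time: 2020-10-19 12:14:32
Starting rules update...  Time: 2020-10-20 20:14:03
    Installation of Snort Subscriber rules completed.
    Emerging Threats Open rules md5 download failed.
    Server returned error code 0.
The Rules update has finished.  Time: 2020-10-20 20:17:51
"""
START = re.compile(r"Starting rules update\.\.\.\s+Time: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
FAILED = re.compile(r"^\s*(.+?) md5 download failed\.")
ERRCODE = re.compile(r"Server returned error code (\d+)\.")
INSTALLED = re.compile(r"^\s*Installation of (.+?) completed\.")

def parse_runs(text):
    """Return [(start_time, {ruleset: 'installed' or 'failed:<code>'})] per update run."""
    runs, pending = [], None
    for line in text.splitlines():
        if m := START.search(line):
            runs.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), {}))
            pending = None
        elif not runs:
            continue  # ignore anything before the first run header
        elif m := FAILED.match(line):
            pending = m.group(1)
            runs[-1][1][pending] = "failed:?"  # the code arrives on the next line
        elif (m := ERRCODE.search(line)) and pending:
            runs[-1][1][pending], pending = "failed:" + m.group(1), None
        elif m := INSTALLED.match(line):
            runs[-1][1][m.group(1)] = "installed"
    return runs

def stale_rulesets(runs, now, max_age=timedelta(hours=24)):
    """Map each stale rule set to its last successful install time (None if never)."""
    last_ok, seen = {}, set()
    for when, status in runs:
        for name, state in status.items():
            seen.add(name)
            if state == "installed":
                last_ok[name] = when
    return {n: last_ok.get(n) for n in sorted(seen)
            if n not in last_ok or now - last_ok[n] > max_age}
```

Timestamps in the log are the firewall's local time, so `now` should be passed in the same zone.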