OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Ultra on January 04, 2020, 02:09:05 AM

Title: Snort Rules - not installed
Post by: Ultra on January 04, 2020, 02:09:05 AM
Hi guys,
first I really appreciate your help. Thanks for your time in trying to solve my problem.

I will make it short.

As you can see in the screenshot, I have trouble installing the Snort rules. These rules are enabled but somehow not installed. I really don't know what's wrong.

What I've done so far:
- installed plugin "os-intrusion-detection-content-snort-vrt"
- got Oink code from Snort
- set Oink code in Opnsense
- checked all HW-Offloading settings in "Interfaces: Settings"
  - Disable hardware checksum offload
  - Disable hardware TCP segmentation offload
  - Disable hardware large receive offload

Please help me to enable the Snort rules. I have no trouble with the other available rulesets:
- ET Pro Telemetry Edition (os-etpro-telemetry)
- IDS PT Research ruleset (only for non-commercial use) (os-intrusion-detection-content-pt-open)

https://ibb.co/SrQp0jv
Title: Re: Snort Rules - not installed
Post by: julien_ on January 10, 2020, 02:31:38 PM
Same issue with the latest version, see attachments.

Maybe the python upgrade caused the scripts to fail?

See Log:

Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 kernel: hn1: a looped back NS message is detected during DAD for fe80:6::215:5dff:fe00:8431. Another DAD probes are being sent.
Jan 10 14:36:54 kernel: hn0: a looped back NS message is detected during DAD for fe80:5::215:5dff:fe00:8430. Another DAD probes are being sent.
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:53 /rule-updater.py: download completed for https://urlhaus.abuse.ch/downloads/ids/
Jan 10 14:36:52 /rule-updater.py: download completed for https://feodotracker.abuse.ch/downloads/feodotracker.rules
Jan 10 14:36:52 /rule-updater.py: download completed for https://sslbl.abuse.ch/blacklist/sslipblacklist.rules
Jan 10 14:36:52 /rule-updater.py: download completed for https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules
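The log quoted above mixes successful and failed rule downloads with unrelated kernel noise, and the failed lines carry the oinkcode in the URL. The following script is an added example (not code from the thread or from the OPNsense project): it parses lines in the layout shown above, redacts the oinkcode query parameter before anything is printed or stored, counts failures per rules URL, explains the HTTP status using generic HTTP semantics (429 is "too many requests", i.e. rate limiting; 404 is "not found"), and pulls the snapshot version out of the requested file name, since later posts in this thread turn on whether that file name still exists on snort.org. The regular expression and the sample lines are modelled on the quoted log and are assumptions about the log format, not a documented interface of the rule updater.

```python
"""Summarise OPNsense rule-updater log lines: which rule sources completed,
which failed and with what HTTP status, with the oinkcode redacted.
Added example; the log layout is inferred from the lines quoted in the thread."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample, modelled on the log quoted above (the oinkcode is
# already masked with X's there). The kernel DAD line is unrelated noise
# that the parser has to skip.
SAMPLE_LOG = """\
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (http_code: 429)
Jan 10 14:36:54 kernel: hn1: a looped back NS message is detected during DAD for fe80:6::215:5dff:fe00:8431. Another DAD probes are being sent.
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:53 /rule-updater.py: download completed for https://urlhaus.abuse.ch/downloads/ids/
Jan 10 14:36:52 /rule-updater.py: download completed for https://feodotracker.abuse.ch/downloads/feodotracker.rules
"""

# Assumed line layout: "<Mon dd HH:MM:SS> /rule-updater.py: download <status> for <url>[ ](http_code: N)"
# The "(http_code: N)" suffix is optional and, as in the quoted log, may or may
# not be separated from the URL by a space.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) /rule-updater\.py: "
    r"download (?P<status>completed|failed) for (?P<url>\S+?)"
    r"\s*(?:\(http_code: (?P<code>\d+)\))?$"
)
SNAPSHOT_RE = re.compile(r"snortrules-snapshot-(\d+)\.tar\.gz")

# Generic HTTP meanings, not OPNsense- or snort.org-specific messages.
HTTP_HINTS = {
    "429": "too many requests: the server is rate limiting this client; wait before retrying",
    "404": "not found: the requested rules file name may no longer exist on the server",
}


def redact_oinkcode(url: str) -> str:
    """Replace the oinkcode query value so it never reaches a report or ticket."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = [(k, "REDACTED" if k == "oinkcode" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def parse_line(line: str):
    """Return a dict for a rule-updater download line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["url"] = redact_oinkcode(rec["url"])
    snap = SNAPSHOT_RE.search(rec["url"])
    rec["snapshot"] = snap.group(1) if snap else None
    return rec


def summarize(log_text: str) -> dict:
    """Group download outcomes per (redacted) URL."""
    completed = []
    failed = defaultdict(lambda: {"count": 0, "codes": set(), "snapshot": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "completed":
            if rec["url"] not in completed:
                completed.append(rec["url"])
        else:
            entry = failed[rec["url"]]
            entry["count"] += 1
            if rec["code"]:
                entry["codes"].add(rec["code"])
            entry["snapshot"] = rec["snapshot"]
    return {"completed": completed, "failed": dict(failed)}


def report(log_text: str) -> str:
    """Human-readable summary; the oinkcode is already redacted by summarize()."""
    summary = summarize(log_text)
    out = [f"OK      {url}" for url in summary["completed"]]
    for url, entry in summary["failed"].items():
        hints = "; ".join(HTTP_HINTS.get(c, f"http {c}") for c in sorted(entry["codes"]))
        out.append(f"FAILED  {url} x{entry['count']} ({hints})")
        if entry["snapshot"]:
            out.append(f"        requested snapshot {entry['snapshot']}: compare with the "
                       f"file names currently listed on the rules download page")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against the General system log (System: Log Files) to get one line per rule source instead of a wall of repeated failures; a 429 with a valid oinkcode points at rate limiting rather than a credential problem, while the extracted snapshot number is what you compare against the file names on the download page.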
Title: Re: Snort Rules - not installed
Post by: Ultra on January 13, 2020, 09:26:01 PM
I've updated to the latest version 19.7.9 (installed) and now it works as expected!
Title: Re: Snort Rules - not installed on 20.1.3
Post by: tech394 on April 01, 2020, 06:33:41 AM
Thank you for the great forum and all the help. First post here. I'm having a very similar issue as the op on this thread with the SNORT rules not downloading, only on Opnsense 20.1.3-amd64.

Configs:
snort_vrt.oinkcode = valid oinkcode from snort.org
snort_vrt.rulesfile = snortrules-snapshot-2990.tar.gz

Theory?
On snort.org, I see in the download section these which seem close:
snortrules-snapshot-2983.tar.gz
snortrules-snapshot-3000.tar.gz

I don't see snortrules-snapshot-2990.tar.gz.
Could it be that this 2990 is no longer available?

Any tips or pointers on what's wrong here, or how to check a log on this?

Thanks in advance!

Title: Re: Snort Rules - not installed
Post by: guest23448 on April 01, 2020, 09:59:43 AM
I am on 20.1.3-amd64 using snapshot-3000. Downloads are working as far as I can check this in the logs (System Logs / General) and it looks fine in the IPS/Downloads tab.
Title: Re: Snort Rules - not installed on 20.1.3
Post by: SolarAxix on April 05, 2020, 12:15:53 AM
Quote from: tech394 on April 01, 2020, 06:33:41 AM
Thank you for the great forum and all the help. First post here. I'm having a very similar issue as the op on this thread with the SNORT rules not downloading, only on Opnsense 20.1.3-amd64.

Configs:
snort_vrt.oinkcode = valid oinkcode from snort.org
snort_vrt.rulesfile = snortrules-snapshot-2990.tar.gz

Theory?
On snort.org, I see in the download section these which seem close:
snortrules-snapshot-2983.tar.gz
snortrules-snapshot-3000.tar.gz

I don't see snortrules-snapshot-2990.tar.gz.
Could it be that this 2990 is no longer available?

Any tips or pointers on what's wrong here, or how to check a log on this?

Thanks in advance!
Same issue here. I did try changing the snapshot to snortrules-snapshot-29151.tar.gz, but it made no difference. This is also on OPNsense 20.1.3-amd64.

ET telemetry and abuse.ch are downloading without any issues.

Title: Re: Snort Rules - not installed
Post by: scyto on April 20, 2020, 09:09:28 AM
Changing to snortrules-snapshot-29160.tar.gz fixed this for me.
Title: Re: Snort Rules - not installed
Post by: pkernstock on April 21, 2020, 02:11:04 AM
Just had the same issue with 20.1.4. Snortrules version by @scyto worked for me as well.
Title: Re: Snort Rules - not installed
Post by: hushcoden on May 03, 2020, 11:24:42 PM
Hello,

I've just enabled the IDS/IPS and by enabling all the default 'Rulesets' I get more than 57K rules and I haven't installed the snort plugin, so my question is: if I use snort, do I also need all those other Rulesets or can I just keep snort?

Tia.
Title: Re: Snort Rules - not installed
Post by: scotth on August 28, 2020, 07:02:26 AM
I had problems downloading rules until I realised that the links are posted in two places on the site and unfortunately posting one version didn't work with a "cut and paste".
Title: Re: Snort Rules - not installed
Post by: madj42 on August 29, 2020, 12:40:11 AM
Thanks for posting the fix!  Just an FYI, it looks like snortrules-snapshot-29161.tar.gz also works.
Title: Re: Snort Rules - not installed
Post by: hushcoden on September 04, 2020, 12:32:13 PM
Quick one: do I have to manually type the snort_vrt.rulesfile any time there is a new version, or is there a way for OPNsense to update that automatically?
Title: Re: Snort Rules - not installed
Post by: tudou on September 05, 2020, 02:25:11 PM
The Snort Rules: ET Pro and Snort VRT are not installed
Error info:
Error reconfiguring IDS
Error(1)

The same with me, need latest config for Intrusion Detection and Prevention.
Thank you!
Title: Re: Snort Rules - not installed
Post by: kinch on March 10, 2021, 05:41:31 PM
mistake, sorry
Title: Re: Snort Rules - not installed
Post by: kinch on March 10, 2021, 05:42:46 PM
Quote from: hushcoden on September 04, 2020, 12:32:13 PM
Quick one: do I have to manually type the snort_vrt.rulesfile any time there is a new version, or is there a way for OPNsense to update that automatically?

Good question, it looks like you have to update the string by yourself. If OPNsense updates the file string, they do it rarely.

Between 29151 and 2983 (2021-03-10) there are 4 versions.
Title: Re: Snort Rules - not installed
Post by: hushcoden on March 10, 2021, 08:00:10 PM
Can you use the ruleset for snort v3.0 ? Any benefits in comparison with the v2.9 rules?