Snort Rules - not installed

Started by Ultra, January 04, 2020, 02:09:05 AM

Hi guys,
first I really appreciate your help. Thanks for your time in trying to solve my problem.

I will make it short.

As you can see in the screenshot, I have trouble installing the Snort rules. These rules are enabled but somehow not installed. I really don't know what's wrong.

What I've done so far:
- installed plugin "os-intrusion-detection-content-snort-vrt"
- got Oink code from Snort
- set Oink code in Opnsense
- checked all HW-Offloading settings in "Interfaces: Settings"
  - Disable hardware checksum offload
  - Disable hardware TCP segmentation offload
  - Disable hardware large receive offload

Please help me to enable the Snort rules. I have no trouble with the other available rulesets:
- ET Pro Telemetry Edition (os-etpro-telemetry)
- IDS PT Research ruleset (only for non-commercial use) (os-intrusion-detection-content-pt-open)

https://ibb.co/SrQp0jv

January 10, 2020, 02:31:38 PM #1 Last Edit: January 10, 2020, 02:41:12 PM by julien_
Same issue with the latest version, see attachments.

Maybe the python upgrade caused the scripts to fail?

See Log:

Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 kernel: hn1: a looped back NS message is detected during DAD for fe80:6::215:5dff:fe00:8431. Another DAD probes are being sent.
Jan 10 14:36:54 kernel: hn0: a looped back NS message is detected during DAD for fe80:5::215:5dff:fe00:8430. Another DAD probes are being sent.
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:53 /rule-updater.py: download completed for https://urlhaus.abuse.ch/downloads/ids/
Jan 10 14:36:52 /rule-updater.py: download completed for https://feodotracker.abuse.ch/downloads/feodotracker.rules
Jan 10 14:36:52 /rule-updater.py: download completed for https://sslbl.abuse.ch/blacklist/sslipblacklist.rules
Jan 10 14:36:52 /rule-updater.py: download completed for https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules
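Added example, not code from the thread or from the OPNsense updater: a small Python triage pass over rule-updater.py log lines like the ones quoted above. The sample lines are constructed to mirror that output, with one extra 404 line (and a fake, unmasked oinkcode) added to show the other failure this thread runs into, a snapshot name that snort.org no longer offers. The oinkcode is redacted before anything is reported, because the code alone grants download access for the account it belongs to. HTTP status meanings are the standard ones; the remedies attached to them are the ones suggested in this thread.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample, modelled on the /rule-updater.py lines quoted in the thread.
# The 404 line and the unmasked (fake) oinkcode on it are made up for the example.
SAMPLE_LOG = """\
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX(http_code: 429)
Jan 10 14:36:54 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (http_code: 429)
Jan 10 14:36:54 kernel: hn1: a looped back NS message is detected during DAD for fe80:6::215:5dff:fe00:8431. Another DAD probes are being sent.
Jan 10 14:36:53 /rule-updater.py: download completed for https://urlhaus.abuse.ch/downloads/ids/
Jan 10 14:36:52 /rule-updater.py: download completed for https://feodotracker.abuse.ch/downloads/feodotracker.rules
Jan 10 14:36:51 /rule-updater.py: download failed for https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=0123456789abcdef0123456789abcdef01234567 (http_code: 404)
"""

# One updater line: syslog timestamp, status, URL, optional "(http_code: NNN)" tail.
# The tail sometimes follows the URL without a space, so \s* is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) /rule-updater\.py: "
    r"download (?P<status>completed|failed) for (?P<url>\S+?)"
    r"(?:\s*\(http_code: (?P<code>\d+)\))?$"
)

# Standard HTTP semantics, paired with the remedy that fits the OPNsense updater.
ADVICE = {
    "429": "Too Many Requests: snort.org is rate limiting this oinkcode. Wait before "
           "retrying; re-running the download by hand in a loop only extends the block.",
    "404": "Not Found: that snapshot file name is no longer offered. Point "
           "snort_vrt.rulesfile at a snapshot currently listed on snort.org.",
    "403": "Forbidden: the oinkcode was rejected. Re-check the code pasted into the plugin.",
}


def redact_oinkcode(url: str) -> str:
    """Replace the oinkcode query value so the URL can be logged or shared safely."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    query = [(k, "REDACTED" if k == "oinkcode" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def parse_updater_log(text: str) -> list[dict]:
    """Extract rule-updater events; kernel and other daemon lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": m["ts"],
            "status": m["status"],
            "url": redact_oinkcode(m["url"]),
            "host": urlsplit(m["url"]).hostname,
            "code": m["code"],
        })
    return events


def triage(events: list[dict]) -> list[dict]:
    """Collapse repeated failures per (redacted URL, status code) and attach advice."""
    counts: Counter = Counter()
    for ev in events:
        if ev["status"] == "failed":
            counts[(ev["url"], ev["code"] or "unknown")] += 1
    return [
        {"url": url, "http_code": code, "attempts": n,
         "advice": ADVICE.get(code, "Unexpected HTTP status; inspect the URL manually.")}
        for (url, code), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    for finding in triage(parse_updater_log(SAMPLE_LOG)):
        print(f"{finding['attempts']}x HTTP {finding['http_code']} {finding['url']}")
        print(f"    {finding['advice']}")
```

On a real box the input would be the output of the System: Log Files view filtered on rule-updater, pasted or piped into parse_updater_log(); nothing here talks to snort.org, so it cannot itself trip the rate limit.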

I've updated to the latest version 19.7.9 (installed) and now it works as expected!

April 01, 2020, 06:33:41 AM #3 Last Edit: April 01, 2020, 06:42:00 AM by tech394
Thank you for the great forum and all the help. First post here. I'm having a very similar issue to the OP's on this thread with the Snort rules not downloading, only on OPNsense 20.1.3-amd64.

Configs:
snort_vrt.oinkcode = valid oinkcode from snort.org
snort_vrt.rulesfile = snortrules-snapshot-2990.tar.gz

Theory?
On snort.org, I see in the download section these which seem close:
snortrules-snapshot-2983.tar.gz
snortrules-snapshot-3000.tar.gz

I don't see snortrules-snapshot-2990.tar.gz.
Could it be that this 2990 is no longer available?

Any tips or pointers on what's wrong here, or how to check a log on this?

Thanks in advance!


I am on 20.1.3-amd64 using snapshot-3000. Downloads are working as far as I can check in the logs (System Logs / General), and it looks fine in the IPS/Downloads tab.

April 05, 2020, 12:15:53 AM #5 Last Edit: April 05, 2020, 12:22:55 AM by SolarAxix
Quote from: tech394 on April 01, 2020, 06:33:41 AM
Thank you for the great forum and all the help. First post here. I'm having a very similar issue to the OP's on this thread with the Snort rules not downloading, only on OPNsense 20.1.3-amd64.

Configs:
snort_vrt.oinkcode = valid oinkcode from snort.org
snort_vrt.rulesfile = snortrules-snapshot-2990.tar.gz

Theory?
On snort.org, I see in the download section these which seem close:
snortrules-snapshot-2983.tar.gz
snortrules-snapshot-3000.tar.gz

I don't see snortrules-snapshot-2990.tar.gz.
Could it be that this 2990 is no longer available?

Any tips or pointers on what's wrong here, or how to check a log on this?

Thanks in advance!

Same issue here. I did try changing the snapshot to snortrules-snapshot-29151.tar.gz, but it made no difference. This is also on OPNsense 20.1.3-amd64.

ET telemetry and abuse.ch are downloading without any issues.


Changing to snortrules-snapshot-29160.tar.gz fixed this for me.

Just had the same issue with 20.1.4. Snortrules version by @scyto worked for me as well.

Hello,

I've just enabled the IDS/IPS, and by enabling all the default 'Rulesets' I get more than 57K rules. I haven't installed the Snort plugin, so my question is: if I use Snort, do I also need all those other rulesets, or can I just keep Snort?

Tia.

I had problems downloading rules until I realised that the links are posted in two places on the site, and unfortunately one version didn't work with a "cut and paste".

Thanks for posting the fix!  Just an FYI, it looks like snortrules-snapshot-29161.tar.gz also works.

Quick one: do I have to manually type the snort_vrt.rulesfile any time there is a new version, or is there a way for OPNsense to update that automatically?

September 05, 2020, 02:25:11 PM #12 Last Edit: September 12, 2020, 06:14:18 AM by tudou
The Snort rules ET Pro and Snort VRT are not installed.
Error info:
Error reconfiguring IDS
Error(1)

The same with me, need latest config for Intrusion Detection and Prevention.
Thank you!

March 10, 2021, 05:41:31 PM #13 Last Edit: March 10, 2021, 05:43:17 PM by kinch
mistake, sorry

Quote from: hushcoden on September 04, 2020, 12:32:13 PM
Quick one: do I have to manually type the snort_vrt.rulesfile any time there is a new version, or is there a way for OPNsense to update that automatically?

Good question, it looks like you have to update the string yourself. If OPNsense updates the file string, they do it rarely.

Between 29151 and 2983 (2021-03-10) there are 4 versions.
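Added example, not OPNsense code: helpers that turn a Snort version into the snapshot file name expected in snort_vrt.rulesfile and back, check whether the configured name is still in a listing, and pick the newest name for the installed major version. The naming rule (drop the dots from major.minor.patch.build, so 2.9.16.1 becomes snortrules-snapshot-29161.tar.gz) is inferred from the names that appear in this thread and reproduces every one of them; the inverse assumes one-digit major, minor and build fields, which also holds for all of them. The listing is constructed from those names plus one unrelated file, not fetched from snort.org.

```python
from __future__ import annotations

import re

SNAPSHOT_RE = re.compile(r"^snortrules-snapshot-(\d{4,5})\.tar\.gz$")

# Constructed listing: snapshot names mentioned in this thread plus one
# non-snapshot file, standing in for what the snort.org downloads page shows.
LISTING = [
    "snortrules-snapshot-2983.tar.gz",
    "snortrules-snapshot-3000.tar.gz",
    "snortrules-snapshot-29151.tar.gz",
    "snortrules-snapshot-29160.tar.gz",
    "snortrules-snapshot-29161.tar.gz",
    "community-rules.tar.gz",
]


def snapshot_filename(version: str) -> str:
    """'2.9.16.1' -> 'snortrules-snapshot-29161.tar.gz' (dots dropped)."""
    fields = version.split(".")
    if len(fields) != 4 or not all(f.isdigit() for f in fields):
        raise ValueError(f"expected major.minor.patch.build, got {version!r}")
    return f"snortrules-snapshot-{''.join(fields)}.tar.gz"


def snapshot_version(filename: str) -> tuple[int, int, int, int]:
    """Inverse of snapshot_filename. Assumes one-digit major, minor and build
    fields, so the patch level is whatever sits between ('29151' -> 2.9.15.1)."""
    m = SNAPSHOT_RE.match(filename)
    if not m:
        raise ValueError(f"not a snapshot file name: {filename!r}")
    d = m.group(1)
    return int(d[0]), int(d[1]), int(d[2:-1]), int(d[-1])


def is_available(filename: str, listing: list[str]) -> bool:
    """True when the exact name the updater will request is still offered."""
    return filename in listing


def newest_snapshot(listing: list[str], major: int | None = None) -> str:
    """Highest snapshot version in the listing, optionally restricted to one
    major version (the 2.9.x and 3.x snapshots target different Snort engines)."""
    cands = []
    for name in listing:
        if not SNAPSHOT_RE.match(name):
            continue  # community rules and other files are not versioned snapshots
        ver = snapshot_version(name)
        if major is None or ver[0] == major:
            cands.append((ver, name))
    if not cands:
        raise LookupError("no matching snapshot in listing")
    return max(cands)[1]


if __name__ == "__main__":
    current = "snortrules-snapshot-2990.tar.gz"  # the value from the config quoted above
    if not is_available(current, LISTING):
        print(f"{current} is not offered; set snort_vrt.rulesfile to "
              f"{newest_snapshot(LISTING, major=2)}")
```

Pass the names shown on the snort.org downloads page as the listing, and the Snort major version your OPNsense plugin runs as major, to get the exact string to paste into snort_vrt.rulesfile whenever the thread's manual update becomes necessary.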