[prev in list] [next in list] [prev in thread] [next in thread]
List: snort-sigs
Subject: Re: [Snort-sigs] Subscription Rule Download Fails
From: "Kim Premuda" <kim () armsd ! com>
Date: 2020-07-06 22:08:57
Message-ID: 003501d653e2$0c30b000$24921000$ () armsd ! com
[Download RAW message or body]
This is a multipart message in MIME format.
[Attachment #2 (multipart/related)]
This is a multipart message in MIME format.
[Attachment #4 (multipart/alternative)]
Hello, Joel.
I was looking for the definition of 422 and could not find one. So, thank you for \
that. And, you are correct…the filename I entered was wrong having an extra hyphen. \
Lately, I have been doing a fair amount of coding in CSS .less, and, most likely, \
introduced the extra hyphen without realizing that I did it.
Someone else pointed out that Suricata and the Snort rule set do not mesh well. I \
have the option in pfSense to uninstall the Suricata service and install the Snort \
service. I may experiment with both systems to see which one works best for us.
Thanks for your help!
Kim W. Premuda
*619-596-9404 Office 858-487-1400 Cell * <mailto:kim@armsd.com> kim@armsd.com \
* <http://www.armsd.com/> www.armsd.com
From: Joel Esler (jesler) <jesler@cisco.com>
Sent: Monday, July 6, 2020 5:39 AM
To: Kim Premuda <kim@armsd.com>
Cc: snort-sigs@lists.snort.org
Subject: Re: [Snort-sigs] Subscription Rule Download Fails
Hello Kim,
422 means the file doesn't exist, your filename looks to be wrong. \
snortrules-snapshot-29160.tar.gz should be correct.
Also, Suricata is not fully compatible with the Snort rules language, so your results \
may vary.
--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com | https://www.snort.org
On Jul 4, 2020, at 5:27 PM, Kim Premuda <kim@armsd.com <mailto:kim@armsd.com> > \
wrote:
pfSense 2.4.5
Suricata 5.0.2_3
Snort subscriber rules
I purchased thee $399 rule subscription but seem to be having trouble getting the \
subscription rules to download. A month or so prior to the purchase, I was using the \
Snort GPLv2 Community rules which downloaded/updated with no problem...and still do, \
since I reverted back to them. For the subscription rules in Suricata, I enter the \
following:
Snort Rules Filename: snort-rules-snapshot-29160.tar.gz
Snort Oinkmaster Code: ***************
Install Snort GPLv2 Community rules: disabled
and save the changes. When I update the rules, I get the following log message:
Downloading Snort VRT rules md5 file...
Snort VRT rules md5 download failed.
Server returned error code 422.
Server error message was:
Snort VRT rules will not be updated.
Things that I tried to get the download to work (from various Internet searches):
Disabled all rules except for the Snort subscription rules.
Removed pfBlockerNG (I wasn't using it).
Regenerated the Oinkmaster code.
Restarted Suricata services.
Rebooted pfSense.
I am technically competent, however, pfSense, Suricata, and Snort rules are \
relatively new to me (about 2 months experience). So, I am reaching out for help, \
because I am not understanding why the download fails. Thank you in advance for any \
assistance you may provide.
Kim Premuda
_______________________________________________
Snort-sigs mailing list
<mailto:Snort-sigs@lists.snort.org> Snort-sigs@lists.snort.org
<https://lists.snort.org/mailman/listinfo/snort-sigs> \
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit <http://blog.snort.org/> http://blog.snort.org for the latest news \
about Snort!
Please follow these rules: \
<https://snort.org/faq/what-is-the-mailing-list-etiquette> \
https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit the <http://snort.org/> Snort.org to subscribe to the official Snort ruleset, \
make sure to stay up to date to catch the most <a href=" \
<https://snort.org/downloads/#rule-downloads> \
https://snort.org/downloads/#rule-downloads">emerging threats</a>!
[Attachment #7 (text/html)]
<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type \
content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 \
(filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);} o\:* \
{behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div \
class=WordSection1><p class=MsoNormal><span style='font-size:12.0pt'>Hello, \
Joel.<o:p></o:p></span></p><p class=MsoNormal><span \
style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span \
style='font-size:12.0pt'>I was looking for the definition of 422 and could not find \
one. So, thank you for that. And, you are correct…the filename I entered was wrong \
having an extra hyphen. Lately, I have been doing a fair amount of coding in CSS \
.less, and, most likely, introduced the extra hyphen without realizing that I did \
it.<o:p></o:p></span></p><p class=MsoNormal><span \
style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span \
style='font-size:12.0pt'>Someone else pointed out that Suricata and the Snort rule \
set do not mesh well. I have the option in pfSense to uninstall the Suricata service \
and install the Snort service. I may experiment with both systems to see which one \
works best for us.<o:p></o:p></span></p><p class=MsoNormal><span \
style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span \
style='font-size:12.0pt'>Thanks for your help!<o:p></o:p></span></p><p \
class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><div><p \
class=MsoNormal><span style='font-size:12.0pt'>Kim W. Premuda<o:p></o:p></span></p><p \
class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><img width=163 height=62 \
style='width:1.6979in;height:.6458in' id="_x0030_76d82e8-1778-4ddb-841b-176b0bb1cbaf" \
src="cid:image001.png@01D653A7.5EFB7530"><o:p></o:p></p><p class=MsoNormal><span \
style='font-size:12.0pt;font-family:Wingdings;color:#0F243E'>(</span><span \
style='font-size:12.0pt'>619-596-9404 Office </span><span \
style='color:#2961EF'><img width=18 height=18 style='width:.1875in;height:.1875in' \
id="_x0033_4e16f77-14bb-4f3c-af70-4a8d1513dce2" \
src="cid:image003.png@01D653A6.32FF7F90"></span><span \
style='font-size:12.0pt'>858-487-1400 Cell </span><span \
style='font-size:12.0pt;font-family:Wingdings;color:#0F243E'>*</span><span \
style='font-size:12.0pt'><a href="mailto:kim@armsd.com"><span \
style='color:#0563C1'>kim@armsd.com</span></a> </span><span \
style='font-size:12.0pt;font-family:Wingdings;color:#0F243E'>:</span><span \
style='font-size:12.0pt;color:#0F243E'><a href="http://www.armsd.com/"><span \
style='color:#0563C1'>www.armsd.com</span></a></span><span \
style='font-size:12.0pt'><o:p></o:p></span></p><p \
class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><span \
style='font-size:12.0pt'><o:p> </o:p></span></p><div><div \
style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p \
class=MsoNormal><b>From:</b> Joel Esler (jesler) <jesler@cisco.com> \
<br><b>Sent:</b> Monday, July 6, 2020 5:39 AM<br><b>To:</b> Kim Premuda \
<kim@armsd.com><br><b>Cc:</b> snort-sigs@lists.snort.org<br><b>Subject:</b> Re: \
[Snort-sigs] Subscription Rule Download Fails<o:p></o:p></p></div></div><p \
class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Hello \
Kim,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p \
class=MsoNormal>422 means the file doesn't exist, your filename looks to be wrong. \
snortrules-snapshot-29160.tar.gz should be correct.<o:p></o:p></p></div><div><p \
class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Also, Suricata is \
not fully compatible with the Snort rules language, so your results may \
vary.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p \
class=MsoNormal><o:p> </o:p></p></div><div><p \
class=MsoNormal>-- <o:p></o:p></p></div><div><p class=MsoNormal>Joel \
Esler<o:p></o:p></p></div><div><p class=MsoNormal>Manager, Communities \
Division<o:p></o:p></p></div><div><p class=MsoNormal>Cisco Talos Intelligence \
Group<o:p></o:p></p></div><div><p class=MsoNormal><a \
href="http://www.talosintelligence.com">http://www.talosintelligence.com</a> | <a \
href="https://www.snort.org">https://www.snort.org</a><o:p></o:p></p></div><div><p \
class=MsoNormal><br><br><o:p></o:p></p><blockquote \
style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Jul 4, 2020, \
at 5:27 PM, Kim Premuda <<a href="mailto:kim@armsd.com">kim@armsd.com</a>> \
wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p \
class=MsoNormal><span style='font-size:12.0pt'>pfSense \
2.4.5</span><o:p></o:p></p></div><div><p class=MsoNormal><span \
style='font-size:12.0pt'>Suricata 5.0.2_3</span><o:p></o:p></p></div><div><p \
class=MsoNormal><span style='font-size:12.0pt'>Snort subscriber \
rules</span><o:p></o:p></p></div><div><p class=MsoNormal><span \
style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><p \
class=MsoNormal><span style='font-size:12.0pt'>I purchased thee $399 rule \
subscription but seem to be having trouble getting the subscription rules to \
download. A month or so prior to the purchase, I was using the Snort GPLv2 Community \
rules which downloaded/updated with no problem...and still do, since I reverted back \
to them. For the subscription rules in Suricata, I enter the \
following:</span><o:p></o:p></p></div><div><p class=MsoNormal><span \
style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><p \
class=MsoNormal><span \
style='font-size:12.0pt'> \
Snort Rules Filename: \
snort-rules-snapshot-29160.tar.gz</span><o:p></o:p></p></div><div><p \
class=MsoNormal><span \
style='font-size:12.0pt'> \
Snort Oinkmaster Code: ***************</span><o:p></o:p></p></div><div><p \
class=MsoNormal><span \
style='font-size:12.0pt'> \
Install Snort GPLv2 Community rules: disabled</span><o:p></o:p></p></div><div><p \
class=MsoNormal><span \
style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><p \
class=MsoNormal><span style='font-size:12.0pt'>and save the changes. When I update \
the rules, I get the following log message:</span><o:p></o:p></p></div><div><p \
class=MsoNormal><span \
style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><p \
class=MsoNormal><span style='font-size:12.0pt'>Downloading Snort VRT rules md5 \
file...</span><o:p></o:p></p></div><div><p class=MsoNormal><span \
style='font-size:12.0pt'> \
Snort VRT rules md5 download failed.</span><o:p></o:p></p></div><div><p \
class=MsoNormal><span \
style='font-size:12.0pt'> \
Server returned error code 422.</span><o:p></o:p></p></div><div><p \
class=MsoNormal><span \
style='font-size:12.0pt'> \
Server error message was:<span \
class=apple-converted-space> </span></span><o:p></o:p></p></div><div><p \
class=MsoNormal><span \
style='font-size:12.0pt'> \
Snort VRT rules will not be updated.</span><o:p></o:p></p></div><div><p \
class=MsoNormal><span \
style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><p \
class=MsoNormal><span style='font-size:12.0pt'>Things that I tried to get the \
download to work (from various Internet searches):</span><o:p></o:p></p></div><div><p \
class=MsoNormal><span \
style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><p \
class=MsoNormal><span \
style='font-size:12.0pt'> \
Disabled all rules except for the Snort subscription \
rules.</span><o:p></o:p></p></div><div><p class=MsoNormal><span \
style='font-size:12.0pt'> \
Removed pfBlockerNG (I wasn't using it).</span><o:p></o:p></p></div><div><p \
class=MsoNormal><span \
style='font-size:12.0pt'> \
Regenerated the Oinkmaster code.</span><o:p></o:p></p></div><div><p \
class=MsoNormal><span \
style='font-size:12.0pt'> \
Restarted Suricata services.</span><o:p></o:p></p></div><div><p class=MsoNormal><span \
style='font-size:12.0pt'> \
Rebooted pfSense.</span><o:p></o:p></p></div><div><p class=MsoNormal><span \
style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><p \
class=MsoNormal><span style='font-size:12.0pt'>I am technically competent, however, \
pfSense, Suricata, and Snort rules are relatively new to me (about 2 months \
experience). So, I am reaching out for help, because I am not understanding why the \
download fails. Thank you in advance for any assistance you may \
provide.</span><o:p></o:p></p></div><div><p class=MsoNormal><span \
style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><p \
class=MsoNormal><span \
style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><p \
class=MsoNormal><span style='font-size:12.0pt'>Kim \
Premuda</span><o:p></o:p></p></div><div><p \
class=MsoNormal> <o:p></o:p></p></div><div><p \
class=MsoNormal> <o:p></o:p></p></div><p class=MsoNormal><span \
style='font-size:9.0pt;font-family:"Helvetica",sans-serif'>_______________________________________________<br>Snort-sigs \
mailing list<br></span><a href="mailto:Snort-sigs@lists.snort.org"><span \
style='font-size:9.0pt;font-family:"Helvetica",sans-serif'>Snort-sigs@lists.snort.org</span></a><span \
style='font-size:9.0pt;font-family:"Helvetica",sans-serif'><br></span><a \
href="https://lists.snort.org/mailman/listinfo/snort-sigs"><span \
style='font-size:9.0pt;font-family:"Helvetica",sans-serif'>https://lists.snort.org/mailman/listinfo/snort-sigs</span></a><span \
style='font-size:9.0pt;font-family:"Helvetica",sans-serif'><br><br>Please visit<span \
class=apple-converted-space> </span></span><a \
href="http://blog.snort.org/"><span \
style='font-size:9.0pt;font-family:"Helvetica",sans-serif'>http://blog.snort.org</span></a><span \
class=apple-converted-space><span \
style='font-size:9.0pt;font-family:"Helvetica",sans-serif'> </span></span><span \
style='font-size:9.0pt;font-family:"Helvetica",sans-serif'>for the latest news about \
Snort!<br><br>Please follow these rules:<span \
class=apple-converted-space> </span></span><a \
href="https://snort.org/faq/what-is-the-mailing-list-etiquette"><span \
style='font-size:9.0pt;font-family:"Helvetica",sans-serif'>https://snort.org/faq/what-is-the-mailing-list-etiquette</span></a><span \
style='font-size:9.0pt;font-family:"Helvetica",sans-serif'><br><br>Visit the<span \
class=apple-converted-space> </span></span><a href="http://snort.org/"><span \
style='font-size:9.0pt;font-family:"Helvetica",sans-serif'>Snort.org</span></a><span \
class=apple-converted-space><span \
style='font-size:9.0pt;font-family:"Helvetica",sans-serif'> </span></span><span \
style='font-size:9.0pt;font-family:"Helvetica",sans-serif'>to subscribe to the \
official Snort ruleset, make sure to stay up to date to catch the most <a \
href="<span class=apple-converted-space> </span></span><a \
href="https://snort.org/downloads/#rule-downloads"><span \
style='font-size:9.0pt;font-family:"Helvetica",sans-serif'>https://snort.org/downloads/#rule-downloads</span></a><span \
style='font-size:9.0pt;font-family:"Helvetica",sans-serif'>">emerging \
threats</a>!</span><o:p></o:p></p></div></blockquote></div><p \
class=MsoNormal><o:p> </o:p></p></div></body></html>
["image003.png" (image/png)]
["image001.png" (image/png)]
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up \
to date to catch the most <a href=" \
https://snort.org/downloads/#rule-downloads">emerging threats</a>!
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic