Snort mailing list archives

oinkcode not working for VRT rules


From: Eric Warren via Snort-users <snort-users () lists snort org>
Date: Tue, 25 Jul 2017 15:45:18 +0000 (UTC)

Hi all,  

I hope my request will benefit many of us because the problem I am encountering seems to be common.  And there also 
doesn't seem to be a conclusive answer at any official and unofficial forums/sites.  

I have been running Snort on Pfsense for five years with no problem whatsoever.  A few weeks ago I upgraded to Pfsense 
2.3.4 and Snort Version 2.9.9.0 GRE (Build 56).  

The other four rule sets that don't require an oinkcode download just fine.  But, for the last two weeks the VRT rules 
fail to load.  The logs from Snort read like this:


There is a new set of Snort VRT rules posted.
Downloading file 'snortrules-snapshot-2990.tar.gz'...
Snort VRT rules file download failed.  Server returned error 403.
The error text was: 403 Forbidden


The logs from Pfsense read like this:


[Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2990.tar.gz... 
[Snort] Rules download error: OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 60
snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
snort_check_for_rule_updates.php: File 'snortrules-snapshot-2990.tar.gz' download attempts: 2 ...
snort_check_for_rule_updates.php: [Snort] Snort VRT rules file download failed... server returned error '403'...


I have been troubleshooting for two weeks and have investigated and factored out the following suspected problems 
and/or issues as possible sources of trouble:

1)   A member of the snort.org team assures me that my IP address is not being blocked/rejected/dropped
2)   DNS is working just fine, I tried all different combinations of DNS settings on host Pfsense machine including dropping the loopback 127.0.0.1 address as suggested by one forum with the same failure result
3)   no TCP ports are being blocked
4)   my demarc (cable modem in this case) is set to pass all traffic
5)   /tmp file on host Pfsense machine is not too small and was increased as suggested by Pfsense official forum
6)   oinkcode was regenerated and copied carefully to no avail; even entered manually one time on the chance there is a formatting problem
7)   no changes to the default settings of host Pfsense machine or Snort, no custom rules were made in either
8)   I have tried regular and "forced" updates and at all different hours of the day and night as suggested by unofficial and official Pfsense forums
9)   have logged into the host Pfsense machine from various remote machines with various operating systems and getting the same result

By the way, I have discovered that the www is a minefield of malware and garbage websites promising "fixes" for those 
of us having this same problem.  Search: "oinkcode not working for VRT rules" and you will see.   

Any help out there?  I do not want to be a permanent resident in the Land of the Lost!  Thanks.  

-eaw
 
