ids-update.pl fails to get Talos VRT rules from snort.org after upgrading to Core 127. The issue is with the file name string used to read the md5 file at the snort server. The snort server expects a five digit value for version string as part of the file name when fetching rules for Snort 2.9.12. It expects the value with a trailing zero -- "29120". The current version of ids-update.pl produces the version string as "2912" -- without the trailing zero.
/var/log/messages shows idsupdate getting an error fetching the file:
- <snort.org>/rules/snortrules-snapshot-2912.tar.gz.md5
- <snort.org>/rules/snortrules-snapshot-29120.tar.gz.md5
To get ids updates working for me, I added this (perhaps inelegant) bit of syntax at line 1100 of my local copy of ids-update.pl:
```perl
# If version string is less than 5 bytes, append a '0' to it
$vrt_v .= '0' if(length($vrt_v) < 5);
```
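An added example, not part of the original post and not IPFire's own code: a variant that pads the version by component instead of by string length, so a complete four-part version with single-digit parts is left unchanged. It assumes the token in the file name is the dotted version padded to four components with the dots removed; `snapshot_token` and the sample inputs are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example (hypothetical helper, not from ids-update.pl).
# Assumption: the rules file name carries the dotted version padded to
# four components with the dots removed, e.g. 2.9.12 -> 2.9.12.0 -> 29120.
sub snapshot_token {
    my ($version) = @_;

    # Accept only dotted numeric versions so nothing else ends up in the
    # file name that is requested from the server.
    return unless defined $version && $version =~ /\A\d+(?:\.\d+){1,3}\z/;

    my @parts = split /\./, $version;
    push @parts, 0 while @parts < 4;    # pad missing trailing components
    return join '', @parts;
}

# Constructed inputs: the version from the post, the same version already
# padded, a made-up four-part version, and two malformed strings.
for my $v ('2.9.12', '2.9.12.0', '1.2.3.4', '2.9.12 GRE', '') {
    my $token = snapshot_token($v);
    if (defined $token) {
        printf "%-12s -> snortrules-snapshot-%s.tar.gz.md5\n", "'$v'", $token;
    }
    else {
        printf "%-12s -> rejected, not a dotted numeric version\n", "'$v'";
    }
}
```

With the length test from the post, the constructed input `1.2.3.4` would become `12340`; padding by component keeps it as `1234` while still turning `2.9.12` into `29120`.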