Snort mailing list archives

Re: still having download problems


From: JJC <cummingsj () gmail com>
Date: Thu, 1 Jul 2010 09:03:03 -0600

Ok, well that rules those two out... yes, what distro are we all running
that is having issues so that I can see if I can't reproduce!

On Thu, Jul 1, 2010 at 9:02 AM, Crook, Parker <Parker_Crook () reyrey com> wrote:

 JJ,



I just upgraded my LWP::Simple to 5.836 and am still having this issue.  I
also ran update-ca-certificates to cover that base.  Just curious, is this
only happening on Debian and Debian-based distros?



-Parker



P.S.  If I am still having an issue on this, I will set up a lab at home
tonight to test this out on OS X, Debian, and if someone is having issues on
another distro, let me know and I’ll see if I can’t test it out there too.
 ------------------------------

*From:* JJC [mailto:cummingsj () gmail com]
*Sent:* Thursday, July 01, 2010 10:51 AM
*To:* John York
*Cc:* snort-sigs () lists sourceforge net
*Subject:* Re: [Snort-sigs] still having download problems



Do you know what version of LWP::Simple you are using?

On Thu, Jul 1, 2010 at 8:32 AM, John York <YorkJ () brcc edu> wrote:

I've updated to pulledpork 0.4.2 on my Ubuntu 8.04 box.  I also tried to
update the CA certs with apt-get, but they are already up to date.  When I
do a packet trace, I see the box go to Snort and ask for the rules.  Snort
replies that the rules have moved to s3.amazonaws.com.  At that point, my
box just gives up--I don't see any traffic where it even tries to connect
with amazon.  Any ideas?  I tried manually changing pp so it asked for
sub-rules instead of reg-rules, but both do the same thing.  The pp debug
output and https conversation are below, mangled to protect the oinkcode.

Thanks
John

PP debug

me@snort:~$ sudo apt-get install ca-certificates
[sudo] password for me:
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

me@snort:~$ sudo ./ppgo

 http://code.google.com/p/pulledpork/
     _____ ____
    `----,\    )
     `--==\\  /    Pulled_Pork v0.4.2
      `--==\\/
    .-~~~~-.Y|\\_  Copyright (C) 2009-2010 JJ Cummings
 @_/        /  66\_  cummingsj () gmail com
   |    \   \   _(")
    \   /-| ||'--'  Rules give me wings!
     \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Variable Debug:
       Config Path is:
/home/bryorkj/snortrules/pulledpork/etc/pulledpork.conf
       Path to disablesid file:
/home/bryorkj/snortrules/pulledpork/etc/disablesid.conf
       Verbose Flag is Set
       Extra Verbose Flag is Set
Config File Variable Debug
/home/bryorkj/snortrules/pulledpork/etc/pulledpork.conf
       snort_path = /usr/local/bin/snort
       pid_path = /var/run/snortd.pid
       rule_path = /usr/local/etc/snort/rules/snort.rules
       ignore = deleted,experimental,local
       rule_file = snortrules-snapshot-2860.tar.gz
       sid_changelog = /var/log/sid_changes.log
       sid_msg = /usr/local/etc/snort/sid-msg.map
       config_path = /usr/local/etc/snort/snort.conf
       sostub_path = /usr/local/etc/snort/rules/so_rules.rules
       oinkcode = 7025mangle-mangle7813
       temp_path = /tmp
       distro = Ubuntu-8.04
       base_url = http://www.snort.org/
       sorule_path = /usr/local/lib/snort_dynamicrules/
       version = 0.4.2
       disablesid = /usr/local/etc/snort/disablesid.conf
       local_rules = /usr/local/etc/snort/rules/local.rules
Checking latest MD5....
       Fetching md5sum for: snortrules-snapshot-2860.tar.gz.md5
       most recent rules file digest: d8b7b694e4f21b7406e3c86a32b362bf
Rules tarball download....
       Fetching rules file: snortrules-snapshot-2860.tar.gz
       Error 501 when fetching snortrules-snapshot-2860.tar.gz at
/home/bryorkj/snortrules/pulledpork/pulledpork.pl line 264.
       going to get this url:
http://www.snort.org/sub-rules/snortrules-snapshot-2860.tar.gz/7025mangle-mangle7813


HTTP conversation

GET /sub-rules/snortrules-snapshot-2860.tar.gz/7025mangle-mangle7813 HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.snort.org
User-Agent: LWP::Simple/5.820

HTTP/1.0 302 Moved Temporarily
Date: Thu, 01 Jul 2010 13:57:15 GMT
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
X-Runtime: 448
Cache-Control: no-cache
Set-Cookie: _radiant_session=BAh7BjoPmangle-mangleDhmNDA%3D--777377mangle-mangled8cc; path=/; HttpOnly
Location: https://s3.amazonaws.com/snort.org/rules/20100629/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId=AKImangle-mangleQ&Expires=1277992665&Signature=mangle-mangle3D
Content-Length: 251
Status: 302
Content-Type: text/html; charset=utf-8
X-Cache: MISS from web610.br.vccs.edu
Via: 1.0 web610.br.vccs.edu:8080 (http_scan/4.0.2.6.19)
Connection: close

<html><body>You are being <a href="https://s3.amazonaws.com/snort.org/rules/20100629/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId=AKImangle-mangle&amp;Expires=1277992665&amp;Signature=7ZFmangle-mangle4%3D">redirected</a>.</body></html>

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
