Snort mailing list archives
Re: Oinkmaster can't get rules
From: JJC <cummingsj () gmail com>
Date: Wed, 14 Jul 2010 12:44:15 -0600
There are a number of benefits, SO rules being a big one! Others include md5 verification, flow bit tracking, complex rulestate modification capabilities, capability to define a base ruleset... Just to mention a few! Oh, it's also faster :-)

JJC

Sent from my iPad

On Jul 14, 2010, at 6:50 AM, Joel Esler <jesler () sourcefire com> wrote:

Huge. If I had to pick one feature, it would be that pulledpork handles the SO rules, and oinkmaster does not. But there are a lot more features than that, maybe JJ can chime in and highlight some others if you guys want.

--
Sent from my iPad

On Jul 14, 2010, at 8:22 AM, James Lay <jlay () slave-tothe-box net> wrote:

LoL...sure why not add more to the fun ;) Is there THAT much of a difference between the two?

James

From: Joel Esler <jesler () sourcefire com>
Date: Tue, 13 Jul 2010 14:05:27 -0400
To: James Lay <jlay () slave-tothe-box net>
Cc: Snort <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Oinkmaster can't get rules

For those of you trying to use Oinkmaster. You might want to think about converting over to PulledPork as well, as long as you are doing the work :)

On Jul 13, 2010, at 2:00 PM, James Lay wrote:

I'm still having issues with Slackware 12.1. Verisign certs are in /etc/ssl/certs:

/etc/ssl/certs$ ls Verisign*
Verisign_Class_1_Public_Primary_Certification_Authority.crt
Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt
Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
Verisign_Class_2_Public_Primary_Certification_Authority.crt
Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt
Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
Verisign_Class_3_Public_Primary_Certification_Authority.crt
Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt
Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
Verisign_Class_4_Public_Primary_Certification_Authority_-_G2.crt
Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt
Verisign_RSA_Secure_Server_CA.crt
Verisign_Time_Stamping_Authority_CA.crt

OpenSSL is compiled to point to /etc/ssl as the default dir. Crypt::SSLeay is up to date:

cpan> install Crypt::SSLeay
Crypt::SSLeay is up to date.

Still seeing this:

wget http://www.snort.org/pub-bin/oinkmaster.cgi/code/snortrules-snapshot-2860.tar.gz
--2010-07-13 11:52:15-- http://www.snort.org/pub-bin/oinkmaster.cgi/code/snortrules-snapshot-2860.tar.gz
Resolving www.snort.org... 68.177.102.20
Connecting to www.snort.org|68.177.102.20|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://s3.amazonaws.com/snort.org/rules/20100610/snortrules-snapshot-2860.tar.gz?&Expires=1279043570&Signature= [following]
--2010-07-13 11:52:17-- https://s3.amazonaws.com/snort.org/rules/20100610/snortrules-snapshot-2860.tar.gz?&Expires=1279043570&Signature=
Resolving s3.amazonaws.com... 207.171.185.197
Connecting to s3.amazonaws.com|207.171.185.197|:443... connected.
ERROR: cannot verify s3.amazonaws.com's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2':
Unable to locally verify the issuer's authority.
To connect to s3.amazonaws.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

I'm about to just change oinkmaster.pl to --no-check-certificate, but I'd like to get this to work with SSL. Have to admit...sure would have been nice to know this was taking place..maybe I didn't look hard enough online.

James

I don't know how to correct these problems on Windows. Maybe another Windows user can chime in here, but I haven't used Windows since about 2003.

On Jul 13, 2010, at 10:31 AM, Alejandro Cabrera Obed wrote:

Now I get this error message when downloading the rules with oinkmaster.pl:

Loading Perl modules.
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2853.tar.gz...
Proxy must be specified as absolute URI; '10.4.1.10:8080' is not at c:\oinkmaster-2.0\oinkmaster.pl line 936

What can I do ??? My HTTP_proxy variable is an environment variable set up in Windows...

Special thanks

--
Alejandro Cabrera Obed
aco1967 () gmail com
www.alejandrocabrera.com.ar

2010/7/12 Joel Esler <jesler () sourcefire com>:

The --no-check-certificate problem is a result of having old CA Certificates on your box. Please read the snort-users archive, like this: http://marc.info/?l=snort-users&m=127791856110280&w=2

Joel

On Jul 12, 2010, at 9:45 PM, Alejandro Cabrera Obed wrote:

In my Windows I put these two environment variables:

HTTP_proxy = http://10.10.2.1
HTTPS_proxy = https://10.10.12.1 (and later http://10.10.12.1)

But I continue receiving the error:

oinkmaster.pl: Error: could not download from http://www.snort.org/pub-bin/oinkmaster.cgi/*my_oinkcode*/snortrules-snapshot-2853.tar.gz: 500 Can't connect to s3.amazonaws.com:443 (Bad hostname 's3.amazonaws.com')

If I download the rules from my web browser I succeed !!! Any idea ??? Thanks again.

--
Alejandro Cabrera Obed
aco1967 () gmail com
www.alejandrocabrera.com.ar

2010/7/12 James Lay <jlay () slave-tothe-box net>:

From: Fábio Ferrão <ferrao04 () gmail com>
Date: Thu, 8 Jul 2010 10:07:33 -0300
To: Snort <snort-users () lists sourceforge net>
Subject: [Snort-users] Oinkmaster can't get rules

<snip>
[prompt]# /usr/local/bin/oinkmaster -o /usr/local/snort/rules/rules > /home/suporte/oinkmaster.update
Loading /usr/local/etc/oinkmaster.conf
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2853.tar.gz...
/usr/local/bin/oinkmaster: Error: could not download from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2853.tar.gz. Output from wget follows:
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2853.tar.gz
Resolving www.snort.org... 68.177.102.20
Connecting to www.snort.org|68.177.102.20|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2010-07-06 13:18:43 ERROR 403: Forbidden.
<snip>

I am receiving exactly the same thing, even though I've modified my oinkmaster.pl to reflect the --no-check-certificate.

It seems like sometime a redirect doesn't fire since I get to 68.177.102.20, and instead of the 302 redirect, simply a 403 and dumped. Anyone else besides myself and the OP seeing this? Thanks.

James

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
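Editor's note on the wget failure quoted in this thread. "Unable to locally verify the issuer's authority" means wget could not build a chain from the server certificate to a root it trusts: the certificate was issued by an intermediate CA (the "VeriSign Class 3 Secure Server CA - G2" named in the error), and either that intermediate was not presented or the local store in /etc/ssl/certs had no root it chains to. The script below is an added example, not code from the thread, from oinkmaster or from pulledpork. It builds a throwaway three-tier chain with the openssl CLI (a made-up root, intermediate and server certificate for the invented host s3.example.test), reproduces the failure by verifying against the root alone, and then shows the two verifications that succeed once the missing certificate is available: supplying the intermediate as an untrusted chain certificate, and installing it into a hashed CA directory of the kind wget and Crypt::SSLeay consult. Both are the fix to prefer over --no-check-certificate, which accepts any certificate at all, including one minted by whoever sits between the sensor and snort.org. It assumes openssl 1.1.1 or later is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "unable to get local issuer
# certificate" with a throwaway root -> intermediate -> server chain, then
# show verification passing once the intermediate is supplied.
# Requires the openssl CLI (1.1.1 or later). All names below are made up.
set -eu

# Build the chain in directory $1. Root is self-signed with CA:TRUE, the
# intermediate is a CA certificate signed by the root, the server certificate
# is signed by the intermediate. Extensions are given explicitly so the
# result does not depend on the system openssl.cnf.
make_chain() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:s3.example.test\n' \
        > "$dir/leaf.ext"

    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.csr" -subj "/O=Example/CN=Example Root CA" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1

    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
        -out "$dir/int.csr" -subj "/O=Example/CN=Example Secure Server CA" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
        -out "$dir/int.pem" >/dev/null 2>&1

    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" -subj "/CN=s3.example.test" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/int.pem" \
        -CAkey "$dir/int.key" -CAcreateserial -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.pem" >/dev/null 2>&1
}

# What the failing wget saw: only the root is trusted and nobody supplies the
# intermediate, so no chain can be built. Exits non-zero.
verify_root_only() {
    openssl verify -no-CApath -CAfile "$1/root.pem" "$1/leaf.pem"
}

# Fix 1: the intermediate is supplied as an untrusted chain certificate (what a
# correctly configured server sends, or what wget --ca-certificate can carry).
# The root remains the only trust anchor and the hostname is checked as well.
verify_with_intermediate() {
    openssl verify -no-CApath -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
        -verify_hostname s3.example.test "$1/leaf.pem"
}

# Fix 2: install the missing CA certificate into a hashed directory, as one
# would into /etc/ssl/certs, and rehash so OpenSSL-based clients find it.
verify_with_capath() {
    mkdir -p "$1/certs"
    cp "$1/root.pem" "$1/int.pem" "$1/certs/"
    openssl rehash "$1/certs" >/dev/null 2>&1
    openssl verify -no-CAfile -CApath "$1/certs" \
        -verify_hostname s3.example.test "$1/leaf.pem"
}

# Not a fix: --no-check-certificate skips every check above and accepts any
# certificate presented on the wire.

work=$(mktemp -d)
make_chain "$work"
if verify_root_only "$work"; then
    echo "unexpected: verified without the intermediate"
else
    echo "root only: chain cannot be built (this is the wget error)"
fi
verify_with_intermediate "$work"
verify_with_capath "$work"
rm -rf "$work"
```

The same three verifications can be run against a real endpoint by saving what the server sends with `openssl s_client -showcerts` and pointing `-untrusted` or `-CApath` at the relevant certificates; the point is that the trust anchor stays a root you chose, not whatever the network returns.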
Current thread:
- Re: Oinkmaster can't get rules, (continued)
- Re: Oinkmaster can't get rules Joel Esler (Jul 08)
- Re: Oinkmaster can't get rules James Lay (Jul 12)
- Re: Oinkmaster can't get rules Alejandro Cabrera Obed (Jul 12)
- Re: Oinkmaster can't get rules Joel Esler (Jul 12)
- Re: Oinkmaster can't get rules Alejandro Cabrera Obed (Jul 13)
- Re: Oinkmaster can't get rules Joel Esler (Jul 13)
- Re: Oinkmaster can't get rules James Lay (Jul 13)
- Re: Oinkmaster can't get rules Joel Esler (Jul 13)
- Re: Oinkmaster can't get rules James Lay (Jul 14)
- Re: Oinkmaster can't get rules Joel Esler (Jul 14)
- Re: Oinkmaster can't get rules JJC (Jul 14)
- Re: Oinkmaster can't get rules Jefferson, Shawn (Jul 19)
- oinkmaster vs pulledpork was (Oinkmaster can't get rules) Russell Fulton (Jul 19)
- Re: oinkmaster vs pulledpork was (Oinkmaster can't get rules) JJC (Jul 19)
- Re: oinkmaster vs pulledpork was (Oinkmaster can't get rules) Mike Lococo (Jul 19)
- Re: oinkmaster vs pulledpork was (Oinkmaster can't get rules) Joel Esler (Jul 19)
- Re: oinkmaster vs pulledpork was (Oinkmaster can't get rules) Mike Lococo (Jul 20)
- RESOLVED Re: Oinkmaster can't get rules James Lay (Jul 15)
- Re: RESOLVED Re: Oinkmaster can't get rules Joel Esler (Jul 15)
- Re: RESOLVED Re: Oinkmaster can't get rules Nigel Houghton (Jul 15)
- Re: RESOLVED Re: Oinkmaster can't get rules James Lay (Jul 16)