Snort mailing list archives

Re: rule download problem


From: Franklin Jones <grat () wyldwood com>
Date: Thu, 01 Jul 2010 12:45:32 -0600

JJC wrote:

This also applies to older RHE. 4.8 in my case.

thanks for the point JJ.
fj..
Ok, this seems to be an issue that stems from the fact that this
version of Ubuntu does not have some required perl modules (even
though if installed from CPAN they are dependencies).  The short of it
is that you need Crypt::SSLeay and for whatever reason the maintainers
did not include this dependency... but I'm not gonna get into that
discussion today.  The following will fix the problem in Ubuntu.

apt-get install libcrypt-ssleay-perl 

Other required modules, if you don't have them (from the repos, not 
CPAN) are: 

libwww-perl
libarchive-tar-perl  (Archive::Tar)

And of course you also need to be sure that all of your root certs are
up to date (I know that this has been covered, but I am covering again
for the sake of completeness):

sudo apt-get install ca-certificates
sudo update-ca-certificates

That should just about cover it.. all of the reports were from Ubuntu
8x x86_64 and so forth...

JJC

On Wed, Jun 30, 2010 at 5:39 PM, Jefferson, Shawn
<Shawn.Jefferson () bcferries com> wrote:

    Hi,

    No, this is a new installation.  I am using Oinkmaster but thought
    this might be a good opportunity to upgrade to pulled pork.  A
    packet capture shows the download of the md5 working properly, but
    the download of the rules file gets a 302 redirect, and then
    nothing else.  Pulled Pork doesn’t follow the redirect maybe?

     

    ------------------------------------------------------------------------

    *From:* Joel Esler [mailto:jesler () sourcefire com]
    *Sent:* Wednesday, June 30, 2010 4:36 PM
    *To:* Jefferson, Shawn
    *Cc:* Crook, Parker; snort-users () lists sourceforge net
    *Subject:* Re: [Snort-users] rule download problem

     

    Are you using the pulledpork.conf file from your old pulledpork
    installation?

     

    Can't do that.

     

     

    On Jun 30, 2010, at 7:31 PM, Jefferson, Shawn wrote:



    What was the solution to this? I’m trying to set up Pulled Pork
    using the new download location and am getting the same error
    (501) when trying to download the tar.gz file.

     

    Checking latest MD5....
            Fetching md5sum for: snortrules-snapshot-2853.tar.gz.md5
            most recent rules file digest: aa012e45a5756acabb0e8c31e862f336
    Rules tarball download....
            Fetching rules file: snortrules-snapshot-2853.tar.gz
            Error 501 when fetching snortrules-snapshot-2853.tar.gz at ./pulledpork.pl line 261.

    Do I have the right settings?

            rule_file = snortrules-snapshot-2853.tar.gz
            base_url = http://www.snort.org/sub-rules
            version = 0.4.2

     

     

     

    ------------------------------------------------------------------------

    *From:* Crook, Parker [mailto:Parker_Crook () reyrey com]
    *Sent:* Tuesday, June 29, 2010 8:35 AM
    *To:* 'JJC'; John York
    *Cc:* snort-users () lists sourceforge net
    *Subject:* Re: [Snort-users] rule download problem

     

    JJ,

     

    I’ve waited the morning out to see if this would clear up, but
    I’ve been ping-ponging back and forth between 501 and 403 errors
    when using the Pulled Pork svn to try and download the new rules. 
    Below is the verbose output… any words of advice here?

     

    snort-lab:/etc/snort/pulledpork# ./pulledpork.pl -c etc/pulledpork.conf -vv

        http://code.google.com/p/pulledpork/
          _____ ____
         `----,\    )
          `--==\\  /    Pulled_Pork v0.4.2
           `--==\\/
         .-~~~~-.Y|\\_  Copyright (C) 2009-2010 JJ Cummings
      @_/        /  66\_  cummingsj () gmail com
        |    \   \   _(")
         \   /-| ||'--'  Rules give me wings!
          \_\  \_\\
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Command Line Variable Debug:
            Config Path is: etc/pulledpork.conf
            Verbose Flag is Set
            Extra Verbose Flag is Set
    Config File Variable Debug etc/pulledpork.conf
            snort_path = /usr/local/bin/snort
            pid_path = /var/run/snort_eth0.pid
            rule_path = /etc/snort/rules/snort.rules
            ignore = deleted,experimental,local
            rule_file = snortrules-snapshot-2860.tar.gz
            sid_changelog = /var/log/sid_changes.log
            sid_msg = /etc/snort/sid-msg.map
            config_path = /etc/snort/snort.conf
            sostub_path = /etc/snort/rules/so_rules.rules
            oinkcode = <oinkcode obfuscated>
            temp_path = /tmp
            distro = Debian-Lenny
            base_url = http://www.snort.org/
            sorule_path = /usr/local/lib/snort_dynamicrules/
            version = 0.4.2
            disablesid = /usr/local/etc/snort/disablesid.conf
            local_rules = /etc/snort/rules/local.rules
    Checking latest MD5....
            Fetching md5sum for: snortrules-snapshot-2860.tar.gz.md5
            most recent rules file digest: b3cb777fac21999675e8cf5696865fa5
            current local rules file  digest: 4a7877208481756881a66f7cadcff98b
            The MD5 for snortrules-snapshot-2860.tar.gz did not match the latest digest... so I am gonna fetch the latest rules file!
    Rules tarball download....
            Fetching rules file: snortrules-snapshot-2860.tar.gz
            Error 501 when fetching snortrules-snapshot-2860.tar.gz at ./pulledpork.pl line 262.

     

    -Parker

    ------------------------------------------------------------------------

    *From:* JJC [mailto:cummingsj () gmail com]
    *Sent:* Tuesday, June 29, 2010 10:32 AM
    *To:* John York
    *Cc:* snort-users () lists sourceforge net
    *Subject:* Re: [Snort-users] rule download problem

     

    The rule download location has changed, you will want to get the
    latest version of pulledpork from svn (0.4.2) or wait until the
    tarball is released shortly.

     

    JJC

    On Tue, Jun 29, 2010 at 7:25 AM, John York <YorkJ () brcc edu> wrote:

    I've been using PulledPork (v 0.4.1 Stumbling Leprechaun) to get
    my rules, but in the last week or so it has started giving this error:
    Error 403 when fetching http://www.snort.org/pub-bin/oinkmaster.cgi/snortrules-snapshot-2860_s.tar.gz.md5 at /home/xxxx/snortrules/pulledpork/pulledpork.pl line 306

    It does this even if I wait several hours between attempts, so I
    don't think the 15 min limit is involved.

    These are the applicable lines from the conf file:
    base_url=http://www.snort.org/pub-bin/oinkmaster.cgi
    rule_file=snortrules-snapshot-2860_s.tar.gz

    My subscription is up to date--I can log in to the web site and
    download the rules ok.  Any ideas?

    Thanks
    John


    ------------------------------------------------------------------------------
    This SF.net <http://SF.net> email is sponsored by Sprint
    What will you do first with EVO, the first 4G phone?
    Visit sprint.com/first
    <http://sprint.com/first> -- http://p.sf.net/sfu/sprint-com-first
    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    <mailto:Snort-users () lists sourceforge net>
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------
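
The fix described in this thread (install the Crypt::SSLeay, libwww-perl and Archive::Tar packages and refresh the root certificates) can be checked before running pulledpork.pl. The script below is an added example, not part of the original messages or of PulledPork; the function names and the PERL and CA_BUNDLE variables are assumptions, LWP::UserAgent is used as the probe for libwww-perl, and the bundle path is the Debian/Ubuntu default.

```shell
#!/bin/sh
# Added example: preflight check for the Perl modules and CA bundle named in
# this thread. Function and variable names are assumptions, not PulledPork's.

PERL="${PERL:-perl}"                                          # interpreter used for the probe
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"  # Debian/Ubuntu bundle path

# Perl module = Debian/Ubuntu package, as listed in the thread.
# LWP::UserAgent is the module shipped by libwww-perl.
PP_DEPS="Crypt::SSLeay=libcrypt-ssleay-perl
LWP::UserAgent=libwww-perl
Archive::Tar=libarchive-tar-perl"

# Print the package name for every module that fails to load.
pp_missing_packages() {
    local entry mod pkg
    for entry in $PP_DEPS; do
        mod="${entry%%=*}"
        pkg="${entry#*=}"
        # "-M<module> -e 1" exits non-zero when the module cannot be loaded.
        if ! "$PERL" "-M$mod" -e 1 >/dev/null 2>&1; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Succeed only if the CA bundle exists and is non-empty.
pp_ca_bundle_ok() {
    [ -s "$CA_BUNDLE" ]
}

# Print the remediation commands; return 1 if anything needs fixing.
pp_preflight() {
    local missing rc=0
    missing="$(pp_missing_packages | tr '\n' ' ')"
    missing="${missing% }"
    if [ -n "$missing" ]; then
        echo "apt-get install $missing"
        rc=1
    fi
    if ! pp_ca_bundle_ok; then
        echo "apt-get install ca-certificates && update-ca-certificates"
        rc=1
    fi
    return "$rc"
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then pp_preflight; fi
```

Run it with --check on the sensor host; no output and exit status 0 mean the dependencies from this thread are in place.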