Snort mailing list archives

Re: Error 422 with snortrules-snapshot-2972.tar.gz


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 26 Jun 2015 19:16:26 +0000

Judging by the download stats, no one reads my warnings on the blogs.  Then I put out the “EOL is coming with the next 
release” blog post, and suddenly the download stats turn upside down.


On Jun 26, 2015, at 3:03 PM, Andre DiMino <adimino () sempersecurus org> wrote:

Thanks.  Those EOLs keep sneaking up on me.

On Fri, Jun 26, 2015 at 1:42 PM, Y M <snort () outlook com> wrote:
Hi Andre,

Looking at the URL for the rules, it seems you are requesting the 2970 tarball, which is EOL according to the website 
https://www.snort.org/eol.

YM

________________________________
Date: Fri, 26 Jun 2015 12:33:57 -0400
From: adimino () sempersecurus org
To: jesler () cisco com
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Error 422 with snortrules-snapshot-2972.tar.gz


Is anyone else seeing this issue?
I'm now getting Error 422 when downloading via pulledpork:

Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5 at 
/home/snortscan/snort_src/pulledpork-read-only/pulledpork.pl line 482
main::md5file('234f6e519d1ce6e4fa1762e7f9bb7f31fd65b2de', 'snortrules-snapshot-2970.tar.gz', '/tmp/', 
'https://www.snort.org/reg-rules/') called at 
/home/snortscan/snort_src/pulledpork-read-only/pulledpork.pl line 1875

I didn't see any problems with my pulledpork.conf as Scott observed.  This has worked reliably until now.

Andre'

On Mon, Jun 8, 2015 at 10:00 AM, Joel Esler (jesler) <jesler () cisco com> wrote:
You should probably swap step 3 and 2, since the links are verified after posting.  :)

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group
http://www.talosintel.com

On Jun 8, 2015, at 9:58 AM, Scott Link <linksg () slu edu> wrote:

Figured it out.

In pulledpork.conf, the line starting with rule_url= had a space between the last pipe and our oinkcode. Deleted the 
space, re-ran, success!


Looking at the backup pulledpork.conf files, I see two consecutive days where the file was backed up. The code didn't 
change between the days and the only thing different is the addition of the space.

Weird.

So, got 422?
Try wget on the expected URL. If still 422, escalate to snort.org. If not 422, check pulledpork.conf 
for a spurious rule_url entry.

Cheers,
Scott

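Scott's checklist above, turned into a configuration check. This is an added example, not part of the thread or of PulledPork itself: it parses rule_url lines of the form url|tarball|oinkcode (the layout the thread describes), flags whitespace inside any field, the defect that produced the 422 here, and flags snapshot versions the caller lists as EOL. The sample conf, the placeholder oinkcode and the assumption that an oinkcode is 40 hex characters are mine, not the thread's.

```python
import re

# Constructed pulledpork.conf excerpt (not from the thread). Line 2 carries a
# stray space after the last pipe, line 3 names a snapshot version the thread
# says is EOL. The oinkcode is a placeholder, not a real one.
SAMPLE_CONF = """\
# pulledpork.conf excerpt (constructed)
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz| 0123456789abcdef0123456789abcdef01234567
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-2970.tar.gz|0123456789abcdef0123456789abcdef01234567
"""

# Assumption: an oinkcode is a 40-character lowercase hex string.
OINKCODE_RE = re.compile(r"^[0-9a-f]{40}$")
# Versioned snapshot tarballs look like snortrules-snapshot-<version>.tar.gz.
SNAPSHOT_RE = re.compile(r"snortrules-snapshot-(\d+)\.tar\.gz$")


def check_rule_urls(conf_text, eol_versions=()):
    """Return a list of (line_no, problem) tuples for suspect rule_url entries."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        if not raw.startswith("rule_url="):
            continue
        fields = raw[len("rule_url="):].split("|")
        if len(fields) != 3:
            findings.append((line_no, "expected url|tarball|oinkcode, got %d fields" % len(fields)))
            continue
        url, tarball, oinkcode = fields
        # Whitespace inside a field goes into the request verbatim; the server
        # rejects the malformed request instead of serving the tarball or md5.
        for name, value in (("url", url), ("tarball", tarball), ("oinkcode", oinkcode)):
            if value != value.strip():
                findings.append((line_no, "whitespace around %s field" % name))
        if not OINKCODE_RE.match(oinkcode.strip()):
            findings.append((line_no, "oinkcode is not 40 hex characters"))
        m = SNAPSHOT_RE.search(tarball.strip())
        if m and m.group(1) in eol_versions:
            findings.append((line_no, "snapshot %s is EOL; request a supported version" % m.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, problem in check_rule_urls(SAMPLE_CONF, eol_versions={"2970"}):
        print("line %d: %s" % (line_no, problem))
```

Feed it the live pulledpork.conf and the current list from https://www.snort.org/eol before blaming the server.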

On Fri, May 29, 2015 at 8:19 AM, Scott Link <linksg () slu edu> wrote:
Joel,

I have confirmed the oinkcode in pulledpork.conf matches what's in our account. When I first had this issue, I tried 
regenerating the code and updating pulledpork.conf and got the same result. Since then, I used wget to pull the ruleset 
and the file with the md5sum. I think that would also confirm I'm using a valid oinkcode.

Thanks,
Scott

On Fri, May 29, 2015 at 8:07 AM, Joel Esler (jesler) <jesler () cisco com> wrote:
Not sure what the issue is, I’m watching the logs on Snort.org right now, and thousands of people 
seem to not be having a problem.  Is your oinkcode valid, no typos in it?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group
http://www.talosintel.com

On May 29, 2015, at 7:49 AM, Scott Link <linksg () slu edu> wrote:

In the meantime, I've applied the latest Security Onion updates. I had to restart the nsm service to get everything back 
online afterwards, but sostat is now reporting all is well.

Retried rule-update and the error message is still there.

Any additional information I can make a run at tracking down and providing?

On Fri, May 22, 2015 at 6:51 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
We are going to look into this.  However, everyone is pretty much out of the office until Tuesday.

--
Joel Esler
Sent from my iPhone

On May 22, 2015, at 4:28 PM, Shirkdog <shirkdog () gmail com> wrote:

On May 22, 2015 3:45 PM, "Scott Link" <linksg () slu edu> wrote:

Hi,

Getting the following error message:
Running PulledPork.
    Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2972.tar.gz.md5 at 
/usr/bin/pulledpork.pl line 463
    main::md5file(' <oinkcode redacted>', 'snortrules-snapshot-2972.tar.gz', '/tmp/', 
'https://www.snort.org/reg-rules/') called at /usr/bin/pulledpork.pl line 1885
    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  Copyright (C) 2009-2013 JJ Cummings, cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2972.tar.gz....

Searching the archive seems to point to a server-side issue. Need anything else?

Try with Snort version 2.9.7.3

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



--
Scott Link
Manager, ITS Infrastructure Operations Security
Saint Louis University
www.slu.edu
314.977.9713









--

Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org

"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)




