Snort mailing list archives

Re: PulledPork error 422 when fetching ruleset


From: Orion Christopher <orionquest44 () gmail com>
Date: Mon, 16 Nov 2015 20:59:57 -0500

I'm getting a similar error with PulledPork, error 404.  I recently updated
to the new version of snort, so decided to build from scratch following the
directions on the snort site.

Made these changes to pulledpork.conf:
Line 19 & 26: enter your oinkcode
Line 27 & 30: leave alone (un-commented) to use the Emerging Threats rule set

Line 72: change to: rule_path=/etc/snort/rules/snort.rules
Line 87: change to: local_rules=/etc/snort/rules/local.rules
Line 90: change to: sid_msg=/etc/snort/sid-msg.map
Line 117: change to: config_path=/etc/snort/snort.conf

Line 131: change to: distro=Ubuntu-10-4

Line 139: change to: black_list=/etc/snort/rules/iplists/default.blacklist
Line 148: change to: IPRVersion=/etc/snort/rules/iplists

Line 194: Uncomment and change to: enablesid=/etc/snort/enablesid.conf
Line 195: Uncomment and change to: dropsid=/etc/snort/dropsid.conf
Line 196: Uncomment and change to: disablesid=/etc/snort/disablesid.conf
Line 197: Uncomment and change to: modifysid=/etc/snort/modifysid.conf

Here is the error:

Checking latest MD5 for snortrules-snapshot-2976.tar.gz....
They Match
Done!
Checking latest MD5 for community-rules.tar.gz....
A 404 error occurred, please verify your filenames and urls for your
tarball!
Error 404 when fetching https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 463.
main::md5file('Community', 'community-rules.tar.gz', '/tmp/', 'https://s3.amazonaws.com/snort-org/www/rules/community/') called at /usr/local/bin/pulledpork.pl line 1847


On Mon, Nov 16, 2015 at 4:00 PM, Joel Esler (jesler) <jesler () cisco com>
wrote:

The version Snort needs to be updated.  PulledPork figures out what
version of Snort you have installed, and then pulls the corresponding
ruleset.

--
*Joel Esler*
Manager, Talos Group
Sent from my iPad

On Nov 16, 2015, at 12:55 PM, Chris Odd <chris () chrisodd com> wrote:

Hi,  I received the notice from Joel a few weeks ago indicating that I was
attempting to download an outdated Snort ruleset (2.9.7.0).

I had a look at my config today; when I run pulled pork, here’s the result
(I’ve manually replaced my oinkcode with <oinkcode>):

Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
   Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 482.
   main::md5file('<oinkcode>', 'snortrules-snapshot-2970.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /usr/local/bin/pulledpork.pl line 1875

However, my pulledpork config does not reference that rules tarball,
here’s how my rules are defined in pulledpork.conf:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open-nogpl

Which matches what it should be, according to
https://www.snort.org/oinkcodes


Any ideas on what I should be changing?

Thanks


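Added example (not PulledPork's own code, nor from anyone in this thread) showing the naming logic Joel describes: PulledPork turns the installed Snort version into the tag in snortrules-snapshot-<tag>.tar.gz, so a config line with the unversioned tarball name still produces a versioned request, and a stale Snort build produces a stale snapshot name and a 422/404. The `snort -V` banner line and the helper names are assumptions; the URLs and tarball names come from the thread.

```python
import re

# Tag PulledPork inserts into the registered-rules tarball name, e.g. 2.9.7.0 -> 2970.
SNAPSHOT_RE = re.compile(r"snortrules-snapshot-(\d+)\.tar\.gz")
UNVERSIONED = "snortrules-snapshot.tar.gz"

def snapshot_tag(version: str) -> str:
    """'2.9.7.6' -> '2976' (four dotted integers, as Snort 2.9.x reports them)."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Snort version string: {version!r}")
    return "".join(parts)

def snort_version_from_banner(banner: str) -> str:
    """Pull the version out of `snort -V` output (banner format is an assumption)."""
    m = re.search(r"Version (\d+\.\d+\.\d+\.\d+)", banner)
    if not m:
        raise ValueError("no 'Version x.y.z.w' line in banner")
    return m.group(1)

def parse_rule_url(line: str):
    """Split a pulledpork.conf 'rule_url=<base>|<tarball>|<oinkcode>' line."""
    key, _, value = line.strip().partition("=")
    if key != "rule_url":
        return None
    base, tarball, oinkcode = value.split("|")
    return base, tarball, oinkcode

def expand_tarball(tarball: str, installed_version: str) -> str:
    """Mimic the substitution seen in the thread: the config names
    snortrules-snapshot.tar.gz but the fetch asks for snortrules-snapshot-2970.tar.gz."""
    if tarball == UNVERSIONED:
        return f"snortrules-snapshot-{snapshot_tag(installed_version)}.tar.gz"
    return tarball

def check_snapshot_name(url_or_name: str, installed_version: str):
    """Return (matches, expected_tag, found_tag). found_tag is None when the
    name carries no version tag (e.g. community-rules.tar.gz), so nothing to compare."""
    expected = snapshot_tag(installed_version)
    m = SNAPSHOT_RE.search(url_or_name)
    if not m:
        return True, expected, None
    found = m.group(1)
    return found == expected, expected, found

if __name__ == "__main__":
    # Constructed sample banner; the version below is a placeholder, not a real host's.
    ver = snort_version_from_banner("   ,,_     -*> Snort! <*-\n  o\"  )~   Version 2.9.7.6 GRE (Build 285)\n")
    ok, want, got = check_snapshot_name(
        "https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5", ver)
    print("installed", ver, "expects tag", want, "- request used", got, "- ok:", ok)
```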



------------------------------------------------------------------------------
Presto, an open source distributed SQL query engine for big data, initially
developed by Facebook, enables you to easily query your data on Hadoop in
a
more interactive manner. Teradata is also now providing full enterprise
support for Presto. Download a free open source copy now.
http://pubads.g.doubleclick.net/gampad/clk?id=250295911&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
