RESOLVED Re: Oinkmaster can't get rules

[James Lay <jlay () slave-tothe-box net>]

Success!

Apparently 3 things needed to occur:

Update Crypt::SSLeay
Modify oinkmaster.pl line 909 with --no-check-certificate
Snag the ca-certificates package and install each cert in /etc/ssl/certs

While I can see Slackware's point of having the user install the certs,
eh...it was a bit of a pain to have to figure all this out ;)  Thanks for
all the help folks.

James

> From: James Lay <jlay () slave-tothe-box net>
> Date: Tue, 13 Jul 2010 12:00:35 -0600
> To: Joel Esler <jesler () sourcefire com>
> Cc: James Lay <jlay () slave-tothe-box net>, Snort
> <snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] Oinkmaster can't get rules
>
> I'm still having issues with Slackware 12.1.
>
> Verisign certs are in /etc/ssl/certs:
> /etc/ssl/certs$] ls Verisign*
> Verisign_Class_1_Public_Primary_Certification_Authority.crt
> Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt
> Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt
> Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
> Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
> Verisign_Class_4_Public_Primary_Certification_Authority_-_G2.crt
> Verisign_Class_2_Public_Primary_Certification_Authority.crt
> Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt
> Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt
> Verisign_RSA_Secure_Server_CA.crt
> Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
> Verisign_Time_Stamping_Authority_CA.crt
> Verisign_Class_3_Public_Primary_Certification_Authority.crt
>
> OpenSSL is complied to point to /etc/ssl as the default dir.
>
> Crypt::SSLeay is up to date:
> cpan> install Crypt::SSLeay
> Crypt::SSLeay is up to date.
>
> Still seeing this:
>
> wget 
> http://www.snort.org/pub-bin/oinkmaster.cgi/code/snortrules-snapshot-2860.tar.
> gz
> --2010-07-13 11:52:15--
> http://www.snort.org/pub-bin/oinkmaster.cgi/code/snortrules-snapshot-2860.tar.
> gz
> Resolving www.snort.org... 68.177.102.20
> Connecting to www.snort.org|68.177.102.20|:80... connected.
> HTTP request sent, awaiting response... 302 Found
> Location:
> https://s3.amazonaws.com/snort.org/rules/20100610/snortrules-snapshot-2860.tar
> .gz?&Expires=1279043570&Signature=
> [following]
> --2010-07-13 11:52:17--
> https://s3.amazonaws.com/snort.org/rules/20100610/snortrules-snapshot-2860.tar
> .gz?&Expires=1279043570&Signature=
> Resolving s3.amazonaws.com... 207.171.185.197
> Connecting to s3.amazonaws.com|207.171.185.197|:443... connected.
> ERROR: cannot verify s3.amazonaws.com's certificate, issued by
> `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA -
> G2':
>   Unable to locally verify the issuer's authority.
> To connect to s3.amazonaws.com insecurely, use `--no-check-certificate'.
> Unable to establish SSL connection.
>
> I'm about to just change oinkmaster.pl to --no-check-certificate, but I'd
> like to get this to work with SSL.  Have to admit...sure would have been
> nice to know this was taking place..maybe I didn't look hard enough
> onilne.
>
> James
>
> > I don't know how to correct these problems on Windows.  Maybe another
> > Windows user can chime in here, but I haven't used Windows since about
> > 2003.
> >
> >
> > On Jul 13, 2010, at 10:31 AM, Alejandro Cabrera Obed wrote:
> >
> > > Now I get this error message when downloading the rules with
> > > oinkmaster.pl:
> > >
> > > Loading Perl modules.
> > > Downloading file from
> > > http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2
> > > 853.tar.gz...
> > > Proxy must be specified as absolute URI; '10.4.1.10:8080' is not at
> > > c:\oinkmaster-2.0\oinkmaster.pl line 936
> > >
> > > What can I do ??? My HTTP_proxy variable is an environment variable
> > > set up in Windows...
> > >
> > > Special thanks
> > >
> > > 2010/7/12 Joel Esler <jesler () sourcefire com>:
> > > > The --no-check-certificate problem is a result of having old CA
> > > > Certificates on your box.  Please read the snort-users archive, like
> > > > this: http://marc.info/?l=snort-users&m=127791856110280&w=2
> > > >
> > > > Joel
> > > >
> > > > On Jul 12, 2010, at 9:45 PM, Alejandro Cabrera Obed wrote:
> > > >
> > > > > In my Windows I put these two environment variables:
> > > > >
> > > > > HTTP_proxy = http://10.10.2.1
> > > > >
> > > > > HTTPS_proxy = https://10.10.12.1 (and later http://10.10.12.1)
> > > > >
> > > > > But I continue receiveing the error:
> > > > >
> > > > > oinkmaster.pl: Error: could not download from
> > > > > http://www.snort.org/pub-bin/oinkmaster.cgi
> > > > > /*my_oinkcode*/snortrules-snapshot-2853.tar.gz: 500 Can't connect to
> > > > > s3.amazonaws.com:443 (Bad hostname 's3.amazonaws.com')
> > > > >
> > > > > If I download the rules from my web browser I succeed !!!
> > > > >
> > > > > Any idea ???
> > > > >
> > > > > Thanks again.
> > > > >
> > > > >
> > > > > 2010/7/12 James Lay <jlay () slave-tothe-box net>:
> > > > > > From: Fábio Ferrão <ferrao04 () gmail com>
> > > > > > Date: Thu, 8 Jul 2010 10:07:33 -0300
> > > > > > To: Snort <snort-users () lists sourceforge net>
> > > > > > Subject: [Snort-users] Oinkmaster can't get rules
> > > > > >
> > > > > > <snip>
> > > > > > [prompt]# /usr/local/bin/oinkmaster -o /usr/local/snort/rules/rules >
> > > > > > /home/suporte/oinkmaster.update
> > > > > > Loading /usr/local/etc/oinkmaster.conf
> > > > > > Downloading file
> > > > > > from
> > > > > > http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapsho
> > > > > > t-2853.tar.gz...
> > > > > > /usr/local/bin/oinkmaster: Error: could not download
> > > > > > from
> > > > > > http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapsho
> > > > > > t-2853.tar.gz.
> > > > > > Output from wget follows:
> > > > > >
> > > > > >  
> > > > > > http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapsho
> > > > > > t-2853.tar.gzResolving
> > > > > > www.snort.org...
> > > > > > 68.177.102.20
> > > > > > Connecting to www.snort.org <http://www.snort.org>
> > > > > > |68.177.102.20|:80...
> > > > > > connected.
> > > > > > HTTP request sent, awaiting response... 403 Forbidden
> > > > > > 2010-07-06 13:18:43 ERROR 403: Forbidden.
> > > > > >
> > > > > > <snip>
> > > > > >
> > > > > > I am receiving exactly the same thing, even though I¹ve modified my
> > > > > > my
> > > > > > oinkmaster.pl to reflect the ‹no-check-certificate.  It seems like
> > > > > > sometime
> > > > > > a redirect doesn¹t fire since I get to 68.177.102.20, and instead of
> > > > > > the 302
> > > > > > redirect, simply a 403 and dumped.  Anyone else besides myself and
> > > > > > the OP
> > > > > > seeing this?  Thanks.
> > > > > >
> > > > > > James
> > > > > > -------------------------------------------------------------------------
> > > > > > -----
> > > > > > This SF.net email is sponsored by Sprint
> > > > > > What will you do first with EVO, the first 4G phone?
> > > > > > Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> > > > > > _______________________________________________
> > > > > > Snort-users mailing list
> > > > > > Snort-users () lists sourceforge net
> > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > Snort-users list archive:
> > > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Alejandro Cabrera Obed
> > > > > aco1967 () gmail com
> > > > > www.alejandrocabrera.com.ar
> > > > >
> > > > > --------------------------------------------------------------------------
> > > > > ----
> > > > > This SF.net email is sponsored by Sprint
> > > > > What will you do first with EVO, the first 4G phone?
> > > > > Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > >
> > >
> > > --
> > > Alejandro Cabrera Obed
> > > aco1967 () gmail com
> > > www.alejandrocabrera.com.ar
----------------------------------------------------------------------------->>
-
> > This SF.net email is sponsored by Sprint
> > What will you do first with EVO, the first 4G phone?
> > Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users