Snort mailing list archives

Re: rule download problem


From: JJC <cummingsj () gmail com>
Date: Thu, 1 Jul 2010 08:27:45 -0600

I have not been able to reproduce this, but I suspect that it is related to
one of two things:

   1. An outdated LWP::Simple PM
   2. The same issue causing some issues with wget / oinkmaster etc. (root
   CA update)


On Wed, Jun 30, 2010 at 5:49 PM, Joel Esler <jesler () sourcefire com> wrote:

Ah, you did.  Sorry, too much email (as you can probably imagine).  Missed
the output.  I'll defer this to JJ.


On Jun 30, 2010, at 7:45 PM, Jefferson, Shawn wrote:

Hi,


What I posted was basically the output, minus the stuff about so_rules and
local paths.  I can post more if JJ would like it.


Thanks
Shawn


------------------------------
*From:* Joel Esler [mailto:jesler () sourcefire com]
*Sent:* Wednesday, June 30, 2010 4:44 PM
*To:* Jefferson, Shawn
*Cc:* Crook, Parker; snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] rule download problem


Mine worked fine.  Can you send the output of pulledpork run with -vv on
it?  Maybe JJ can chime in a bit later.




On Jun 30, 2010, at 7:39 PM, Jefferson, Shawn wrote:


Hi,


No, this is a new installation.  I am using Oinkmaster but thought this
might be a good opportunity to upgrade to pulled pork.  A packet capture
shows the download of the md5 working properly, but the download of the
rules file gets a 302 redirect, and then nothing else.  Pulled Pork doesn’t
follow the redirect maybe?


------------------------------
*From:* Joel Esler [mailto:jesler () sourcefire com]
*Sent:* Wednesday, June 30, 2010 4:36 PM
*To:* Jefferson, Shawn
*Cc:* Crook, Parker; snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] rule download problem


Are you using the pulledpork.conf file from your old pulledpork
installation?


Can't do that.




On Jun 30, 2010, at 7:31 PM, Jefferson, Shawn wrote:

What was the solution to this? I’m trying to set up Pulled Pork using the
new download location and am getting the same error (501) when trying to
download the tar.gz file.


Checking latest MD5....
        Fetching md5sum for: snortrules-snapshot-2853.tar.gz.md5
        most recent rules file digest: aa012e45a5756acabb0e8c31e862f336
Rules tarball download....
        Fetching rules file: snortrules-snapshot-2853.tar.gz
        Error 501 when fetching snortrules-snapshot-2853.tar.gz at ./pulledpork.pl line 261.


Do I have the right settings?


        rule_file = snortrules-snapshot-2853.tar.gz
        base_url = http://www.snort.org/sub-rules
        version = 0.4.2






------------------------------
*From:* Crook, Parker [mailto:Parker_Crook () reyrey com]
*Sent:* Tuesday, June 29, 2010 8:35 AM
*To:* 'JJC'; John York
*Cc:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] rule download problem


JJ,


I’ve waited the morning out to see if this would clear up, but I’ve been
ping-ponging back and forth between 501 and 403 errors when using the Pulled
Pork svn to try and download the new rules.  Below is the verbose output…
any words of advice here?


snort-lab:/etc/snort/pulledpork# ./pulledpork.pl -c etc/pulledpork.conf -vv


    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    Pulled_Pork v0.4.2
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2010 JJ Cummings
  @_/        /  66\_  cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Command Line Variable Debug:
        Config Path is: etc/pulledpork.conf
        Verbose Flag is Set
        Extra Verbose Flag is Set
Config File Variable Debug etc/pulledpork.conf
        snort_path = /usr/local/bin/snort
        pid_path = /var/run/snort_eth0.pid
        rule_path = /etc/snort/rules/snort.rules
        ignore = deleted,experimental,local
        rule_file = snortrules-snapshot-2860.tar.gz
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /etc/snort/sid-msg.map
        config_path = /etc/snort/snort.conf
        sostub_path = /etc/snort/rules/so_rules.rules
        oinkcode = <oinkcode obfuscated>
        temp_path = /tmp
        distro = Debian-Lenny
        base_url = http://www.snort.org/
        sorule_path = /usr/local/lib/snort_dynamicrules/
        version = 0.4.2
        disablesid = /usr/local/etc/snort/disablesid.conf
        local_rules = /etc/snort/rules/local.rules
Checking latest MD5....
        Fetching md5sum for: snortrules-snapshot-2860.tar.gz.md5
        most recent rules file digest: b3cb777fac21999675e8cf5696865fa5
        current local rules file  digest: 4a7877208481756881a66f7cadcff98b
        The MD5 for snortrules-snapshot-2860.tar.gz did not match the latest digest... so I am gonna fetch the latest rules file!
Rules tarball download....
        Fetching rules file: snortrules-snapshot-2860.tar.gz
        Error 501 when fetching snortrules-snapshot-2860.tar.gz at ./pulledpork.pl line 262.


-Parker
------------------------------
*From:* JJC [mailto:cummingsj () gmail com]
*Sent:* Tuesday, June 29, 2010 10:32 AM
*To:* John York
*Cc:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] rule download problem


The rule download location has changed, you will want to get the latest
version of pulledpork from svn (0.4.2) or wait until the tarball is released
shortly.



JJC
On Tue, Jun 29, 2010 at 7:25 AM, John York <YorkJ () brcc edu> wrote:
I've been using PulledPork (v 0.4.1 Stumbling Leprechaun) to get my rules,
but in the last week or so it has started giving this error:
Error 403 when fetching
http://www.snort.org/pub-bin/oinkmaster.cgi/snortrules-snapshot-2860_s.tar.gz.md5
 at /home/xxxx/snortrules/pulledpork/pulledpork.pl line 306

It does this even if I wait several hours between attempts, so I don't
think the 15 min limit is involved.

These are the applicable lines from the conf file:
base_url=http://www.snort.org/pub-bin/oinkmaster.cgi
rule_file=snortrules-snapshot-2860_s.tar.gz

My subscription is up to date--I can log in to the web site and download
the rules ok.  Any ideas?

Thanks
John



------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
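
A diagnostic for the symptom discussed in this thread (the .md5 fetch succeeds, the tarball request answers 302), added here as an example and not taken from PulledPork or from any poster: it records every redirect hop and then checks the tarball against the published MD5. The local server, the `rules.tar.gz` name and the `/files/` redirect target are constructed stand-ins, and only plain HTTP is handled.

```python
import hashlib, http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

TARBALL = b"constructed stand-in for a rules tarball"  # constructed sample data
ROUTES = {  # constructed site: the .md5 answers 200, the tarball answers 302
    "/sub-rules/rules.tar.gz.md5": (200, hashlib.md5(TARBALL).hexdigest().encode(), None),
    "/sub-rules/rules.tar.gz": (302, b"", "/files/rules.tar.gz"),
    "/files/rules.tar.gz": (200, TARBALL, None),
}

class FakeRuleSite(BaseHTTPRequestHandler):
    def do_GET(self):
        code, body, location = ROUTES.get(self.path, (404, b"", None))
        self.send_response(code)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def fetch(url, max_hops=5):
    """GET url over plain HTTP, following redirects by hand; return (hops, body)."""
    hops = []
    for _ in range(max_hops):
        u = urlsplit(url)
        conn = http.client.HTTPConnection(u.netloc, timeout=5)
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        body, location = resp.read(), resp.getheader("Location")
        conn.close()
        hops.append((resp.status, u.path))  # one entry per request made
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            return hops, body
        url = urljoin(url, location)  # Location may be relative
    raise RuntimeError("redirect chain longer than max_hops")

def check_download(base_url, rule_file):
    """Fetch the published MD5, then the tarball, and compare the digests."""
    _, published = fetch(f"{base_url}/{rule_file}.md5")
    hops, tarball = fetch(f"{base_url}/{rule_file}")
    return hops, hashlib.md5(tarball).hexdigest() == published.decode().strip()

def demo():
    server = HTTPServer(("127.0.0.1", 0), FakeRuleSite)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return check_download(f"http://127.0.0.1:{server.server_port}/sub-rules", "rules.tar.gz")

if __name__ == "__main__":
    print(demo())
```

A hop list that ends on a 3xx status, or a digest mismatch after a 200, shows which step of the download failed.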


