Re: FW: Oinkmaster can't get rules

[JJC <cummingsj () gmail com>]

You are attempting to retrieve an invalid tarball
(snortrules-snapshot-2.8.tar.gz)..

you need to use one of the following at this time:
snortrules-snapshot-2853.tar.gz
snortrules-snapshot-2860.tar.gz
snortrules-snapshot-2861.tar.gz

Please take note also of what Nigel said, that the 2853 rules will remain
for 90 days to give you time to upgrade!  And on another note, there is an
updated version of pulledpork that has many bugfixes..

JJC





On Mon, Jul 26, 2010 at 12:28 AM, Jun Wan <junwei_wan () hotmail com> wrote:

>  Ok, I downloaded Pulled Pork v0.3.4, follow the "Readme", instead of
> using:
> ./pulledpork.pl -c pulledpork.conf -i disablesid.conf -b dropsid.conf -m
> /usr/local/etc/snort/sid-msg.map \
> -h /var/log/sid_changes.log -I security -H
>
> I used this on my Windows XP:
>
> C:\snort\pulledpork-0.3.4>pulledpork.pl -c pulledpork.conf -i
> disablesid.conf -b
>  dropsid.conf -m c:\snort\etc\sid-msg.map -h c:\snort\log\sid_changes.log
> -I sec
> urity -H
>
> And then I got this:
>
> http://code.google.com/p/pulledpork/
> _____ ____
> `----,\ )
> `--==\\ / Pulled_Pork v0.3.4
> `--==\\/
> .-~~~~-.Y|\\_ Copyright (C) 2009-2010 JJ Cummings
> @_/ / 66\_ cummingsj () gmail com
> | \ \ _(")
> \ /-| ||'--' Rules give me wings!
> \_\ \_\\
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Checking latest MD5....
> A 403 error occured, please wait for the 15 minute timeout
> to expire before trying again or specify the -n runtime switch
> Error 403 when fetching http://www.snort.org/pub-bin/oinkmaster.cgi/snor
> trules-snapshot-2.8.tar.gz.md5 at C:\snort\pulledpork-0.3.4\pulledpork.plline 2
> 69.
>
> After 25 minutes, I tried again, same error.
>
> I would like to know what is wrong and any info and help would be
> appreciated.
>
> Many thanks in advance.
>
> Regards
>
> John
> ------------------------------
> From: junwei_wan () hotmail com
> To: snort-users () lists sourceforge net
> Date: Mon, 26 Jul 2010 03:55:34 +0000
>
> Subject: Re: [Snort-users] Oinkmaster can't get rules
>
> Hi, I am unable to update the rules via Oinkmaster (it was okay before), My
> snort (2.8.5.3) is running on my Windows XP, I am getting an error: 404
> forbidden message, please see the attached info.
>
> I will use Pulled Pork in the near future, but now I would like to fix this
> issue with rules update&Oinkmaster.
>
> Any information and help would be appreciated.
>
> Thanks
>
> Regards
>
> John
>
> > From: jesler () sourcefire com
> > Date: Tue, 13 Jul 2010 10:35:19 -0400
> > To: aco1967 () gmail com
> > CC: jlay () slave-tothe-box net; snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] Oinkmaster can't get rules
> >
> > I don't know how to correct these problems on Windows. Maybe another
> Windows user can chime in here, but I haven't used Windows since about 2003.
> > On Jul 13, 2010, at 10:31 AM, Alejandro Cabrera Obed wrote:
> >
> > > Now I get this error message when downloading the rules with
> oinkmaster.pl:
> > > Loading Perl modules.
> > > Downloading file from
> http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2853.tar.gz.
> ..
> > > Proxy must be specified as absolute URI; '10.4.1.10:8080' is not at
> > > c:\oinkmaster-2.0\oinkmaster.pl line 936
> > >
> > > What can I do ??? My HTTP_proxy variable is an environment variable
> > > set up in Windows...
> > >
> > > Special thanks
> > >
> > > 2010/7/12 Joel Esler <jesler () sourcefire com>:
> > > > The --no-check-certificate problem is a result of having old CA
> Certificates on your box. Please read the snort-users archive, like this:
> http://marc.info/?l=snort-users&m=127791856110280&w=2
> > > > Joel
> > > >
> > > > On Jul 12, 2010, at 9:45 PM, Alejandro Cabrera Obed wrote:
> > > >
> > > > > In my Windows I put these two environment variables:
> > > > >
> > > > > HTTP_proxy = http://10.10.2.1
> > > > >
> > > > > HTTPS_proxy = https://10.10.12.1 (and later http://10.10.12.1)
> > > > >
> > > > > But I continue receiveing the error:
> > > > >
> > > > > oinkmaster.pl: Error: could not download from
> > > > > http://www.snort.org/pub-bin/oinkmaster.cgi
> > > > > /*my_oinkcode*/snortrules-snapshot-2853.tar.gz: 500 Can't connect to
> > > > > s3.amazonaws.com:443 (Bad hostname 's3.amazonaws.com')
> > > > >
> > > > > If I download the rules from my web browser I succeed !!!
> > > > >
> > > > > Any idea ???
> > > > >
> > > > > Thanks again.
> > > > >
> > > > >
> > > > > 2010/7/12 James Lay <jlay () slave-tothe-box net>:
> > > > > > From: Fábio Ferrão <ferrao04 () gmail com>
> > > > > > Date: Thu, 8 Jul 2010 10:07:33 -0300
> > > > > > To: Snort <snort-users () lists sourceforge net>
> > > > > > Subject: [Snort-users] Oinkmaster can't get rules
> > > > > >
> > > > > > <snip>
> > > > > > [prompt]# /usr/local/bin/oinkmaster -o /usr/local/snort/rules/rules
> >
> > > > > > /home/suporte/oinkmaster.update
> > > > > > Loading /usr/local/etc/oinkmaster.conf
> > > > > > Downloading file
> > > > > > from
> http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2853.tar.gz.
> ..
> > > > > > /usr/local/bin/oinkmaster: Error: could not download
> > > > > > from
> http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2853.tar.gz
> .
> > > > > > Output from wget follows:
> http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2853.tar.gzResolvingwww.snort.org...
> > > > > > 68.177.102.20
> > > > > > Connecting to www.snort.org <http://www.snort.org>
> |68.177.102.20|:80...
> > > > > > connected.
> > > > > > HTTP request sent, awaiting response... 403 Forbidden
> > > > > > 2010-07-06 13:18:43 ERROR 403: Forbidden.
> > > > > >
> > > > > > <snip>
> > > > > >
> > > > > > I am receiving exactly the same thing, even though I’ve modified my
> my
> > > > > > oinkmaster.pl to reflect the —no-check-certificate. It seems like
> sometime
> > > > > > a redirect doesn’t fire since I get to 68.177.102.20, and instead of
> the 302
> > > > > > redirect, simply a 403 and dumped. Anyone else besides myself and
> the OP
> > > > > > seeing this? Thanks.
> > > > > >
> > > > > > James
> ------------------------------------------------------------------------------
> > > > > > This SF.net email is sponsored by Sprint
> > > > > > What will you do first with EVO, the first 4G phone?
> > > > > > Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> > > > > > _______________________________________________
> > > > > > Snort-users mailing list
> > > > > > Snort-users () lists sourceforge net
> > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > Snort-users list archive:
> > > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Alejandro Cabrera Obed
> > > > > aco1967 () gmail com
> > > > > www.alejandrocabrera.com.ar
> ------------------------------------------------------------------------------
> > > > > This SF.net email is sponsored by Sprint
> > > > > What will you do first with EVO, the first 4G phone?
> > > > > Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > >
> > >
> > > --
> > > Alejandro Cabrera Obed
> > > aco1967 () gmail com
> > > www.alejandrocabrera.com.ar
> ------------------------------------------------------------------------------
> > This SF.net email is sponsored by Sprint
> > What will you do first with EVO, the first 4G phone?
> > Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> ------------------------------
> Find it at CarPoint.com.au New, Used, Demo, Dealer or Private?<http://clk.atdmt.com/NMN/go/206222968/direct/01/>
> ------------------------------
> Find it at CarPoint.com.au New, Used, Demo, Dealer or Private?<http://clk.atdmt.com/NMN/go/206222968/direct/01/>
>
>
> ------------------------------------------------------------------------------
> The Palm PDK Hot Apps Program offers developers who use the
> Plug-In Development Kit to bring their C/C++ apps to Palm for a share
> of $1 Million in cash or HP Products. Visit us here for more details:
> http://ad.doubleclick.net/clk;226879339;13503038;l?
> http://clk.atdmt.com/CRS/go/247765532/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
The Palm PDK Hot Apps Program offers developers who use the
Plug-In Development Kit to bring their C/C++ apps to Palm for a share 
of $1 Million in cash or HP Products. Visit us here for more details:
http://ad.doubleclick.net/clk;226879339;13503038;l?
http://clk.atdmt.com/CRS/go/247765532/direct/01/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users