Snort mailing list archives

Re: still having download problems


From: JJC <cummingsj () gmail com>
Date: Thu, 1 Jul 2010 08:50:31 -0600

Do you know what version of LWP::Simple you are using?

On Thu, Jul 1, 2010 at 8:32 AM, John York <YorkJ () brcc edu> wrote:

I've updated to pulledpork 0.4.2 on my Ubuntu 8.04 box.  I also tried to
update the CA certs with apt-get, but they are already up to date.  When I
do a packet trace, I see the box go to Snort and ask for the rules.  Snort
replies that the rules have moved to s3.amazonaws.com.  At that point, my
box just gives up--I don't see any traffic where it even tries to connect
with amazon.  Any ideas?  I tried manually changing pp so it asked for
sub-rules instead of reg-rules, but both do the same thing.  The pp debug
output and https conversation are below, mangled to protect the oinkcode.

Thanks
John

PP debug

me@snort:~$ sudo apt-get install ca-certificates
[sudo] password for me:
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

me@snort:~$ sudo ./ppgo

 http://code.google.com/p/pulledpork/
     _____ ____
    `----,\    )
     `--==\\  /    Pulled_Pork v0.4.2
      `--==\\/
    .-~~~~-.Y|\\_  Copyright (C) 2009-2010 JJ Cummings
 @_/        /  66\_  cummingsj () gmail com
   |    \   \   _(")
    \   /-| ||'--'  Rules give me wings!
     \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Variable Debug:
       Config Path is:
/home/bryorkj/snortrules/pulledpork/etc/pulledpork.conf
       Path to disablesid file:
/home/bryorkj/snortrules/pulledpork/etc/disablesid.conf
       Verbose Flag is Set
       Extra Verbose Flag is Set
Config File Variable Debug
/home/bryorkj/snortrules/pulledpork/etc/pulledpork.conf
       snort_path = /usr/local/bin/snort
       pid_path = /var/run/snortd.pid
       rule_path = /usr/local/etc/snort/rules/snort.rules
       ignore = deleted,experimental,local
       rule_file = snortrules-snapshot-2860.tar.gz
       sid_changelog = /var/log/sid_changes.log
       sid_msg = /usr/local/etc/snort/sid-msg.map
       config_path = /usr/local/etc/snort/snort.conf
       sostub_path = /usr/local/etc/snort/rules/so_rules.rules
       oinkcode = 7025mangle-mangle7813
       temp_path = /tmp
       distro = Ubuntu-8.04
       base_url = http://www.snort.org/
       sorule_path = /usr/local/lib/snort_dynamicrules/
       version = 0.4.2
       disablesid = /usr/local/etc/snort/disablesid.conf
       local_rules = /usr/local/etc/snort/rules/local.rules
Checking latest MD5....
       Fetching md5sum for: snortrules-snapshot-2860.tar.gz.md5
       most recent rules file digest: d8b7b694e4f21b7406e3c86a32b362bf
Rules tarball download....
       Fetching rules file: snortrules-snapshot-2860.tar.gz
       Error 501 when fetching snortrules-snapshot-2860.tar.gz at
/home/bryorkj/snortrules/pulledpork/pulledpork.pl line 264.
       going to get this url:
http://www.snort.org/sub-rules/snortrules-snapshot-2860.tar.gz/7025mangle-mangle7813


HTTP conversation

GET /sub-rules/snortrules-snapshot-2860.tar.gz/7025mangle-mangle7813
HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.snort.org
User-Agent: LWP::Simple/5.820

HTTP/1.0 302 Moved Temporarily
Date: Thu, 01 Jul 2010 13:57:15 GMT
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
X-Runtime: 448
Cache-Control: no-cache
Set-Cookie:
_radiant_session=BAh7BjoPmangle-mangleDhmNDA%3D--777377mangle-mangled8cc;
path=/; HttpOnly
Location:
https://s3.amazonaws.com/snort.org/rules/20100629/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId=AKImangle-mangleQ&Expires=1277992665&Signature=mangle-mangle3D
Content-Length: 251
Status: 302
Content-Type: text/html; charset=utf-8
X-Cache: MISS from web610.br.vccs.edu
Via: 1.0 web610.br.vccs.edu:8080 (http_scan/4.0.2.6.19)
Connection: close

<html><body>You are being <a href="
https://s3.amazonaws.com/snort.org/rules/20100629/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId=AKImangle-mangle&amp;Expires=1277992665&amp;Signature=7ZFmangle-mangle4%3D
">redirected</a>.</body></html>




------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
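
An added example, not part of the original posts or of pulledpork: a local check for the symptom in the trace above, where a 302 points at an https:// URL and no further traffic leaves the box. It reports the installed LWP versions (the question asked in the reply) and whether this LWP has a handler for the redirect's scheme; the sample response and its host name are constructed placeholders.

```perl
#!/usr/bin/perl
# Added example: can the local LWP follow the scheme a redirect points to?
use strict;
use warnings;
use LWP::Simple ();
use LWP::UserAgent;
use HTTP::Response;
use URI;

# Constructed sample modelled on the 302 in the trace; host and query are placeholders.
my $raw = join "\n",
    'HTTP/1.0 302 Moved Temporarily',
    'Location: https://rules.example.invalid/snortrules-snapshot.tar.gz?Expires=0',
    'Content-Length: 0',
    '', '';

# Return the lower-cased scheme of the Location header, or undef if not a redirect.
sub redirect_scheme {
    my ($text) = @_;
    my $res = HTTP::Response->parse($text);
    return unless $res->is_redirect;
    my $loc = $res->header('Location') or return;
    return lc(URI->new($loc)->scheme || '');
}

printf "LWP::Simple %s, LWP::UserAgent %s\n",
    LWP::Simple->VERSION, LWP::UserAgent->VERSION;

# Modules that can supply TLS support to LWP, depending on the LWP release.
for my $mod (qw(Crypt::SSLeay IO::Socket::SSL LWP::Protocol::https)) {
    (my $file = "$mod.pm") =~ s{::}{/}g;
    my $ok = eval { require $file; 1 };
    printf "  %-22s %s\n", $mod, $ok ? 'installed' : 'not installed';
}

my $scheme = redirect_scheme($raw);
my $ua     = LWP::UserAgent->new;
if (!defined $scheme) {
    print "sample response is not a redirect\n";
}
elsif ($ua->is_protocol_supported($scheme)) {
    print "LWP can handle '$scheme' redirects on this host\n";
}
else {
    # With no handler for the scheme, LWP builds a 501 response itself
    # and never opens a connection to the redirect target.
    print "no LWP handler for '$scheme': expect a local 501 and no outbound traffic\n";
}
```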
