Snort mailing list archives

Re: Intermittent Pulled Pork Error


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 17 Feb 2011 10:46:57 -0500

Yup.. I agree.  Was just trying to make your life easier.

As Nigel said before tho, we've forwarded this over to our web-team for them to look at.

Joel

On Feb 17, 2011, at 10:37 AM, Weir, Jason wrote:

Thanks Joel...

I'd prefer updates as soon as they are available (within a couple hours
at least) without manual intervention - thus the frequent checking via
cron.

The hash file is less than 1K - I would suspect I could check it on the
minute and not overload the cloud...

-J

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Thursday, February 17, 2011 10:29 AM
To: Weir, Jason
Cc: Nigel Houghton; Snort Users
Subject: Re: [Snort-users] Intermittent Pulled Pork Error


I'll let JJ address the PP area,

However, you are correct.  One of the advantages of 
PulledPork is that it checks the md5 to see if there is a 
difference in the ruleset before an attempted download.

My reason for asking is because we generally only release 
rules, probably twice a week.  (sometimes more, depending on 
what's going on)

Joel

On Feb 17, 2011, at 8:29 AM, Weir, Jason wrote:

Unless I'm incorrect - I'm only pulling rules when the md5 hash file has
changed... I do have PP checking every couple hours (cron) for an
updated md5.

I know that's way more often than you push updates, but it should have
no effect on the file availability...

FYI - overnight PP fetching the 2.9.0.4 rules failed half the time,
another sensor still using oinkmaster fetching the 2.8.6.1 rules worked
without error every time..

So maybe this is a PP problem???

-J

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Wednesday, February 16, 2011 10:04 PM
To: Weir, Jason
Cc: Nigel Houghton; Snort Users
Subject: Re: [Snort-users] Intermittent Pulled Pork Error


We shouldn't. We've notified the web-team. How often are you 
trying to pull rule updates?  Just out of curiosity. 

-- 
Sent from my iPad
Please excuse the brevity

On Feb 16, 2011, at 4:04 PM, "Weir, Jason" <jason.weir () nhrs org> wrote:

Nigel,

I changed the rules file name to snortrules-snapshot-edge.tar.gz as
indicated below and I'm intermittently still getting the 500 error..

"Error 500 when fetching
https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at
/usr/local/bin/pulledpork.pl line 390"

Just tried it manually and it worked fine...  You guys having a delivery
problem?

-J

-----Original Message-----
From: Nigel Houghton [mailto:nhoughton () sourcefire com] 
Sent: Wednesday, February 16, 2011 1:38 PM
To: Weir, Jason
Cc: Snort Users
Subject: Re: [Snort-users] Intermittent Pulled Pork Error


On Wed, 16 Feb 2011 13:32:45 -0500, Nigel Houghton wrote:
On Wed, 16 Feb 2011 13:05:09 -0500, Weir, Jason wrote:
Doesn't happen all of the time...

Error 500 when fetching
https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at
/usr/local/bin/pulledpork.pl line 390

-J

That's not a PulledPork error, that's a website error. The file isn't
there, which strictly speaking shouldn't be a 500 server error, but
since the application that handles looking for the file can't find it,
the server will return the application error instead of a 404 not found.

With that said, I'll forward this to our Snort web team for
investigation.

Actually, no I won't. After looking at snort.org I see that the 2.9.0.4
rule set is not yet available for registered users. So, you'll get a
404 (or 500) for the rules file too.

You can fix this for future use by using
snortrules-snapshot-edge.tar.gz as the name of your rules file. That
way, you will get the latest version of rules for either registered or
subscriber rules automatically. Right now, for registered users this
will be a 2.9.0.3 rule set. Which should work with 2.9.0.4.

Now, per the rules of the drinking game, I will be taking a shot or two
for replying to my own email.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/



--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
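
The update check discussed in this thread (fetch the small .md5 file, download the tarball only when the hash changed), with backoff on the intermittent 5xx responses, as an added example that is not part of the original messages and is not PulledPork's code. The `fetch` callable, the function names and the constructed flaky server are assumptions made for the illustration.

```python
import hashlib
import time

def fetch_with_retry(fetch, url, attempts=4, base_delay=1.0, sleep=time.sleep):
    """fetch(url) -> (status, body). Retry HTTP 5xx with exponential backoff."""
    for attempt in range(attempts):
        status, body = fetch(url)
        if status == 200:
            return body
        if not 500 <= status < 600:
            break  # 4xx (e.g. file not published yet): retrying will not help
        if attempt < attempts - 1:
            sleep(base_delay * 2 ** attempt)
    raise RuntimeError(f"HTTP {status} fetching {url}")

def update_rules(fetch, base_url, tarball, last_md5, **retry):
    """Return (md5, data); data is None when the published hash is unchanged."""
    md5_body = fetch_with_retry(fetch, f"{base_url}/{tarball}.md5", **retry)
    remote = md5_body.decode("ascii").split()[0].lower()
    if remote == last_md5:
        return last_md5, None  # nothing new: the large file is never requested
    data = fetch_with_retry(fetch, f"{base_url}/{tarball}", **retry)
    # MD5 here only detects a changed or damaged download; it is not a signature.
    if hashlib.md5(data).hexdigest() != remote:
        raise ValueError("tarball does not match the published md5")
    return remote, data

def make_flaky_server(files, fail_first):
    """Constructed stand-in for the rule server: 500 for the first N requests."""
    calls = []
    def fetch(url):
        calls.append(url)
        if len(calls) <= fail_first:
            return 500, b""
        return (200, files[url]) if url in files else (404, b"")
    return fetch, calls
```

In a cron job the returned md5 would be persisted between runs, and a raised `RuntimeError` logged so a run of failures is visible rather than silently skipped.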

