Snort mailing list archives

Re: Intermittent Pulled Pork Error


From: "Weir, Jason" <jason.weir () nhrs org>
Date: Thu, 17 Feb 2011 13:37:30 -0500

I agree that it shouldn't be a PP problem but when oinkmaster works at
the same time it makes you wonder...

I added -vv per JJ below..

Now I'm trying to make it fail by running the script manually..

It works without error every time..  I'll have to wait for cron to run
it and if it fails I'll provide the output..

-J


-----Original Message-----
From: JJ Cummings [mailto:cummingsj () gmail com] 
Sent: Thursday, February 17, 2011 12:35 PM
To: Weir, Jason
Cc: Joel Esler; Snort Users; Nigel Houghton
Subject: Re: [Snort-users] Intermittent Pulled Pork Error


That is correct, md5 check then download or not, depending on hash
change... As to the intermittent failures, I don't see what could be
causing this in PP but if we can get the extra verbose output, might
prove useful... (-vv)

Sent from the iRoad

On Feb 17, 2011, at 5:29, "Weir, Jason" <jason.weir () nhrs org> wrote:

Unless I'm incorrect - I'm only pulling rules when the md5 hash file has
changed... I do have PP checking every couple hours (cron) for an
updated md5.

I know that's way more often than you push updates, but it should have
no effect on the file availability...

FYI - overnight PP fetching the 2.9.0.4 rules failed half the time,
another sensor still using oinkmaster fetching the 2.8.6.1 rules worked
without error every time..

So maybe this is a PP problem???

-J

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Wednesday, February 16, 2011 10:04 PM
To: Weir, Jason
Cc: Nigel Houghton; Snort Users
Subject: Re: [Snort-users] Intermittent Pulled Pork Error


We shouldn't. We've notified the web-team. How often are you trying to
pull rule updates? Just out of curiosity.

-- 
Sent from my iPad
Please excuse the brevity

On Feb 16, 2011, at 4:04 PM, "Weir, Jason" <jason.weir () nhrs org> wrote:

Nigel,

I changed the rules file name to snortrules-snapshot-edge.tar.gz as
indicated below and I'm intermittently still getting the 500 error..

"Error 500 when fetching
https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at
/usr/local/bin/pulledpork.pl line 390"

Just tried it manually and it worked fine...  You guys having a delivery
problem?

-J

-----Original Message-----
From: Nigel Houghton [mailto:nhoughton () sourcefire com] 
Sent: Wednesday, February 16, 2011 1:38 PM
To: Weir, Jason
Cc: Snort Users
Subject: Re: [Snort-users] Intermittent Pulled Pork Error


On Wed, 16 Feb 2011 13:32:45 -0500, Nigel Houghton wrote:
On Wed, 16 Feb 2011 13:05:09 -0500, Weir, Jason wrote:
Doesn't happen all of the time...

Error 500 when fetching
https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at
/usr/local/bin/pulledpork.pl line 390

-J

That's not a PulledPork error, that's a website error. The file isn't
there, which strictly speaking shouldn't be a 500 server error, but
since the application that handles looking for the file can't find it,
the server will return the application error instead of a 404 not found.

With that said, I'll forward this to our Snort web team for
investigation.

Actually, no I won't. After looking at snort.org I see that the 2.9.0.4
rule set is not yet available for registered users. So, you'll get a
404 (or 500) for the rules file too.

You can fix this for future use by using
snortrules-snapshot-edge.tar.gz as the name of your rules file. That
way, you will get the latest version of rules for either registered or
subscriber rules automatically. Right now, for registered users this
will be a 2.9.0.3 rule set. Which should work with 2.9.0.4.

Now, per the rules of the drinking game, I will be taking a shot or two
for replying to my own email.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/

