Snort mailing list archives

Re: Extracting snortrules-2931.tar.gz


From: Jeremy Hoel <jthoel () gmail com>
Date: Tue, 9 Oct 2012 21:14:31 +0000

Your command is fine, as long as it's on one long line. What's the
output once you enter
'wget http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<your oink code> -O snortrules-2931.tar.gz'

What does it show?

if it shows:

wget http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<your oink code> -O snortrules-2931.tar.gz
--2012-10-09 21:08:57--  http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<your oink code>
Resolving www.snort.org... 23.23.170.170
Connecting to www.snort.org|23.23.170.170|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2012-10-09 21:08:58 ERROR 403: Forbidden.

then that's the problem.  It's forbidden due to a timeout on the oink
code.. it can only be used once in 15 minutes.  You might try getting
a new one and not sharing it on the list since someone else could be
using it.. or you could have another process trying to use it on your
same box.


it should show something like..

wget http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<my code removed> -O snortrules-2931.tar.gz
--2012-10-09 21:11:00--  http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<my code removed>
Resolving www.snort.org... 23.23.170.170
Connecting to www.snort.org|23.23.170.170|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://s3.amazonaws.com/snort-org/www/rules/20120906/snortrules-snapshot-2931.tar.gz?AWSAccessKeyId=AKIAJJSHU7YNPLE5MKOQ&Expires=1349817361&Signature=85H8TzuDRSBsHob9%2BLbqYFdPgAk%3D [following]
--2012-10-09 21:11:01--  http://s3.amazonaws.com/snort-org/www/rules/20120906/snortrules-snapshot-2931.tar.gz?AWSAccessKeyId=AKIAJJSHU7YNPLE5MKOQ&Expires=1349817361&Signature=85H8TzuDRSBsHob9%2BLbqYFdPgAk%3D
Resolving s3.amazonaws.com... 72.21.203.148
Connecting to s3.amazonaws.com|72.21.203.148|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22471221 (21M) [binary/octet-stream]
Saving to: “snortrules-2931.tar.gz”

19% [==========================>          ] 4,369,969    187K/s  eta 1m 50s


And finish up at 21 Megs.. then the tar command should work.
2012-10-09 21:13:53 (144 KB/s) - “snortrules-2931.tar.gz” saved [22471221/22471221]

then you run the tar command.




On Tue, Oct 9, 2012 at 9:05 PM, Akinwale Fasuru <fashman2k1 () yahoo com> wrote:
Hey Jeremy,
Here is the command I used;

wget
http://www.snort.org/sub-rules/snortrules-snapshot-
2931.tar.gz/3b6de1b425e1a20c6f85e705f3631bc958ad11db -O snortrules-2931.tar.gz

Then I issued this command:

tar xzvf snortrules-2931.tar.gz

Then it came up with this again:

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now

And my internet connection is fine.

Pls what do u think?



--- On Tue, 10/9/12, Jeremy Hoel <jthoel () gmail com> wrote:

From: Jeremy Hoel <jthoel () gmail com>
Subject: Re: [Snort-users] Extracting snortrules-2931.tar.gz
To: "AllowOverride" <allowoverride () gmail com>
Cc: "snort-users" <snort-users () lists sourceforge net>
Date: Tuesday, October 9, 2012, 3:17 PM
And like I said in the email before you responded, you can find the
file name right from the website.. when you click download rules.
http://snort.org/snort-rules/?

Snort v2.9
MD5 - 09 Oct, 2012
snortrules-snapshot-2931.tar.gz
MD5 - 09 Oct, 2012
snortrules-snapshot-2912.tar.gz
MD5 - 09 Oct, 2012
snortrules-snapshot-2923.tar.gz
MD5 - 09 Oct, 2012
snortrules-snapshot-2930.tar.gz



It's right there.. you just have to look at the page.
Reading is fundamental.




On Tue, Oct 9, 2012 at 8:16 PM, AllowOverride <allowoverride () gmail com> wrote:
we don't know the file name!!! sheshh

On Tue, 2012-10-09 at 20:02 +0000, Jeremy Hoel wrote:
The page shows:

wget http://www.snort.org/sub-rules/<filename>/<oinkcode here> \
             -O <output-filename>


It's pretty clear.  Put the proper, correct, current filename where it
says filename and things work.  They shouldn't have to hold hands and
walk through the whole thing.

When you try and use examples you have to expect and realize that the
example might be out of date and maybe try and figure out what it
might take to make it work.



On Tue, Oct 9, 2012 at 7:51 PM, AllowOverride <allowoverride () gmail com> wrote:
when I say something doesn't work, I mean, it doesn't work:

wget http://www.snort.org/sub-rules/snortrules-snapshot-2900.tar.gz/hidden-sorry
--2012-10-09 12:44:42--  http://www.snort.org/sub-rules/snortrules-snapshot-2900.tar.gz/hidden-sorry
Resolving www.snort.org... 23.23.170.170
Connecting to www.snort.org|23.23.170.170|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2012-10-09 12:44:42 ERROR 403: Forbidden.

wget http://www.snort.org/reg-rules/snortrules-snapshot-2900.tar.gz/sorry-hidden
--2012-10-09 12:45:54--  http://www.snort.org/reg-rules/snortrules-snapshot-2900.tar.gz/sorry-hidden
Resolving www.snort.org... 23.23.143.143
Connecting to www.snort.org|23.23.143.143|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2012-10-09 12:45:56 ERROR 403: Forbidden.

and just for good measure

wget http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/sorry-hidden
--2012-10-09 12:47:03--  http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/hidden-again
Resolving www.snort.org... 23.23.170.170
Connecting to www.snort.org|23.23.170.170|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2012-10-09 12:47:04 ERROR 403: Forbidden.


now. the last one shouldn't work, because I'm not a registered user
the sub rules works if you know what you are doing...

If you include 2931 in place of 2900 it will work, only if you are in the
system for oinkcode. BUT, that is not what is autopopulated for you on
the oinkcode page. it says, 2900. it won't work.

all I am saying fix is, change it to reflect the CURRENT version. that's
all. not everyone will catch it, and ya know, end up asking the question
here.

let's let the developers put the current version as well. takes what, 2
seconds and saves users HOURS of wtf.. headaches...

thanks



On Tue, 2012-10-09 at 19:19 +0000, Jeremy Hoel wrote:
The link he was using worked fine for me. I tested the get and got the
rules with no problem.. with the link he had. His problem is not
related to a bad link.

The examples show that you need a file name
(http://snort.org/snort-rules/cli) and when you go to the page before,
the main download page (http://snort.org/snort-rules/?), it shows the
file names. They are not trying to make this overly confusing and
hard.. but it does require some effort and understanding on the
installer's part. Or, you could sign in and grab them from the gui, or
use pullpork.  3 different methods to get the rules..

The examples are generic enough that they don't have to change
whenever the rule file changes.  Let's let the developers work on
keeping the software fixed and not worry about the web page not having
the most specific instructions.


On Tue, Oct 9, 2012 at 7:12 PM, AllowOverride <allowoverride () gmail com> wrote:
jer,
I tried the preferred method displayed on oinkcode page.
it doesn't work for sub/reg unless you know to put 2931. also, other
methods of wget'ing the url according to docs are supposed to work but
do not, unless you know the exact file name, and that's not always easy to
find on the ftp site, or by other methods.

just a heads up, that kept me off task for a few days trying to figure
it out.

suggestion... fix the examples on the oinkcode page.



On Tue, 2012-10-09 at 17:12 +0000, Jeremy Hoel wrote:
The answer is in the text file that you sent back.

2012-10-04 14:07:24 ERROR 403: Forbidden.

so however you tried to get the file, it didn't work.  If you used
wget and an oink code then you need to check the code.


On Tue, Oct 9, 2012 at 4:59 PM, Akinwale Fasuru <fashman2k1 () yahoo com> wrote:
Here is what I gath after running cat....

--2012-10-04 14:07:23--  http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/3b6de1b425e1a20c6f85e705f3631bc958ad11db
Resolving www.snort.org... 23.23.170.170
Connecting to www.snort.org|23.23.170.170|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2012-10-04 14:07:24 ERROR 403: Forbidden.


What do u think?


--- On Tue, 10/9/12, Jeremy Hoel <jthoel () gmail com> wrote:

From: Jeremy Hoel <jthoel () gmail com>
Subject: Re: [Snort-users] Extracting snortrules-2931.tar.gz
To: "Akinwale Fasuru" <fashman2k1 () yahoo com>
Cc: snort-users () lists sourceforge net
Date: Tuesday, October 9, 2012, 11:53 AM
to check the size of a file, go to the directory where the file is and
run 'ls -al'.

But since 'file' said it's text and not a tar.gz or zip file, then
that's the problem.  Your download is not correct.

go ahead and run 'cat snortrules-2931.tar.gz'



On Tue, Oct 9, 2012 at 4:50 PM, Akinwale Fasuru <fashman2k1 () yahoo com> wrote:
I replied to the email you sent earlier saying that I didn't know how to check
for the size of the file. But I did run the command u asked me, here is the response


snortrules-2931.tar.gz: ASCII text


--- On Tue, 10/9/12, Jeremy Hoel <jthoel () gmail com> wrote:

From: Jeremy Hoel <jthoel () gmail com>
Subject: Re: [Snort-users] Extracting snortrules-2931.tar.gz
To: "Akinwale Fasuru" <fashman2k1 () yahoo com>
Cc: snort-users () lists sourceforge net
Date: Tuesday, October 9, 2012, 11:46 AM
You never got back to me about the size of the file and if the file
was complete.

the error makes it sound like it's not a tar.gz file.

you need to verify you got the whole file and that it's not
just a text error.

run 'file snortrules-2931.tar.gz' and see what it says.

On Tue, Oct 9, 2012 at 4:29 PM, Akinwale Fasuru <fashman2k1 () yahoo com> wrote:
Hello everyone,
I am still having problems extracting snortrules-2931.tar.gz

tar -xzvf snortrules-2931.tar.gz
I get this error message

zip: stdin: not in gzip format

tar: Child returned status 1

tar: Error is not recoverable: exiting now




------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




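The checks walked through in this thread (is the saved file empty, is it really gzip, is it complete) can be run before `tar` is ever called, so a saved error message is reported as such instead of surfacing as "not in gzip format". This is an added example, not part of the original thread; the function names are hypothetical, and the optional MD5 argument is assumed to be the value copied by hand from the rules download page.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# is_gzip FILE: succeed only if FILE begins with the gzip magic bytes 1f 8b.
is_gzip() {
    [ -s "$1" ] || return 1
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    [ "$magic" = "1f8b" ]
}

# file_md5 FILE: print the lowercase hex MD5 of FILE.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"            # BSD/macOS fallback
    fi
}

# check_rules_tarball FILE [EXPECTED_MD5]
# Returns 0 ok, 2 missing/empty, 3 not gzip (e.g. a saved error message),
# 4 truncated or corrupt gzip stream, 5 MD5 mismatch.
check_rules_tarball() {
    f=$1; want=${2:-}
    [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 2; }
    if ! is_gzip "$f"; then
        echo "$f: not gzip; first line of what was saved:" >&2
        head -n 1 "$f" | cut -c1-120 >&2
        return 3
    fi
    gzip -t "$f" 2>/dev/null || { echo "$f: truncated or corrupt" >&2; return 4; }
    if [ -n "$want" ] && [ "$(file_md5 "$f")" != "$want" ]; then
        echo "$f: MD5 does not match the published value" >&2
        return 5
    fi
    return 0
}

# extract_rules FILE DESTDIR [EXPECTED_MD5]: extract only after the checks pass.
extract_rules() {
    check_rules_tarball "$1" "${3:-}" || return $?
    mkdir -p "$2" && tar -xzf "$1" -C "$2"
}
```

The MD5 comparison only catches a damaged or wrong download; it does not authenticate a file fetched over plain HTTP.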