Snort mailing list archives

Re: 403 Error when attempting to pull rules using Pulled-Pork


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 20 Feb 2013 09:06:09 -0500

Send me your oinkcode off list, and I'll look into your code.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Wednesday, February 20, 2013 at 8:56 AM, Tamara Fisher wrote:

Thanks for the response Joel. Updated snort_version and reran after timeout expired. Getting same error. 

    Base URL is: https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>
Checking latest MD5 for snortrules-snapshot-2940.tar.gz....
    Fetching md5sum for: snortrules-snapshot-2940.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2940.tar.gz.md5/<my_oinkcode> ==> 
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
403 Forbidden
    A 403 error occurred, please wait for the 15 minute timeout
    to expire before trying again or specify the -n runtime switch
    You may also wish to verfiy your oinkcode, tarball name, and other configuration options
    Error 403 when fetching https://www.snort.org/sub-rules/snortrules-snapshot-2940.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 453
    main::md5file('<my_oinkcode>', 'snortrules-snapshot-2940.tar.gz', '/tmp/', 'https://www.snort.org/sub-rules/') called at /usr/local/bin/pulledpork.pl line 1758


On Wed, Feb 20, 2013 at 8:46 AM, Joel Esler <jesler () sourcefire com> wrote:
Add a 0 to the end of the "294" line.  2940.tar.gz.  It'll work.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Wednesday, February 20, 2013 at 8:41 AM, Tamara Fisher wrote:



Hi. 

I'm having issues when attempting to fetch subscriber rules and have questions. 

I use the following rule path:

https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>

but I notice that the GET request that is submitted is:

GET https://www.snort.org/reg-rules/snortrules-snapshot-294.tar.gz.md5/<my_oinkcode> ==> 
SSL_connect:before/connect initialization

Is it normal that the rule path shows sub-rules and GET request shows reg-rules? Can anyone see any issues with 
my config or have any suggestions?

I have checked that ca-certificates is installed and updated. I continue to wait 30 minutes between attempts, 
reconfigs and re-attempts but having same 403 error each time. 

Google is no longer helpful. 

Any help appreciated.

My extra verbose error:

Config File Variable Debug /etc/snort/pulledpork.conf
    snort_path = /usr/local/bin/snort
    enablesid = /etc/snort/enablesid.conf
    modifysid = /etc/snort/modifysid.conf
    rule_path = /etc/snort/rules/snort.rules
    ignore = deleted.rules,experimental.rules,local.rules
    rule_url = ARRAY(0x22e5400)
    snort_version = 2.9.4
    sid_changelog = /var/log/sid_changes.log
    sid_msg = /etc/snort/sid-msg.map
    ips_policy = security
    config_path = /etc/snort/snort.conf
    sostub_path = /etc/snort/so_rules
    temp_path = /tmp
    distro = RHEL-6.0
    version = 0.6.0
    sorule_path = /usr/local/lib/snort_dynamicrules/
    disablesid = /etc/snort/disablesid.conf
    local_rules = /etc/snort/rules/local.rules
MISC (CLI and Autovar) Variable Debug:
    arch Def is: x86-64
    Config Path is: /etc/snort/pulledpork.conf
    Distro Def is: RHEL-6.0
    security policy specified
    local.rules path is: /etc/snort/rules/local.rules
    Rules file is: /etc/snort/rules/snort.rules
    Path to disablesid file: /etc/snort/disablesid.conf
    Path to enablesid file: /etc/snort/enablesid.conf
    Path to modifysid file: /etc/snort/modifysid.conf
    sid changes will be logged to: /var/log/sid_changes.log
    sid-msg.map Output Path is: /etc/snort/sid-msg.map
    Snort Version is: 2.9.4
    Snort Config File: /etc/snort/snort.conf
    Snort Path is: /usr/local/bin/snort
    SO Output Path is: /usr/local/lib/snort_dynamicrules/
    SO Stub File is: /etc/snort/so_rules
    Extra Verbose Flag is Set
    Verbose Flag is Set
    Base URL is: https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>
Checking latest MD5 for snortrules-snapshot-294.tar.gz....
    Fetching md5sum for: snortrules-snapshot-294.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-294.tar.gz.md5/<my_oinkcode> ==> 
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
403 Forbidden
    A 403 error occurred, please wait for the 15 minute timeout
    to expire before trying again or specify the -n runtime switch
    You may also wish to verfiy your oinkcode, tarball name, and other configuration options
    Error 403 when fetching https://www.snort.org/sub-rules/snortrules-snapshot-294.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 453
    main::md5file('<my_oinkcode>', 'snortrules-snapshot-294.tar.gz', '/tmp/', 'https://www.snort.org/sub-rules/') called at /usr/local/bin/pulledpork.pl line 1758

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news! 
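
As an added example (not part of the original thread and not PulledPork's own code), a shell preflight check for the setting discussed above: it reads `snort_version` from a config file, derives the snapshot name by removing the dots as the verbose output shows (2.9.4 gives 294), and flags a version that lacks the fourth component the reply asks for. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight check for snort_version in a pulledpork.conf-style file.

# Print the snort_version value from a "key = value" config file.
# Lines starting with '#' are comments and never match.
conf_snort_version() {
    sed -n 's/^[[:space:]]*snort_version[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" |
        tail -n 1
}

# Derive the snapshot tarball name as seen in the thread's verbose output:
# the dots are dropped from the version (2.9.4 -> 294, 2.9.4.0 -> 2940).
snapshot_name() {
    printf 'snortrules-snapshot-%s.tar.gz\n' "$(printf '%s' "$1" | tr -d '.')"
}

# Succeed only for a four-component numeric version such as 2.9.4.0
# (assumption taken from the advice in the thread to append a 0).
version_is_complete() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Check one config file. Prints "ok: <tarball>" and returns 0 when the
# version is complete, returns 1 when it is short, 2 when it is missing.
check_conf() {
    ver=$(conf_snort_version "$1")
    if [ -z "$ver" ]; then
        echo "no snort_version found in $1" >&2
        return 2
    fi
    name=$(snapshot_name "$ver")
    if version_is_complete "$ver"; then
        echo "ok: $name"
    else
        echo "incomplete snort_version '$ver' would request $name" >&2
        return 1
    fi
}

# Constructed sample config (not the poster's file), checked on each run.
demo() {
    tmp=$(mktemp)
    printf '# constructed sample\nsnort_version = 2.9.4\n' > "$tmp"
    check_conf "$tmp" || :
    rm -f "$tmp"
}
demo
```

Running `check_conf /etc/snort/pulledpork.conf` before a fetch shows which tarball name will be requested without spending an attempt against the server's 15 minute timeout.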

