Snort mailing list archives

Re: Problems configuring Pulledpork


From: Kevin Faust <kevinfaust () mac com>
Date: Sun, 07 Jul 2013 08:54:26 -0400


Built (and upgraded to Snort 2.9.5) and still have basically the same problem accessing the correct ruleset (log below)

Thoughts?



root@antec-300:~# pulledpork.pl -v -c /etc/snort/pulledpork.conf  | tee PPLOG10

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
  @_/        /  66\_  cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug /etc/snort/pulledpork.conf
        snort_path = /usr/sbin/snort
        enablesid = /etc/snort/enablesid.conf
        modifysid = /etc/snort/modifysid.conf
        pid_path = /var/run/snort_eth0.pid
        rule_path = /etc/snort/rules/snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        rule_url = ARRAY(0x15bc3a8)
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /etc/snort/sid-msg.map
        config_path = /etc/snort/snort.conf
        sostub_path = /etc/snort/rules/so_rules.rules
        temp_path = /tmp
        distro = Ubuntu-12.04
        version = 0.6.0
        sorule_path = /usr/lib/snort_dynamicrules/
        disablesid = /etc/snort/disablesid.conf
        dropsid = /etc/snort/dropsid.conf
        local_rules = /etc/snort/rules/local.rules
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2950.tar.gz.md5/<my_oinkcode> ==> 403 Forbidden
        Error 403 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2950.tar.gz.md5 at 
/usr/local/bin/pulledpork.pl line 453
        main::md5file('<my_oinkcode>', 'snortrules-snapshot-2950.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') 
called at /usr/local/bin/pulledpork.pl line 1758
MISC (CLI and Autovar) Variable Debug:
        arch Def is: x86-64
        Config Path is: /etc/snort/pulledpork.conf
        Distro Def is: Ubuntu-12.04
        Disabled policy specified
        local.rules path is: /etc/snort/rules/local.rules
        Rules file is: /etc/snort/rules/snort.rules
        Path to disablesid file: /etc/snort/disablesid.conf
        Path to dropsid file: /etc/snort/dropsid.conf
        Path to enablesid file: /etc/snort/enablesid.conf
        Path to modifysid file: /etc/snort/modifysid.conf
        sid changes will be logged to: /var/log/sid_changes.log
        sid-msg.map Output Path is: /etc/snort/sid-msg.map
        Snort Version is: 2.9.5.0
        Snort Config File: /etc/snort/snort.conf
        Snort Path is: /usr/sbin/snort
        SO Output Path is: /usr/lib/snort_dynamicrules/
        SO Stub File is: /etc/snort/rules/so_rules.rules
        Verbose Flag is Set
        Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<my_oinkcode> 
https://www.snort.org/reg-rules/|opensource.gz|<my_oinkcode>
Checking latest MD5 for snortrules-snapshot-2950.tar.gz....
        Fetching md5sum for: snortrules-snapshot-2950.tar.gz.md5
        A 403 error occurred, please wait for the 15 minute timeout
        to expire before trying again or specify the -n runtime switch
        You may also wish to verfiy your oinkcode, tarball name, and other configuration options

On Jul 7, 2013, at 8:14 AM, Joel Esler wrote:

Correct. 


--
Joel Esler
Sent from my iPad

On Jul 6, 2013, at 8:51 PM, Jeremy Hoel <jthoel () gmail com> wrote:

2.9.2, I believe, is End Of Life. You might want to upgrade to a newer version and try again.

On Jul 6, 2013 5:49 PM, "Kevin Faust" <kevinfaust () mac com> wrote:
I am having trouble configuring pulledpork to download the latest subscriber rules...I am seeing the following 
behavior (from pulledpork.pl -v -c /etc/snort/pulledpork.conf)

** GET https://www.snort.org/reg-rules/snortrules-snapshot-2920.tar.gz.md5/<my_oinkcode> ==> 200 OK (1s)
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2920.tar.gz/<my_oinkcode> ==> 302 Found (1s)
** GET 
https://s3.amazonaws.com/snort-org/www/rules/20120426/snortrules-snapshot-2920.tar.gz?AWSAccessKeyId=AKIAJ65S5YX6KA26VRJQ&Expires=1373156183&Signature=rsUTCmYqQmc7BzkdhdQz84wRXrg%3D
 ==> 403 Forbidden

MISC (CLI and Autovar) Variable Debug:
        arch Def is: x86-64
        Config Path is: /etc/snort/pulledpork.conf
        Distro Def is: Ubuntu-10.04
        Disabled policy specified
        local.rules path is: /etc/snort/rules/local.rules
        Rules file is: /etc/snort/rules/snort.rules
        Path to disablesid file: /etc/snort/disablesid.conf
        Path to dropsid file: /etc/snort/dropsid.conf
        Path to enablesid file: /etc/snort/enablesid.conf
        Path to modifysid file: /etc/snort/modifysid.conf
        sid changes will be logged to: /var/log/sid_changes.log
        sid-msg.map Output Path is: /etc/snort/sid-msg.map
        Snort Version is: 2.9.2.0
        Snort Config File: /etc/snort/snort.conf
        Snort Path is: /usr/sbin/snort
        SO Output Path is: /usr/lib/snort_dynamicrules/
        SO Stub File is: /etc/snort/rules/so_rules.rules
        Verbose Flag is Set
        Base URL is: https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode> 
https://www.snort.org/sub-rules/|opensource.gz|<my_oinkcode>
Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
        Fetching md5sum for: snortrules-snapshot-2920.tar.gz.md5
        most recent rules file digest: d57a807b52ff2b4cebbd1d25242e6bb9
Rules tarball download of snortrules-snapshot-2920.tar.gz....
        Fetching rules file: snortrules-snapshot-2920.tar.gz
        A 403 error occurred, please wait for the 15 minute timeout
        to expire before trying again or specify the -n runtime switch
        You may also wish to verfiy your oinkcode, tarball name, and other configuration options

This occurs with either rule configuration 1 or 2 below, and of course waiting 15 minutes (or 15 hours for that 
matter) does nothing.

1) rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>
2) rule_url=https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>

but if I change to rule configuration 3 below, it works

3) rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-2931.tar.gz|<my_oinkcode>

However, I am not sure this is the correct version for my platform (Ubuntu 12.04) and am fairly certain this is not 
the latest subscriber version.  BTW, how would one determine what the correct/latest version of rules are for their 
specific platform?

Any pointers are greatly appreciated.

Thanks,

Kevin


------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
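Kevin's closing question (which snapshot matches a given Snort build) and the URL PulledPork reports in both logs, as an added shell example that is neither the thread's nor PulledPork's own code. It assumes the snapshot tag is the dotted Snort version with the dots stripped to four digits (2.9.5.0 to 2950, 2.9.3.1 to 2931, as the tarball names in the logs suggest), that an oinkcode is a 40-character hex string, and that `snort -V` prints a line of the form `Version 2.9.5.0 GRE (Build 103)`; the banner, oinkcode and log line inside it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from PulledPork.
# Assumptions (not stated on the page): the snapshot tag is the dotted Snort
# version with the dots removed, cut to four digits (2.9.5.0 -> 2950); an
# oinkcode is a 40-character hex string. The banner, oinkcode and log line
# below are constructed.

# Pull "x.y.z.w" out of `snort -V` output read from stdin.
# Real use on the sensor:  ver=$(snort -V 2>&1 | snort_version_from_banner)
snort_version_from_banner() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# "2.9.5.0" -> "2950", the suffix PulledPork appends to snortrules-snapshot-.
# Snort prints four components, so the cut is a guard, not a normal path.
snapshot_tag() {
    printf '%s' "$1" | tr -d '.' | cut -c1-4
}

# pulledpork.conf line for a pinned snapshot: base|tarball|oinkcode.
# Leaving the tag out (snortrules-snapshot.tar.gz) lets PulledPork fill it in
# from the running Snort, which is what both logs in the thread show.
rule_url_line() {  # $1=base url  $2=tag  $3=oinkcode
    printf 'rule_url=%s|snortrules-snapshot-%s.tar.gz|%s\n' "$1" "$2" "$3"
}

# First URL PulledPork requests (the one that returned 403 in the 2.9.5 log):
# <base>snortrules-snapshot-<tag>.tar.gz.md5/<oinkcode>. Check it by hand with
#   curl -sS -o /dev/null -w '%{http_code}\n' "$(md5_url <base> <tag> <oinkcode>)"
# before assuming the 15-minute lockout is the cause.
md5_url() {  # $1=base url  $2=tag  $3=oinkcode
    printf '%ssnortrules-snapshot-%s.tar.gz.md5/%s\n' "$1" "$2" "$3"
}

# `pulledpork.pl -v | tee PPLOG10` writes every URL, oinkcode included, into
# the log file. Scrub it before pasting a log into a list post or ticket.
redact_oinkcode() {
    sed 's#/[0-9a-f]\{40\}#/<oinkcode>#g'
}

# Demo on a constructed banner (abbreviated `snort -V 2>&1` output).
SAMPLE_BANNER='   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5.0 GRE (Build 103)'
SAMPLE_OINKCODE=0123456789abcdef0123456789abcdef01234567   # placeholder, not a real code

ver=$(printf '%s\n' "$SAMPLE_BANNER" | snort_version_from_banner)
tag=$(snapshot_tag "$ver")
rule_url_line https://www.snort.org/reg-rules/ "$tag" "$SAMPLE_OINKCODE"
md5_url https://www.snort.org/reg-rules/ "$tag" "$SAMPLE_OINKCODE" | redact_oinkcode
```

Two things the logs above already tell you, which this makes checkable: the .md5 request is the very first thing PulledPork fetches, so the 403 in the 2.9.5 run comes from snort.org itself, before any redirect, whereas the 2.9.2 run got a 200 on the .md5 and was only refused by the S3 URL it was redirected to for the tarball. And because `-v` prints the full URLs, the PPLOG10 file created with `tee` holds the oinkcode in clear; redact it before sharing.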