Snort mailing list archives

Re: Error 500 during update of rule-set using pulled-pork


From: "Michael Steele" <michaels () winsnort com>
Date: Sat, 3 May 2014 17:52:21 -0400

We talked about this several years ago, and I was told back then that there
was a fix coming.

 

For anyone using PP who is a registered user, it is wise to only use the (
snort_version=x.x.x.x ). Relying on PP to derive the actual version from
snort will surely leave PP with rule sets not getting updated, at some
point. This doesn't affect the Windows users as they have to use the (
snort_version=x.x.x.x ) switch in PP.

 

This is the way it has always been from the time Sourcefire split the rule
update into two separate groups, and how many years has that been.  

 

IMHO, give the rules to everyone, and registered users wait x number of
minutes or hours between updates.

 

Best regards,

Michael...

 

WINSNORT.com Management.

--

****************** Established ~ 2001 *******************

*          Visit Us @ http://www.winsnort.com           *

*      ~~ FREE WinIDS Snort installation guides ~~      *

*               ~~ FREE support forums ~~               *

* Snort: Open Source Network IDS - http://www.snort.org *

*********************************************************

 

From: Joel Esler (jesler) [mailto:jesler () cisco com] 
Sent: Saturday, May 3, 2014 2:19 PM
To: Michael Steele
Cc: basant subba; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Error 500 during update of rule-set using
pulled-pork

 

Yes. We're fixing it.  

 

Not in the way you are proposing below, but in a much more comprehensive and
better way that is more streamlined not only for the user, but for us to
maintain as well.  

 

It should be done in the next couple of months, because it involves a
significant shift in the way that we package rules for use. 

-- 

Joel Esler

Sent from my iPhone


On May 3, 2014, at 13:32, "Michael Steele" <michaels () winsnort com> wrote:

For testing PP only; As long as you specify the version of rules to pull in
the pulledpork.conf  ( snort_version=x.x.x.x )  the version of snort you are
running is not relevant, or shouldn't be. PP should complete successfully.

 

I complained about this MONTHS / YEARS ago; For thirty days after a new
version of Snort is released there is confusion about the rule set /
configuration files compatibility for new users. Registered users can't get
access to the newly named rule set that matches the latest Snort version.

 

As a Registered user, you have just downloaded Snort 2.9.6.1, and the only
rule set available is 2.9.6.0. However, you see that the subscribers have a
Snort 2.9.6.1 rule set. It's confusing if the only rule set available to
registered users is 2.9.6.0, when they only have access to Snort 2.9.6.1.
It's not just the rule set; what about the new configuration files that are
embedded into the new 2.9.6.1 rule set? By installing Snort 2.9.6.1 and
using the old Snort 2.9.6.0 configuration files from the 2.9.6.0 rule set,
are you using outdated configuration files?

 

All Sourcefire needs to do at the release of a new Snort version is:

 

Clone the current registered users 2.9.6.0 rule set

Add all the configuration files from 2.9.6.1 subscribers rule set to the
cloned 2.9.6.0 registered users rule set.

Rename the cloned 2.9.6.0 rule set to 2.9.6.1, and post it in the registered
users area.

 

Registered users are not getting access to any new Subscribers rules, but
all the confusion is gone. 

 

Best regards,

Michael...

 

WINSNORT.com Management.


 

From: basant subba [mailto:basantsubba () gmail com] 
Sent: Saturday, May 3, 2014 10:45 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Error 500 during update of rule-set using
pulled-pork

 

@Joe: The 2961 ruleset is available only for subscribed users and not for
registered users. Is it mandatory to have a matching version of snort.conf
file and rule set, i.e. if I want to download the 2960 rule-set I must have a
2960 version snort.conf file?

 

On Sat, May 3, 2014 at 7:18 PM, Michael Steele <michaels () winsnort com> wrote:

I'm not sure what your problem is, but upgrading Snort won't have any effect
on the way PP processes the rules. 

 

There is a lot of information out there from multiple people having the same
problem.

 

Try the link below and I'm confident the answer is in there somewhere.

 

http://tinyurl.com/n2l8n5g

 

Best regards,

Michael...

 

WINSNORT.com Management.


 

From: basant subba [mailto:basantsubba () gmail com]
Sent: Saturday, May 3, 2014 9:05 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Error 500 during update of rule-set using pulled-pork

 

I am getting the following error when I am trying to update my rule-set
using pulled pork

Checking latest MD5 for snortrules-snapshot-2956.tar.gz....
    Error 500 when fetching http://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 463
    main::md5file('*oinkcode', 'snortrules-snapshot-2956.tar.gz', '/tmp/', 'http://www.snort.org/reg-rules/') called at /usr/local/bin/pulledpork.pl line 1847

I am a registered user. Someone in the mailing list told me to upgrade my
snort. But even after upgrading my snort to version 2.9.6.1, I am still
getting the same error.

 

 


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
