Re: PulledPork recent issue

[James Lay <jlay () slave-tothe-box net>]

On 2014-10-09 08:44, Joel Esler (jesler) wrote:
> Try without the -w now. I think we may have fixed the issue?
>
> > On Oct 9, 2014, at 10:22 AM, James Lay <jlay () slave-tothe-box net
> > [5]> wrote:
> >
> > On 2014-10-09 07:42, Shirkdog wrote:
> >
> > > I updated this in svn, you can pass a "-w" option which will
> > > bypass
> > > the check.
> > >
> > > ---
> > > Michael Shirk
> > >
> > > On Thu, Oct 9, 2014 at 7:18 AM, James Lay
> > > <jlay () slave-tothe-box net [4]>
> > > wrote:
> > >
> > > > On Thu, 2014-10-09 at 07:01 -0400, Shirkdog wrote:
> > > >
> > > > There appears to be an issue with the certificate on
> > > > labs.snort.org [1].
> > > > I am
> > > > going add an option to pulled pork to skip verification of the
> > > > hostname for
> > > > SSL when something like this happens.
> > > >
> > > > On Oct 9, 2014 6:57 AM, "James Lay" <jlay () slave-tothe-box net
> > > > [2]>
> > > > wrote:
> > > >
> > > > Second day in a row I've seen this....anyone else having this
> > > > issue?
> > > >
> > > > Checking latest MD5 for snortrules-snapshot-2962.tar.gz....
> > > > They Match
> > > > Done!
> > > > Checking latest MD5 for emerging.rules.tar.gz....
> > > > They Match
> > > > Done!
> > > > IP Blacklist download of
> > > > http://labs.snort.org/feeds/ip-filter.blf [3]....
> > > > Reading IP List...
> > > > Couldn't read /tmp/185.925288914831-black_list.rules - No such
> > > > file
> > > > or
> > > > directory
> > > > at /opt/bin/pulledpork.pl line 487
> > > > main::read_iplist('HASH(0xa3aa974)',
> > > > '/tmp/185.925288914831-black_list.rules') called at
> > > > /opt/bin/pulledpork.pl
> > > > line 378
> > > > main::rulefetch('open', 'IPBLACKLIST0', '/tmp/',
> > > > 'http://labs.snort.org/feeds/ip-filter.blf&apos;) called at
> > > > /opt/bin/pulledpork.pl line 1856
> > > >
> > > > Thanks for any insight.
> > > >
> > > > James
> > > >
> > > > Thanks...that helps...I can temporarily disable getting
> > > > blacklists
> > > > and
> > > > indeed it works like a champ.
> > > >
> > > > James
> >
> > Confirmed svn with -w working well..thanks again.
> >
> > James
> >
> > [08:20:04 gateway:~/snort/pulledpork$] sudo /opt/bin/pulledpork.pl
> > -P
> > -w -l -c /opt/etc/snort/pulledpork/pulledpork.conf
> >
> > http://code.google.com/p/pulledpork/ [6]
> > _____ ____
> > `----, )
> > `--==\ / PulledPork v0.7.1 - Swine Flu with a side of Ebola!
> > `--==\/
> > .-~~~~-.Y|\_ Copyright (C) 2009-2014 JJ Cummings
> > @_/ / 66_ cummingsj () gmail com [7]
> > | _(")
> > /-| ||'--' Rules give me wings!
> > _ _\
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Checking latest MD5 for snortrules-snapshot-2962.tar.gz....
> > They Match
> > Done!
> > Checking latest MD5 for emerging.rules.tar.gz....
> > They Match
> > Done!
> > IP Blacklist download of http://labs.snort.org/feeds/ip-filter.blf
> > [8]....
> > Reading IP List...
> > Prepping rules from snortrules-snapshot-2962.tar.gz for work....
> > Done!
> > Prepping rules from emerging.rules.tar.gz for work....
> > Done!
> > Reading rules...
> > Generating Stub Rules....
> > Done
> > Reading rules...
> > Reading rules...
> > Writing Blacklist File
> > /opt/etc/snort/rules/iplists/default.blacklist....
> > Writing Blacklist Version 1647588404 to
> > /opt/etc/snort/rules/iplistsIPRVersion.dat....
> > Use of uninitialized value $bin in -f at /opt/bin/pulledpork.pl line
> >
> > 1005.
> > Processing /opt/etc/snort/pulledpork/disablesid.conf....
> > Modified 2 rules
> > Done
> > Setting Flowbit State....
> > Enabled 115 flowbits
> > Done
> > Writing /opt/etc/snort/rules/snort.rules....
> > Done
> > Generating sid-msg.map....
> > Done
> > Writing v1 /opt/etc/snort/sid-msg.map....
> > Done
> > Writing /var/log/sid_changes.log....
> > Done
> > Rule Stats...
> > New:-------108
> > Deleted:---21
> > Enabled Rules:----19996
> > Dropped Rules:----0
> > Disabled Rules:---19560
> > Total Rules:------39556
> > IP Blacklist Stats...
> > Total IPs:-----6990
> >
> > Done
> > Please review /var/log/sid_changes.log for additional details
> > Fly Piggy Fly!

Yea that's workin now sans -w Joel:

         They Match
         Done!
IP Blacklist download of http://labs.snort.org/feeds/ip-filter.blf....
Reading IP List...
Prepping rules from snortrules-snapshot-2962.tar.gz for work....
         Done!

Thank you!

James

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!