Re: Error 422 with snortrules-snapshot-2972.tar.gz

[Scott Link <linksg () slu edu>]

Figured it out.

In pulledpork.conf, the line starting with rule_url= had a space between
the last pipe and our oinkcode. Deleted the space, re-ran, success!


Looking at the backup pulledpork.conf files, I see two consecutive days
where the file was backed up. The code didn't change between the days and
the only thing different is the addition of the space.

Weird.

So, got 422?:
Try wget on the expected URL. If still 422, escalate to snort.org. If not
422, check pulledpork.conf for spurious rule_url entry.

Cheers,
Scott


On Fri, May 29, 2015 at 8:19 AM, Scott Link <linksg () slu edu> wrote:

> Joel,
>
> I have confirmed the oinkcode in pulledpork.conf matches what's in our
> account. When I first had this issue, I tried regenerating the code and
> updating pulledpork.conf and got the same result. Since then, I used wget
> to pull the ruleset and the file with the md5sum. I think that would also
> confirm I'm using a valid oinkcode.
>
> Thanks,
> Scott
>
> On Fri, May 29, 2015 at 8:07 AM, Joel Esler (jesler) <jesler () cisco com>
> wrote:
>
> >  Not sure what the issue is, I’m watching the logs on Snort.org right
> > now, and thousands of people seem to not be having a problem.  Is your
> > oinkcode valid, no typos in it?
> >
> >  --
> > *Joel Esler*
> > Open Source Manager
> > Threat Intelligence Team Lead
> > Talos Group
> > http://www.talosintel.com
> >
> >   On May 29, 2015, at 7:49 AM, Scott Link <linksg () slu edu> wrote:
> >
> >  In the meantime, I've applied the latest Security Onion updates. I had
> > to restart nsm service to get everything back online after, but sostat is
> > now reporting all is well.
> >
> >  Retried rule-update and the error message is still there.
> >
> >  Any additional information I can make a run at tracking down and
> > providing?
> >
> > On Fri, May 22, 2015 at 6:51 PM, Joel Esler (jesler) <jesler () cisco com>
> > wrote:
> >
> > >  We are going to look into this.  However, everyone is pretty much out
> > > of the office until Tuesday.
> > >
> > > --
> > > *Joel Esler*
> > > Sent from my iPhone
> > >
> > > On May 22, 2015, at 4:28 PM, Shirkdog <shirkdog () gmail com> wrote:
> > >
> > >
> > >  On May 22, 2015 3:45 PM, "Scott Link" <linksg () slu edu> wrote:
> > > > Hi,
> > > >
> > > > Getting the following error message:
> > > > Running PulledPork.
> > > >     Error 422 when fetching
> > > https://www.snort.org/reg-rules/snortrules-snapshot-2972.tar.gz.md5 at
> > > /usr/bin/pulledpork.pl line 463
> > > >     main::md5file(' <oinkcode redacted>',
> > > 'snortrules-snapshot-2972.tar.gz', '/tmp/', '
> > > https://www.snort.org/reg-rules/&apos;) called at /usr/bin/pulledpork.pl
> > > line 1885
> > > >     http://code.google.com/p/pulledpork/
> > > >       _____ ____
> > > >      `----,\    )
> > > >       `--==\\  /    PulledPork v0.7.0 - Swine Flu!
> > > >        `--==\\/
> > > >      .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
> > > >   @_/        /  66\_  cummingsj () gmail com
> > > >     |    \   \   _(")
> > > >      \   /-| ||'--'  Rules give me wings!
> > > >       \_\  \_\\
> > > >  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > Checking latest MD5 for snortrules-snapshot-2972.tar.gz....
> > > >
> > > > Searching the archive seems to point to server-side issue. Need
> > > anything else?
> > >
> > > Try with Snort version 2.9.7.3
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > One dashboard for servers and applications across Physical-Virtual-Cloud
> > > Widest out-of-the-box monitoring support with 50+ applications
> > > Performance metrics, stats and reports that give you Actionable Insights
> > > Deep dive visibility with transaction tracing using APM Insight.
> > > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> > >
> > >  _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
> >
> >
> >  --
> >  Scott Link
> > Manager, ITS Infrastructure Operations Security
> > Saint Louis University
> > www.slu.edu
> > 314.977.9713
>
>
> --
> Scott Link
> Manager, ITS Infrastructure Operations Security
> Saint Louis University
> www.slu.edu
> 314.977.9713



-- 
Scott Link
Manager, ITS Infrastructure Operations Security
Saint Louis University
www.slu.edu
314.977.9713

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!