Re: Error 422 with snortrules-snapshot-2972.tar.gz

[Y M <snort () outlook com>]

Hi Andre,
Looking at the URL for the rules, it seems you are requesting the 2970 tarball which is eol according to the website 
https://www.snort.org/eol.
YM

Date: Fri, 26 Jun 2015 12:33:57 -0400
From: adimino () sempersecurus org
To: jesler () cisco com
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Error 422 with snortrules-snapshot-2972.tar.gz

Is anyone else seeing this issue?
I'm now getting Error 422 when downloading via pulledpork:
Checking latest MD5 for snortrules-snapshot-2970.tar.gz....     Error 422 when fetching 
https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5 at 
/home/snortscan/snort_src/pulledpork-read-only/pulledpork.pl line 482    
main::md5file('234f6e519d1ce6e4fa1762e7f9bb7f31fd65b2de', 'snortrules-snapshot-2970.tar.gz', '/tmp/', 
'https://www.snort.org/reg-rules/') called at /home/snortscan/snort_src/pulledpork-read-only/pulledpork.pl line 1875
I didn't see any problems with my pulledpork.conf as Scott observed.  This has worked reliably until now.
Andre'
On Mon, Jun 8, 2015 at 10:00 AM, Joel Esler (jesler) <jesler () cisco com> wrote:





You should probably swap step 3 and 2, since the links are verified after posting.  :)



--

Joel Esler

Open Source Manager

Threat Intelligence Team Lead

Talos Group

http://www.talosintel.com





On Jun 8, 2015, at 9:58 AM, Scott Link <linksg () slu edu> wrote:





Figured it out.




In pulledpork.conf, the line starting with rule_url= had a space between the last pipe and our oinkcode. Deleted the 
space, re-ran, success!






Looking at the backup pulledpork.conf files, I see two consecutive days where the file was backed up. The code didn't 
change between the days and the only thing different is the addition of the space.




Weird.




So, got 422?:


Try wget on the expected URL. If still 422, escalate to 
snort.org. If not 422, check pulledpork.conf for spurious rule_url entry.




Cheers,


Scott








On Fri, May 29, 2015 at 8:19 AM, Scott Link 
<linksg () slu edu> wrote:


Joel,



I have confirmed the oinkcode in pulledpork.conf matches what's in our account. When I first had this issue, I tried 
regenerating the code and updating pulledpork.conf and got the same result. Since then, I used wget to pull the ruleset 
and the
 file with the md5sum. I think that would also confirm I'm using a valid oinkcode.



Thanks,
Scott





On Fri, May 29, 2015 at 8:07 AM, Joel Esler (jesler) 
<jesler () cisco com> wrote:


Not sure what the issue is, I’m watching the logs on
Snort.org right now, and thousands of people seem to not be having a problem.  Is your oinkcode valid, no typos in it?



--

Joel Esler

Open Source Manager

Threat Intelligence Team Lead

Talos Group

http://www.talosintel.com







On May 29, 2015, at 7:49 AM, Scott Link <linksg () slu edu> wrote:




In the meantime, I've applied the latest Security Onion updates. I had to restart nsm service to get everything back 
online after, but sostat is now reporting all is well.



Retried rule-update and the error message is still there.



Any additional information I can make a run at tracking down and providing?



On Fri, May 22, 2015 at 6:51 PM, Joel Esler (jesler) 
<jesler () cisco com> wrote:



We are going to look into this.  However, everyone is pretty much out of the office until Tuesday. 



--
Joel Esler 
Sent from my iPhone




On May 22, 2015, at 4:28 PM, Shirkdog <shirkdog () gmail com> wrote:









On May 22, 2015 3:45 PM, "Scott Link" <linksg () slu edu> wrote:

>

> Hi,

>

> Getting the following error message:

> Running PulledPork.

>     Error 422 when fetching 
https://www.snort.org/reg-rules/snortrules-snapshot-2972.tar.gz.md5 at /usr/bin/pulledpork.pl line 463

>     main::md5file(' <oinkcode redacted>', 'snortrules-snapshot-2972.tar.gz', '/tmp/', 
> 'https://www.snort.org/reg-rules/&apos;) called at /usr/bin/pulledpork.pl
 line 1885

>     http://code.google.com/p/pulledpork/

>       _____ ____

>      `----,\    )

>       `--==\\  /    PulledPork v0.7.0 - Swine Flu!

>        `--==\\/

>      .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings

>   @_/        /  66\_  
cummingsj () gmail com

>     |    \   \   _(")

>      \   /-| ||'--'  Rules give me wings!

>       \_\  \_\\

>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> Checking latest MD5 for snortrules-snapshot-2972.tar.gz....

>

> Searching the archive seems to point to server-side issue. Need anything else?


Try with Snort version 2.9.7.3







------------------------------------------------------------------------------

One dashboard for servers and applications across Physical-Virtual-Cloud


Widest out-of-the-box monitoring support with 50+ applications

Performance metrics, stats and reports that give you Actionable Insights

Deep dive visibility with transaction tracing using APM Insight.

http://ad.doubleclick.net/ddm/clk/290420510;117567292;y


_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users



Please visit 
http://blog.snort.org to stay current on all the latest Snort news!










-- 


Scott Link
Manager, ITS Infrastructure Operations Security
Saint Louis University
www.slu.edu
314.977.9713





















-- 


Scott Link
Manager, ITS Infrastructure Operations Security
Saint Louis University
www.slu.edu
314.977.9713












-- 


Scott Link
Manager, ITS Infrastructure Operations Security
Saint Louis University
www.slu.edu
314.977.9713












------------------------------------------------------------------------------


_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users



Please visit http://blog.snort.org to stay current on all the latest Snort news!


-- 

Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org

"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)


------------------------------------------------------------------------------
Monitor 25 network devices or servers for free with OpManager!
OpManager is web-based network management software that monitors 
network devices and physical & virtual servers, alerts via email & sms 
for fault. Monitor 25 devices for free with no restriction. Download now
http://ad.doubleclick.net/ddm/clk/292181274;119417398;o
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        

------------------------------------------------------------------------------
Monitor 25 network devices or servers for free with OpManager!
OpManager is web-based network management software that monitors 
network devices and physical & virtual servers, alerts via email & sms 
for fault. Monitor 25 devices for free with no restriction. Download now
http://ad.doubleclick.net/ddm/clk/292181274;119417398;o

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!