Snort mailing list archives

Re: PulledPork Stop working


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 2 Dec 2015 00:13:28 +0000

As mentioned earlier in another thread, the ruleset for 2980 is not out yet (it should be out, probably Thursday); 2976's rules work fine.

--
Joel Esler
Manager, Talos Group

On Dec 1, 2015, at 5:37 PM, Rafael Leiva-Ochoa <spawn () rloteck net> wrote:

Hi All,

  I am getting the following error with pulledpork:


Last login: Tue Dec  1 14:14:43 2015 from 172.16.1.39

[root@snort-sensor1 ~]# pulledpork.pl -vv -c /etc/snort/pulledpork.conf -l

    https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.2 - E.Coli in your water bottle!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2015 JJ Cummings
  @_/        /  66\_  cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug /etc/snort/pulledpork.conf
snort_path = /usr/local/bin/snort
enablesid = /etc/snort/enablesid.conf
black_list = /etc/snort/rules/black_list.rules
modifysid = /etc/snort/modifysid.conf
rule_path = /etc/snort/rules/snort.rules
ignore = deleted.rules,experimental.rules,local.rules
snort_control = /usr/local/bin/snort_control
rule_url = ARRAY(0x16a3220)
sid_msg_version = 1
sid_changelog = /var/log/sid_changes.log
sid_msg = /etc/snort/sid-msg.map
backup_file = /tmp/pp_backup
ips_policy = security
config_path = /etc/snort/snort.conf
temp_path = /tmp
distro = Centos-5-4
version = 0.7.2
sorule_path = /usr/local/lib/snort_dynamicrules/
disablesid = /etc/snort/disablesid.conf
dropsid = /etc/snort/dropsid.conf
local_rules = /etc/snort/rules/local.rules

MISC (CLI and Autovar) Variable Debug:
arch Def is: x86-64
Operating System is: linux
CA Certificate File is: OS Default
Config Path is: /etc/snort/pulledpork.conf
Distro Def is: Centos-5-4
security policy specified
local.rules path is: /etc/snort/rules/local.rules
Rules file is: /etc/snort/rules/snort.rules
Path to disablesid file: /etc/snort/disablesid.conf
Path to dropsid file: /etc/snort/dropsid.conf
Path to enablesid file: /etc/snort/enablesid.conf
Path to modifysid file: /etc/snort/modifysid.conf
sid changes will be logged to: /var/log/sid_changes.log
sid-msg.map Output Path is: /etc/snort/sid-msg.map
Snort Version is: 2.9.8.0
Snort Config File: /etc/snort/snort.conf
Snort Path is: /usr/local/bin/snort
SO Output Path is: /usr/local/lib/snort_dynamicrules/
Will process SO rules
Logging Flag is Set
Extra Verbose Flag is Set
Verbose Flag is Set
File(s) to ignore = deleted.rules,experimental.rules,local.rules
Base URL is: https://www.snort.org/rules/|snortrules-snapshot.tar.gz|b26b2f91e7f8ac8a3bf091999b07f9a458e39048
https://snort.org/downloads/community/|community-rules.tar.gz|Community
http://talosintel.com/feeds/ip-filter.blf|IPBLACKLIST|open
https://www.snort.org/rules/|opensource.gz|b26b2f91e7f8ac8a3bf091999b07f9a458e39048

Checking latest MD5 for snortrules-snapshot-2980.tar.gz....
Fetching md5sum for: snortrules-snapshot-2980.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2980.tar.gz.md5/b26b2f91e7f8ac8a3bf091999b07f9a458e39048 ==>
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
422 Unprocessable Entity (1s)

Error 422 when fetching https://www.snort.org/rules/snortrules-snapshot-2980.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 516
main::md5file('b26b2f91e7f8ac8a3bf091999b07f9a458e39048', 'snortrules-snapshot-2980.tar.gz', '/tmp/', 'https://www.snort.org/rules/') called at /usr/local/bin/pulledpork.pl line 1937

[root@snort-sensor1 ~]#


I looked at the snort archive, and it was an issue before. Any idea how to fix it?

Thanks,

Rafael

------------------------------------------------------------------------------
Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
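A pre-flight check that reproduces the failing request from the log above, as an added example (not PulledPork's or Talos's code): it maps the installed Snort version to the snapshot name, builds the md5 URL in the form seen in the verbose GET line, and reports a 422 as "ruleset not yet published", which is the situation Joel describes. The oinkcode constant is a placeholder, and the URL shape and the `snort -V` parsing are assumptions.

```python
"""Pre-flight check for a PulledPork rule download (added example, not PulledPork code).
Assumed: URL shape from the thread's '** GET' line, a placeholder oinkcode, `snort -V` on PATH."""
import re
import subprocess
import urllib.error
import urllib.request

REG_RULES_BASE = "https://www.snort.org/reg-rules/"  # host/path seen in the thread's GET line
OINKCODE = "REPLACE_WITH_YOUR_OINKCODE"              # placeholder; keep real ones out of logs

def snapshot_name(version: str) -> str:
    """'2.9.8.0' -> 'snortrules-snapshot-2980.tar.gz': version dots dropped, as in the thread."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)\.(\d+)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised Snort version: {version!r}")
    return "snortrules-snapshot-%s.tar.gz" % "".join(m.groups())

def md5_url(name: str, oinkcode: str, base: str = REG_RULES_BASE) -> str:
    """URL form from the '** GET ... ==>' line: <base><tarball>.md5/<oinkcode>."""
    return f"{base}{name}.md5/{oinkcode}"

def classify(status: int) -> str:
    """Map the HTTP status of the md5 request to an operator-facing verdict."""
    if status == 200:
        return "published; PulledPork can proceed"
    if status == 422:  # the thread's case: no snapshot released yet for this Snort version
        return "not yet published for this Snort version (422); keep the previous snapshot"
    if status in (401, 403):
        return f"oinkcode rejected (HTTP {status}); check rule_url in pulledpork.conf"
    return f"unexpected HTTP {status}; rerun pulledpork.pl -vv and inspect"

def http_status(url: str, timeout: float = 15.0) -> int:
    """GET the md5 URL and return its status code (HTTPError carries the code)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def installed_snort_version() -> str:
    """Parse 'Version X.Y.Z.W' from `snort -V` (banner may land on stdout or stderr)."""
    proc = subprocess.run(["snort", "-V"], capture_output=True, text=True)
    m = re.search(r"Version\s+(\d+\.\d+\.\d+\.\d+)", proc.stdout + proc.stderr)
    if not m:
        raise RuntimeError("could not read Snort version from `snort -V`")
    return m.group(1)

if __name__ == "__main__":
    name = snapshot_name(installed_snort_version())
    print(name, "->", classify(http_status(md5_url(name, OINKCODE))))
```

Run it after a Snort upgrade and before the next PulledPork run; note that -vv prints the oinkcode inside the request URL, so redact it before posting logs to the list.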
