Snort mailing list archives
Re: md5 on snort rules not matching (oinkmaster)
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 19 Sep 2016 16:18:26 +0000
You should get a tarball. The rules are inside the tarball. I recommend you use PulledPork to deal with these tarballs, and not use oinkmaster.

--
Joel Esler
Manager
Talos Group
http://www.talosintelligence.com

On Sep 19, 2016, at 12:13 PM, Lesley Leposo <leposo () unoasystems com> wrote:

> Hi Joel,
>
> Indeed, I have a free Snort account, with an oinkcode.
>
> Here are my issues:
>
> 1) I'm still unable to download valid registered Snort rules after appending ?oinkcode=<my oinkcode> to the paths. All I get is what appears to be a tarbomb. Are these registered snortrules only available to paying users?
>
> 2) The community rules, as per the website, do not require the oinkcode. Nevertheless, I can't get them to load using oinkmaster. All I get is what appears to be a tarbomb.
>
> $ oinkmaster.pl -o /usr/local/etc/snort/rules/ -c -v -C /usr/local/etc/oinkmaster.conf
> Loading /usr/local/etc/oinkmaster.conf
> Adding file to ignore list: local.rules.
> Adding file to ignore list: deleted.rules.
> Adding file to ignore list: snort.conf.
> Found gzip binary in /usr/bin
> Found tar binary in /usr/bin
> Downloading file from https://snort.org/downloads/community/community-rules.tar.gz...
> --2016-09-19 19:00:52--  https://snort.org/downloads/community/community-rules.tar.gz
> Resolving snort.org (snort.org)... 104.16.64.75, 104.16.62.75, 104.16.65.75, ...
> Connecting to snort.org (snort.org)|104.16.64.75|:443... connected.
> HTTP request sent, awaiting response... 302 Found
> Location: https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/004/359/original/community-rules.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1474304627&Signature=YzChzO7uroWQ9klpBdowaOA5Fxw%3D [following]
> --2016-09-19 19:00:53--  https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/004/359/original/community-rules.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1474304627&Signature=YzChzO7uroWQ9klpBdowaOA5Fxw%3D
> Resolving s3.amazonaws.com (s3.amazonaws.com)... 52.216.0.251
> Connecting to s3.amazonaws.com (s3.amazonaws.com)|52.216.0.251|:443... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 277589 (271K) [application/x-tar]
> Saving to: '/var/folders/6y/kwwww__d14q6w0h8th05vhrw0000gp/T/oinkmaster.AfQRlVaiDm/url.CETsIphUhf/snortrules.tar.gz'
>
> /var/folders/6y/kwwww__d14q6w0h8th05vhrw000 100%[========================================>] 271.08K  161KB/s   in 1.7s
>
> 2016-09-19 19:00:56 (161 KB/s) - '/var/folders/6y/kwwww__d14q6w0h8th05vhrw0000gp/T/oinkmaster.AfQRlVaiDm/url.CETsIphUhf/snortrules.tar.gz' saved [277589/277589]
>
> Archive successfully downloaded, unpacking...
> /opt/local/bin/oinkmaster.pl: Error: https://snort.org/downloads/community/community-rules.tar.gz: no "rules" directory found in tar file.
>
> On 19 Sep 2016, at 6:54 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
>
>> That's not the link to the Registered ruleset. In order to access the Registered ruleset, you must have an account on Snort.org, and utilize your oinkcode to download the ruleset via oinkmaster.
>>
>> https://snort.org/oinkcodes
>>
>> --
>> Joel Esler
>> Manager
>> Talos Group
>> http://www.talosintelligence.com
>>
>> On Sep 19, 2016, at 9:25 AM, Lesley Leposo <leposo () unoasystems com> wrote:
>>
>>> Hello,
>>>
>>> Kindly let me know what's going on. I've downloaded the following URLs and the md5s are consistently not matching. Also it would seem that the snapshots are all pointing to the same file. Any pointers?
>>>
>>> Here are the oinkmaster URLs:
>>>
>>> url = https://snort.org/downloads/registered/snortrules-snapshot-2976.tar.gz
>>> url = https://snort.org/downloads/registered/snortrules-snapshot-2982.tar.gz
>>> url = https://snort.org/downloads/registered/snortrules-snapshot-2983.tar.gz
>>> url = https://snort.org/downloads/community/community-rules.tar.gz
>>>
>>> Here is the oinkmaster output depicting the error:
>>>
>>> $ oinkmaster.pl -o /usr/local/etc/snort/rules/ -c -v -C /usr/local/etc/oinkmaster.conf
>>> Loading /usr/local/etc/oinkmaster.conf
>>> Adding file to ignore list: local.rules.
>>> Adding file to ignore list: deleted.rules.
>>> Adding file to ignore list: snort.conf.
>>> Found gzip binary in /usr/bin
>>> Found tar binary in /usr/bin
>>> Downloading file from https://snort.org/downloads/registered/snortrules-snapshot-2983.tar.gz...
>>> --2016-09-19 14:18:14--  https://snort.org/downloads/registered/snortrules-snapshot-2983.tar.gz
>>> Resolving snort.org (snort.org)... 104.16.66.75, 104.16.63.75, 104.16.62.75, ...
>>> Connecting to snort.org (snort.org)|104.16.66.75|:443... connected.
>>> HTTP request sent, awaiting response... 302 Found
>>> Location: https://snort.org/ [following]
>>> --2016-09-19 14:18:15--  https://snort.org/
>>> Reusing existing connection to snort.org:443.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 43611 (43K) [text/html]
>>> Saving to: '/var/folders/6y/kwwww__d14q6w0h8th05vhrw0000gp/T/oinkmaster._sKOOq69Mu/url.DzhKeDdaib/snortrules.tar.gz'
>>>
>>> /var/folders/6y/kwwww__d14q6w0h8th05vhrw000 100%[========================================>]  42.59K  77.6KB/s   in 0.5s
>>>
>>> 2016-09-19 14:18:16 (77.6 KB/s) - '/var/folders/6y/kwwww__d14q6w0h8th05vhrw0000gp/T/oinkmaster._sKOOq69Mu/url.DzhKeDdaib/snortrules.tar.gz' saved [43611/43611]
>>>
>>> gzip: /var/folders/6y/kwwww__d14q6w0h8th05vhrw0000gp/T/oinkmaster._sKOOq69Mu/url.DzhKeDdaib/snortrules.tar.gz: not in gzip format
>>> /opt/local/bin/oinkmaster.pl: Error: https://snort.org/downloads/registered/snortrules-snapshot-2983.tar.gz: integrity check on gzip file failed (file transfer failed or file in URL not in gzip format?).
>>> Oink, oink. Exiting...
>>>
>>> Here are the isolated downloads and md5s:
>>>
>>> $ curl https://snort.org/downloads/registered/snortrules-snapshot-2976.tar.gz -o /tmp/snortrules-snapshot-2976.tar.gz
>>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>>                                  Dload  Upload   Total   Spent    Left  Speed
>>> 100    84    0    84    0     0     55      0 --:--:--  0:00:01 --:--:--    55
>>> $ curl https://snort.org/downloads/registered/snortrules-snapshot-2982.tar.gz -o /tmp/snortrules-snapshot-2982.tar.gz
>>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>>                                  Dload  Upload   Total   Spent    Left  Speed
>>> 100    84    0    84    0     0     56      0 --:--:--  0:00:01 --:--:--    56
>>> $ curl https://snort.org/downloads/registered/snortrules-snapshot-2983.tar.gz -o /tmp/snortrules-snapshot-2983.tar.gz
>>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>>                                  Dload  Upload   Total   Spent    Left  Speed
>>> 100    84    0    84    0     0     51      0 --:--:--  0:00:01 --:--:--    51
>>> $ curl https://snort.org/downloads/community/community-rules.tar.gz -o /tmp/community-rules.tar.gz
>>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>>                                  Dload  Upload   Total   Spent    Left  Speed
>>> 100   286    0   286    0     0    143      0 --:--:--  0:00:01 --:--:--   143
>>> $ md5 /tmp/snortrules-snapshot-2976.tar.gz
>>> MD5 (/tmp/snortrules-snapshot-2976.tar.gz) = fece3271d650c597ffb3b8369cb893ed
>>> $ md5 /tmp/snortrules-snapshot-2982.tar.gz
>>> MD5 (/tmp/snortrules-snapshot-2982.tar.gz) = fece3271d650c597ffb3b8369cb893ed
>>> $ md5 /tmp/snortrules-snapshot-2983.tar.gz
>>> MD5 (/tmp/snortrules-snapshot-2983.tar.gz) = fece3271d650c597ffb3b8369cb893ed
>>> $ md5 /tmp/community-rules.tar.gz
>>> MD5 (/tmp/community-rules.tar.gz) = 821af6faea07c9b0f40f72dfb661f990
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs () lists sourceforge net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>> http://www.snort.org
>>> Please visit http://blog.snort.org for the latest news about Snort!
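The failures quoted in this thread are the two ways a rules download goes wrong before any rule is parsed: the "tarball" is really the body of a 302 redirect or an HTML page (wget's "Length: 43611 [text/html]" and gzip's "not in gzip format"), or it is a real archive that simply has no top-level rules/ directory. An 84-byte file whose md5 is identical for every snapshot URL is also consistent with curl saving a redirect body, since curl does not follow a 302 unless given -L. The script below is an added example, not code from the thread, from Snort/Talos, oinkmaster or PulledPork. It checks a downloaded file the way a rule manager needs it checked (gzip magic, a rules/ entry in the archive, an optional md5 you obtained out of band) and exercises the checks on constructed sample files. fetch_rules, the OINKCODE query parameter, and the sample archives built by build_samples are assumptions for illustration; nothing here contacts snort.org unless you call fetch_rules yourself.

```shell
#!/bin/sh
# Added example: validate a Snort rules tarball before unpacking it.
# Not Snort/Talos, oinkmaster or PulledPork code. Checks, in order:
#   1. the file really is gzip (a saved 302/HTML body is not),
#   2. the archive carries a top-level rules/ directory,
#   3. optionally, its md5 equals a value obtained out of band.

# fetch_rules URL OUT: -L follows the 302 to the real object (plain curl
# saves the redirect body under the .tar.gz name), -f fails on HTTP errors
# instead of saving an error page. Appending ?oinkcode=... is an assumption.
fetch_rules() {
    url="$1"; out="$2"
    if [ -n "${OINKCODE:-}" ]; then url="${url}?oinkcode=${OINKCODE}"; fi
    curl -sSfL -o "$out" "$url"
}

# is_gzip FILE: compare the first two bytes with the gzip magic 1f 8b.
is_gzip() {
    [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "1f8b" ]
}

# has_rules_dir FILE: list the archive and look for a top-level rules/ entry
# (with or without a leading ./).
has_rules_dir() {
    tar -tzf "$1" 2>/dev/null | grep -q '^\(\./\)\{0,1\}rules/'
}

# md5_of FILE: hex digest only; md5sum on Linux, md5 -q on macOS/BSD.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# check_rules_tarball FILE [EXPECTED_MD5]
# Returns 0 when valid, 1 not gzip, 2 no rules/ directory, 3 md5 mismatch.
check_rules_tarball() {
    f="$1"; expected="${2:-}"
    if ! is_gzip "$f"; then
        printf 'reject: %s is not gzip; starts with: %s\n' "$f" \
            "$(head -c 60 "$f" | tr -d '\n')" >&2
        return 1
    fi
    if ! has_rules_dir "$f"; then
        printf 'reject: %s has no top-level rules/ directory\n' "$f" >&2
        return 2
    fi
    if [ -n "$expected" ] && [ "$(md5_of "$f")" != "$expected" ]; then
        printf 'reject: %s md5 %s != expected %s\n' \
            "$f" "$(md5_of "$f")" "$expected" >&2
        return 3
    fi
    printf 'ok: %s\n' "$f"
}

# build_samples DIR: constructed test data, not real Snort downloads.
#   good.tar.gz     - rules/local.rules inside, as a snapshot is laid out
#   redirect.tar.gz - an HTML redirect body saved under a .tar.gz name
#   norules.tar.gz  - valid gzip/tar but without a rules/ directory
build_samples() {
    d="$1"
    mkdir -p "$d/good/rules" "$d/norules/etc"
    printf 'alert tcp any any -> any any (msg:"constructed test rule"; sid:1000001; rev:1;)\n' \
        > "$d/good/rules/local.rules"
    tar -czf "$d/good.tar.gz" -C "$d/good" rules
    printf '<html><body>You are being <a href="https://snort.org/">redirected</a>.</body></html>' \
        > "$d/redirect.tar.gz"
    printf '# constructed: no rules here\n' > "$d/norules/etc/snort.conf"
    tar -czf "$d/norules.tar.gz" -C "$d/norules" etc
}

# demo: run the three samples through the check and print ok/reject lines.
demo() {
    d=$(mktemp -d)
    build_samples "$d"
    check_rules_tarball "$d/good.tar.gz" "$(md5_of "$d/good.tar.gz")"
    check_rules_tarball "$d/redirect.tar.gz" || true
    check_rules_tarball "$d/norules.tar.gz" || true
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see one accepted archive and the two rejections; in practice call `fetch_rules URL file` followed by `check_rules_tarball file EXPECTED_MD5` and only hand the file to oinkmaster or PulledPork when the check returns 0. The md5 argument guards against a truncated or substituted file, not against a hostile server, since the digest comes from the same place as the tarball; the gzip and rules/ checks are what catch the HTML-instead-of-archive case seen in the thread.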
Current thread:
- md5 on snort rules not matching (oinkmaster) Lesley Leposo (Sep 19)
- Re: md5 on snort rules not matching (oinkmaster) Joel Esler (jesler) (Sep 19)
- Message not available
- Re: md5 on snort rules not matching (oinkmaster) Joel Esler (jesler) (Sep 19)
- Message not available
- Re: md5 on snort rules not matching (oinkmaster) Joel Esler (jesler) (Sep 19)