[Snort-sigs] still having download problems

John York YorkJ at ...855...
Thu Jul 1 10:32:02 EDT 2010

I've updated to pulledpork 0.4.2 on my Ubuntu 8.04 box.  I also tried to update the CA certs with apt-get, but they are already up to date.  When I do a packet trace, I see the box go to Snort and ask for the rules.  Snort replies that the rules have moved to s3.amazonaws.com.  At that point, my box just gives up--I don't see any traffic where it even tries to connect with amazon.  Any ideas?  I tried manually changing pp so it asked for sub-rules instead of reg-rules, but both do the same thing.  The pp debug output and https conversation are below, mangled to protect the oinkcode.


PP debug

me at ...3503...:~$ sudo apt-get install ca-certificates
[sudo] password for me: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
ca-certificates is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.  

me at ...3503...:~$ sudo ./ppgo

      _____ ____
     `----,\    )
      `--==\\  /    Pulled_Pork v0.4.2
     .-~~~~-.Y|\\_  Copyright (C) 2009-2010 JJ Cummings
  @_/        /  66\_  cummingsj at ...2420...
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\

Command Line Variable Debug:
        Config Path is: /home/bryorkj/snortrules/pulledpork/etc/pulledpork.conf
        Path to disablesid file: /home/bryorkj/snortrules/pulledpork/etc/disablesid.conf
        Verbose Flag is Set
        Extra Verbose Flag is Set
Config File Variable Debug /home/bryorkj/snortrules/pulledpork/etc/pulledpork.conf
        snort_path = /usr/local/bin/snort
        pid_path = /var/run/snortd.pid
        rule_path = /usr/local/etc/snort/rules/snort.rules
        ignore = deleted,experimental,local
        rule_file = snortrules-snapshot-2860.tar.gz
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /usr/local/etc/snort/sid-msg.map
        config_path = /usr/local/etc/snort/snort.conf
        sostub_path = /usr/local/etc/snort/rules/so_rules.rules
        oinkcode = 7025mangle-mangle7813
        temp_path = /tmp
        distro = Ubuntu-8.04
        base_url = http://www.snort.org/
        sorule_path = /usr/local/lib/snort_dynamicrules/
        version = 0.4.2
        disablesid = /usr/local/etc/snort/disablesid.conf
        local_rules = /usr/local/etc/snort/rules/local.rules
Checking latest MD5....
        Fetching md5sum for: snortrules-snapshot-2860.tar.gz.md5
        most recent rules file digest: d8b7b694e4f21b7406e3c86a32b362bf
Rules tarball download....
        Fetching rules file: snortrules-snapshot-2860.tar.gz
        Error 501 when fetching snortrules-snapshot-2860.tar.gz at /home/bryorkj/snortrules/pulledpork/pulledpork.pl line 264.
        going to get this url:  http://www.snort.org/sub-rules/snortrules-snapshot-2860.tar.gz/7025mangle-mangle7813

HTTP conversation

GET /sub-rules/snortrules-snapshot-2860.tar.gz/7025mangle-mangle7813 HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.snort.org
User-Agent: LWP::Simple/5.820
HTTP/1.0 302 Moved Temporarily
Date: Thu, 01 Jul 2010 13:57:15 GMT
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
X-Runtime: 448
Cache-Control: no-cache
Set-Cookie: _radiant_session=BAh7BjoPmangle-mangleDhmNDA%3D--777377mangle-mangled8cc; path=/; HttpOnly
Location: https://s3.amazonaws.com/snort.org/rules/20100629/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId=AKImangle-mangleQ&Expires=1277992665&Signature=mangle-mangle3D
Content-Length: 251
Status: 302
Content-Type: text/html; charset=utf-8
X-Cache: MISS from web610.br.vccs.edu
Via: 1.0 web610.br.vccs.edu:8080 (http_scan/
Connection: close
<html><body>You are being <a href="https://s3.amazonaws.com/snort.org/rules/20100629/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId=AKImangle-mangle&Expires=1277992665&Signature=7ZFmangle-mangle4%3D">redirected</a>.</body></html>

More information about the Snort-sigs mailing list