[Snort-sigs] still having download problems

John York YorkJ at ...855...
Thu Jul 1 13:39:18 EDT 2010


apt-get install libcrypt-ssleay-perl fixed it like magic-thanks JJ!

From: JJC [mailto:cummingsj at ...2420...]
Sent: Thursday, July 01, 2010 1:27 PM
To: Crook, Parker
Cc: John York; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] still having download problems

Ok, this seems to be an issue that stems from the fact that this version of Ubuntu does not have some required perl modules (even though if installed from CPAN they are dependencies)  The short of it is that you need Crypt::SSLeay and for whatever reason the maintainers did not include this dependency... but I'm not gonna get into that discussion today.  The following will fix the problem in Ubuntu.

apt-get install libcrypt-ssleay-perl

Other required modules, if you don't have them (from the repos, not CPAN) are:

libwww-perl
libarchive-tar-perl  (Archive::Tar)
And of course you also need to be sure that all of your root certs are up to date (I know that this has been covered, but I am covering again for the sake of completeness:

sudo apt-get install ca-certificates
sudo update-ca-certificates

That should just about cover it.. all of the reports were from Ubuntu 8x x66_64 and so fourth...

JJC


On Thu, Jul 1, 2010 at 9:02 AM, Crook, Parker <Parker_Crook at ...2899...<mailto:Parker_Crook at ...2899...>> wrote:
JJ,

I just upgraded my LWP::Simple to 5.836 and still having this issue.  I also ran update-ca-certificates to cover that base.  Just curious, is this only happening on Debain and Debain-based distros?

-Parker

P.S.  If I am still having an issue on this, I will setup a lab at home tonight to test this out on OS X, Debian, and if someone is having issues on another distro, let me know and I'll see if can't test it out there too.
________________________________
From: JJC [mailto:cummingsj at ...2420...<mailto:cummingsj at ...2420...>]
Sent: Thursday, July 01, 2010 10:51 AM
To: John York
Cc: snort-sigs at lists.sourceforge.net<mailto:snort-sigs at ...3414...t>
Subject: Re: [Snort-sigs] still having download problems

Do you know what version of LWP::SImple you are using?
On Thu, Jul 1, 2010 at 8:32 AM, John York <YorkJ at ...855...<mailto:YorkJ at ...253...855...>> wrote:
I've updated to pulledpork 0.4.2 on my Ubuntu 8.04 box.  I also tried to update the CA certs with apt-get, but they are already up to date.  When I do a packet trace, I see the box go to Snort and ask for the rules.  Snort replies that the rules have moved to s3.amazonaws.com<http://s3.amazonaws.com>.  At that point, my box just gives up--I don't see any traffic where it even tries to connect with amazon.  Any ideas?  I tried manually changing pp so it asked for sub-rules instead of reg-rules, but both do the same thing.  The pp debug output and https conversation are below, mangled to protect the oinkcode.

Thanks
John

PP debug

me at ...3503...:~$ sudo apt-get install ca-certificates
[sudo] password for me:
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

me at ...3503...:~$ sudo ./ppgo

 http://code.google.com/p/pulledpork/
     _____ ____
    `----,\    )
     `--==\\  /    Pulled_Pork v0.4.2
      `--==\\/
    .-~~~~-.Y|\\_  Copyright (C) 2009-2010 JJ Cummings
 @_/        /  66\_  cummingsj at ...2420...<mailto:cummingsj at ...2420...>
   |    \   \   _(")
    \   /-| ||'--'  Rules give me wings!
     \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Variable Debug:
       Config Path is: /home/bryorkj/snortrules/pulledpork/etc/pulledpork.conf
       Path to disablesid file: /home/bryorkj/snortrules/pulledpork/etc/disablesid.conf
       Verbose Flag is Set
       Extra Verbose Flag is Set
Config File Variable Debug /home/bryorkj/snortrules/pulledpork/etc/pulledpork.conf
       snort_path = /usr/local/bin/snort
       pid_path = /var/run/snortd.pid
       rule_path = /usr/local/etc/snort/rules/snort.rules
       ignore = deleted,experimental,local
       rule_file = snortrules-snapshot-2860.tar.gz
       sid_changelog = /var/log/sid_changes.log
       sid_msg = /usr/local/etc/snort/sid-msg.map
       config_path = /usr/local/etc/snort/snort.conf
       sostub_path = /usr/local/etc/snort/rules/so_rules.rules
       oinkcode = 7025mangle-mangle7813
       temp_path = /tmp
       distro = Ubuntu-8.04
       base_url = http://www.snort.org/
       sorule_path = /usr/local/lib/snort_dynamicrules/
       version = 0.4.2
       disablesid = /usr/local/etc/snort/disablesid.conf
       local_rules = /usr/local/etc/snort/rules/local.rules
Checking latest MD5....
       Fetching md5sum for: snortrules-snapshot-2860.tar.gz.md5
       most recent rules file digest: d8b7b694e4f21b7406e3c86a32b362bf
Rules tarball download....
       Fetching rules file: snortrules-snapshot-2860.tar.gz
       Error 501 when fetching snortrules-snapshot-2860.tar.gz at /home/bryorkj/snortrules/pulledpork/pulledpork.pl<http://pulledpork.pl> line 264.
       going to get this url:  http://www.snort.org/sub-rules/snortrules-snapshot-2860.tar.gz/7025mangle-mangle7813


HTTP conversation

GET /sub-rules/snortrules-snapshot-2860.tar.gz/7025mangle-mangle7813 HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.snort.org<http://www.snort.org>
User-Agent: LWP::Simple/5.820

HTTP/1.0 302 Moved Temporarily
Date: Thu, 01 Jul 2010 13:57:15 GMT
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
X-Runtime: 448
Cache-Control: no-cache
Set-Cookie: _radiant_session=BAh7BjoPmangle-mangleDhmNDA%3D--777377mangle-mangled8cc; path=/; HttpOnly
Location: https://s3.amazonaws.com/snort.org/rules/20100629/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId=AKImangle-mangleQ&Expires=1277992665&Signature=mangle-mangle3D
Content-Length<https://s3.amazonaws.com/snort.org/rules/20100629/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId=AKImangle-mangleQ&Expires=1277992665&Signature=mangle-mangle3D%0d%0aContent-Length>: 251
Status: 302
Content-Type: text/html; charset=utf-8
X-Cache: MISS from web610.br.vccs.edu<http://web610.br.vccs.edu>
Via: 1.0 web610.br.vccs.edu:8080<http://web610.br.vccs.edu:8080> (http_scan/4.0.2.6.19)
Connection: close

<html><body>You are being <a href="https://s3.amazonaws.com/snort.org/rules/20100629/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId=AKImangle-mangle&Expires=1277992665&Signature=7ZFmangle-mangle4%3D<https://s3.amazonaws.com/snort.org/rules/20100629/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId=AKImangle-mangle&Expires=1277992665&Signature=7ZFmangle-mangle4%3D>">redirected</a>.</body></html>



------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first<http://sprint.com/first> -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net<mailto:Snort-sigs at lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/snort-sigs


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20100701/82e96bff/attachment.html>


More information about the Snort-sigs mailing list