[Snort-sigs] [Snort-users] Update your oinkmaster/pulled_porkconf files

Weir, Jason jason.weir at ...3410...
Tue Jun 29 10:41:56 EDT 2010


Me too - come on guys, this isn't that complicated

Oinkmaster output below

------------------------------------------------------------------------

Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2853.tar.gz...
/usr/local/bin/oinkmaster.pl: Error: could not download from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2853.tar.gz.

Output from wget follows:
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2853.tar.gz
Resolving www.snort.org... 68.177.102.20
Connecting to www.snort.org|68.177.102.20|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://s3.amazonaws.com/snort.org/rules/20100525/snortrules-snapshot-2853.tar.gz?AWSAccessKeyId=AKIAJJSHU7YNPLE5MKOQ&Expires=1277818240&Signature=Ey7O5ok2EPNau9DIKbFi8UpF3Hw%3D [following]
--2010-06-29 09:30:10--  https://s3.amazonaws.com/snort.org/rules/20100525/snortrules-snapshot-2853.tar.gz?AWSAccessKeyId=AKIAJJSHU7YNPLE5MKOQ&Expires=1277818240&Signature=Ey7O5ok2EPNau9DIKbFi8UpF3Hw%3D
Resolving s3.amazonaws.com... 72.21.202.152
Connecting to s3.amazonaws.com|72.21.202.152|:443... connected.
ERROR: cannot verify s3.amazonaws.com's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2':
  Unable to locally verify the issuer's authority.
To connect to s3.amazonaws.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

------------------------------------------------------------------------

-Jason


-----Original Message-----
From: Joel Esler [mailto:jesler at ...435...] 
Sent: Tuesday, June 29, 2010 10:19 AM
To: infosec posts
Cc: snort-sigs at lists.sourceforge.net; Snort Users List
Subject: Re: [Snort-sigs] [Snort-users] Update your oinkmaster/pulled_porkconf files


On Jun 29, 2010, at 10:11 AM, infosec posts wrote:
> 
> I was using this URL in my update scripts:
> 
> wget http://www.snort.org/pub-bin/oinkmaster.cgi/$oink_code/snortrules-snapshot-2853_s.tar.gz
> 
> Now I'm getting this: 
> http://www.snort.org/pub-bin/oinkmaster.cgi/$oink_code/snortrules-snapshot-2853_s.tar.gz
> Resolving www.snort.org... 68.177.102.20
> Connecting to www.snort.org|68.177.102.20|:80... connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 2010-06-29 08:46:33 ERROR 403: Forbidden.
> 
> Did the URL above get broken, too?
> 
> 
> Since that didn't work I tried:
> wget http://www.snort.org/reg-rules/snortrules-snapshot-2853.tar.gz/$oink_code
> 
> but that redirected to an SSL connection with Amazon, which isn't open
> on my firewall from the machine in question.
> 
> 
> So, I went to another machine and tried
> wget http://www.snort.org/reg-rules/snortrules-snapshot-2853.tar.gz/$oink_code
> wget http://www.snort.org/reg-rules/snortrules-snapshot-2853_s.tar.gz/$oink_code
> 
> Both of which are giving me 403: Forbidden.
> 
> Are the 2.8.5.3 URLs no longer supported?
> Is the "15-minute rule" being imposed by oink code now instead of 
> connecting IP? Is the '_s' filename still in use to distinguish 
> subscriber packs from non-subscribers?
> 
> (Note: Obviously, my actual oinkmaster code has been sanitized to 
> '$oink_code' in everything above.)

There is no need for the _s anymore.

http://vrt-sourcefire.blogspot.com/2010/06/important-rule-download-change.html

I'll send this over to the web team.

Joel

