[Snort-sigs] Problems configuring Pulledpork
kevinfaust at ...2282...
Sat Jul 6 20:43:51 EDT 2013
I am having trouble configuring pulledpork to download the latest subscriber rules. I am seeing the following behavior (from pulledpork.pl -v -c /etc/snort/pulledpork.conf):
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2920.tar.gz.md5/<my_oinkcode> ==> 200 OK (1s)
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2920.tar.gz/<my_oinkcode> ==> 302 Found (1s)
** GET https://s3.amazonaws.com/snort-org/www/rules/20120426/snortrules-snapshot-2920.tar.gz?AWSAccessKeyId=AKIAJ65S5YX6KA26VRJQ&Expires=1373156183&Signature=rsUTCmYqQmc7BzkdhdQz84wRXrg%3D ==> 403 Forbidden
MISC (CLI and Autovar) Variable Debug:
arch Def is: x86-64
Config Path is: /etc/snort/pulledpork.conf
Distro Def is: Ubuntu-10.04
Disabled policy specified
local.rules path is: /etc/snort/rules/local.rules
Rules file is: /etc/snort/rules/snort.rules
Path to disablesid file: /etc/snort/disablesid.conf
Path to dropsid file: /etc/snort/dropsid.conf
Path to enablesid file: /etc/snort/enablesid.conf
Path to modifysid file: /etc/snort/modifysid.conf
sid changes will be logged to: /var/log/sid_changes.log
sid-msg.map Output Path is: /etc/snort/sid-msg.map
Snort Version is: 126.96.36.199
Snort Config File: /etc/snort/snort.conf
Snort Path is: /usr/sbin/snort
SO Output Path is: /usr/lib/snort_dynamicrules/
SO Stub File is: /etc/snort/rules/so_rules.rules
Verbose Flag is Set
Base URL is: https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode> https://www.snort.org/sub-rules/|opensource.gz|<my_oinkcode>
Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
Fetching md5sum for: snortrules-snapshot-2920.tar.gz.md5
most recent rules file digest: d57a807b52ff2b4cebbd1d25242e6bb9
Rules tarball download of snortrules-snapshot-2920.tar.gz....
Fetching rules file: snortrules-snapshot-2920.tar.gz
A 403 error occurred, please wait for the 15 minute timeout
to expire before trying again or specify the -n runtime switch
You may also wish to verfiy your oinkcode, tarball name, and other configuration options
This occurs with either rule configuration 1 or 2 below, and of course waiting 15 minutes (or 15 hours, for that matter) does nothing,
but if I change to rule configuration 3 below, it works.
However, I am not sure this is the correct version for my platform (Ubuntu 12.04) and am fairly certain this is not the latest subscriber version. BTW, how would one determine what the correct/latest version of the rules is for their specific platform?
Any pointers are greatly appreciated.