[Snort-sigs] Problems configuring Pulledpork

Jeremy Hoel jthoel at ...2420...
Sat Jul 6 20:51:58 EDT 2013


2.9.2 I believe is End Of Life. You might want to upgrade to a newer
version and try again.
On Jul 6, 2013 5:49 PM, "Kevin Faust" <kevinfaust at ...2282...> wrote:

> I am having trouble configuring pulledpork to download the latest
> subscriber rules... I am seeing the following behavior (from pulledpork.pl -v -c /etc/snort/pulledpork.conf)
>
> ** GET
> https://www.snort.org/reg-rules/snortrules-snapshot-2920.tar.gz.md5/<my_oinkcode>
> ==> 200 OK (1s)
> ** GET https://www.snort.org/reg-rules/snortrules-snapshot-2920.tar.gz/<my_oinkcode>
> ==> 302 Found (1s)
> ** GET
> https://s3.amazonaws.com/snort-org/www/rules/20120426/snortrules-snapshot-2920.tar.gz?AWSAccessKeyId=AKIAJ65S5YX6KA26VRJQ&Expires=1373156183&Signature=rsUTCmYqQmc7BzkdhdQz84wRXrg%3D
> ==> 403 Forbidden
>
> MISC (CLI and Autovar) Variable Debug:
>         arch Def is: x86-64
>         Config Path is: /etc/snort/pulledpork.conf
>         Distro Def is: Ubuntu-10.04
>         Disabled policy specified
>         local.rules path is: /etc/snort/rules/local.rules
>         Rules file is: /etc/snort/rules/snort.rules
>         Path to disablesid file: /etc/snort/disablesid.conf
>         Path to dropsid file: /etc/snort/dropsid.conf
>         Path to enablesid file: /etc/snort/enablesid.conf
>         Path to modifysid file: /etc/snort/modifysid.conf
>         sid changes will be logged to: /var/log/sid_changes.log
>         sid-msg.map Output Path is: /etc/snort/sid-msg.map
>         Snort Version is: 2.9.2.0
>         Snort Config File: /etc/snort/snort.conf
>         Snort Path is: /usr/sbin/snort
>         SO Output Path is: /usr/lib/snort_dynamicrules/
>         SO Stub File is: /etc/snort/rules/so_rules.rules
>         Verbose Flag is Set
>         Base URL is:
> https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>
> https://www.snort.org/sub-rules/|opensource.gz|<my_oinkcode>
> Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
>         Fetching md5sum for: snortrules-snapshot-2920.tar.gz.md5
>         most recent rules file digest: d57a807b52ff2b4cebbd1d25242e6bb9
> Rules tarball download of snortrules-snapshot-2920.tar.gz....
>         Fetching rules file: snortrules-snapshot-2920.tar.gz
>         A 403 error occurred, please wait for the 15 minute timeout
>         to expire before trying again or specify the -n runtime switch
>         You may also wish to verfiy your oinkcode, tarball name, and other
> configuration options
>
> this occurs with either rule configuration 1 or 2 below and of course
> waiting 15 minutes (or 15 hours for that matter) does nothing
>
> 1) rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>
> 2) rule_url=https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>
>
> but if I change to rule configuration 3 below, it works
>
> 3) rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-2931.tar.gz|<my_oinkcode>
>
> However, I am not sure this is the correct version for my platform (Ubuntu
> 12.04) and am fairly certain this is not the latest subscriber version.
>  BTW, how would one determine what the correct/latest version of rules are
> for their specific platform?
>
> Any pointers are greatly appreciated.
>
> Thanks,
>
> Kevin
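
Added example (not part of the original thread and not PulledPork's own code): a Python check that reports which tarball each `rule_url` line will request and flags a pinned snapshot that does not match the installed Snort version, as in configuration 3 above. It assumes the name substitution visible in the debug output (Snort 2.9.2.0 with `snortrules-snapshot.tar.gz` is fetched as `snortrules-snapshot-2920.tar.gz`); the function names and the sample configuration are constructed for illustration.

```python
import re

GENERIC = "snortrules-snapshot.tar.gz"
PINNED = re.compile(r"^snortrules-snapshot-(\d+)\.tar\.gz$")

# Constructed sample configuration; MY_OINKCODE is a placeholder, not a real code.
SAMPLE_CONF = """\
# rule_url=<base url>|<file name>|<oinkcode>
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|MY_OINKCODE
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-2931.tar.gz|MY_OINKCODE
rule_url=https://www.snort.org/sub-rules/|opensource.gz|MY_OINKCODE
"""

def version_tag(snort_version):
    """'2.9.2.0' -> '2920' (assumption: dots dropped, as in the debug output)."""
    if not re.fullmatch(r"\d+(\.\d+){3}", snort_version):
        raise ValueError(f"unexpected Snort version: {snort_version!r}")
    return snort_version.replace(".", "")

def parse_rule_url(value):
    """Split a rule_url value into (base, file name, oinkcode)."""
    parts = [p.strip() for p in value.split("|")]
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"rule_url needs three '|' separated fields: {value!r}")
    return tuple(parts)

def check_conf(conf_text, snort_version):
    """Return (tarball that will be requested, status) per rule_url line."""
    tag = version_tag(snort_version)
    results = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("rule_url="):
            continue  # comments and unrelated settings
        _base, fname, _oink = parse_rule_url(line[len("rule_url="):])
        pinned = PINNED.match(fname)
        if fname == GENERIC:
            # Generic name: the installed Snort version selects the snapshot.
            results.append((f"snortrules-snapshot-{tag}.tar.gz", "derived"))
        elif pinned:
            # Explicit version: rules may not match the running sensor.
            status = "match" if pinned.group(1) == tag else "mismatch"
            results.append((fname, status))
        else:
            results.append((fname, "other"))
    return results

if __name__ == "__main__":
    for tarball, status in check_conf(SAMPLE_CONF, "2.9.2.0"):
        print(f"{status:9} {tarball}")
```

The installed version can be taken from the "Snort Version is:" line of PulledPork's verbose output; a `mismatch` result means the rules were built for a different Snort release than the one on the sensor.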