[Snort-sigs] Problems configuring Pulledpork

Kevin Faust kevinfaust at ...2282...
Sun Jul 7 08:54:26 EDT 2013


Built (and upgraded to Snort 2.9.5) and still have basically the same problem accessing the correct ruleset (log below).

Thoughts?



root at ...3826...:~# pulledpork.pl -v -c /etc/snort/pulledpork.conf  | tee PPLOG10

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
  @_/        /  66\_  cummingsj at ...2420...
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug /etc/snort/pulledpork.conf
	snort_path = /usr/sbin/snort
	enablesid = /etc/snort/enablesid.conf
	modifysid = /etc/snort/modifysid.conf
	pid_path = /var/run/snort_eth0.pid
	rule_path = /etc/snort/rules/snort.rules
	ignore = deleted.rules,experimental.rules,local.rules
	rule_url = ARRAY(0x15bc3a8)
	sid_changelog = /var/log/sid_changes.log
	sid_msg = /etc/snort/sid-msg.map
	config_path = /etc/snort/snort.conf
	sostub_path = /etc/snort/rules/so_rules.rules
	temp_path = /tmp
	distro = Ubuntu-12.04
	version = 0.6.0
	sorule_path = /usr/lib/snort_dynamicrules/
	disablesid = /etc/snort/disablesid.conf
	dropsid = /etc/snort/dropsid.conf
	local_rules = /etc/snort/rules/local.rules
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2950.tar.gz.md5/<my_oinkcode> ==> 403 Forbidden
	Error 403 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2950.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 453
	main::md5file('<my_oinkcode>', 'snortrules-snapshot-2950.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /usr/local/bin/pulledpork.pl line 1758
MISC (CLI and Autovar) Variable Debug:
	arch Def is: x86-64
	Config Path is: /etc/snort/pulledpork.conf
	Distro Def is: Ubuntu-12.04
	Disabled policy specified
	local.rules path is: /etc/snort/rules/local.rules
	Rules file is: /etc/snort/rules/snort.rules
	Path to disablesid file: /etc/snort/disablesid.conf
	Path to dropsid file: /etc/snort/dropsid.conf
	Path to enablesid file: /etc/snort/enablesid.conf
	Path to modifysid file: /etc/snort/modifysid.conf
	sid changes will be logged to: /var/log/sid_changes.log
	sid-msg.map Output Path is: /etc/snort/sid-msg.map
	Snort Version is: 2.9.5.0
	Snort Config File: /etc/snort/snort.conf
	Snort Path is: /usr/sbin/snort
	SO Output Path is: /usr/lib/snort_dynamicrules/
	SO Stub File is: /etc/snort/rules/so_rules.rules
	Verbose Flag is Set
	Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<my_oinkcode> https://www.snort.org/reg-rules/|opensource.gz|<my_oinkcode>
Checking latest MD5 for snortrules-snapshot-2950.tar.gz....
	Fetching md5sum for: snortrules-snapshot-2950.tar.gz.md5
	A 403 error occurred, please wait for the 15 minute timeout
	to expire before trying again or specify the -n runtime switch
	You may also wish to verfiy your oinkcode, tarball name, and other configuration options

On Jul 7, 2013, at 8:14 AM, Joel Esler wrote:

> Correct. 
> 
> 
> --
> Joel Esler
> Sent from my iPad
> 
> On Jul 6, 2013, at 8:51 PM, Jeremy Hoel <jthoel at ...2420...> wrote:
> 
>> 2.9.2 I believe is End Of Life. You might want to upgrade to a newer version and try again.
>> 
>> On Jul 6, 2013 5:49 PM, "Kevin Faust" <kevinfaust at ...2282...> wrote:
>> I am having trouble configuring pulledpork to download the latest subscriber rules... I am seeing the following behavior (from pulledpork.pl -v -c /etc/snort/pulledpork.conf):
>> 
>> ** GET https://www.snort.org/reg-rules/snortrules-snapshot-2920.tar.gz.md5/<my_oinkcode> ==> 200 OK (1s)
>> ** GET https://www.snort.org/reg-rules/snortrules-snapshot-2920.tar.gz/<my_oinkcode> ==> 302 Found (1s)
>> ** GET https://s3.amazonaws.com/snort-org/www/rules/20120426/snortrules-snapshot-2920.tar.gz?AWSAccessKeyId=AKIAJ65S5YX6KA26VRJQ&Expires=1373156183&Signature=rsUTCmYqQmc7BzkdhdQz84wRXrg%3D ==> 403 Forbidden
>> 
>> MISC (CLI and Autovar) Variable Debug:
>>         arch Def is: x86-64
>>         Config Path is: /etc/snort/pulledpork.conf
>>         Distro Def is: Ubuntu-10.04
>>         Disabled policy specified
>>         local.rules path is: /etc/snort/rules/local.rules
>>         Rules file is: /etc/snort/rules/snort.rules
>>         Path to disablesid file: /etc/snort/disablesid.conf
>>         Path to dropsid file: /etc/snort/dropsid.conf
>>         Path to enablesid file: /etc/snort/enablesid.conf
>>         Path to modifysid file: /etc/snort/modifysid.conf
>>         sid changes will be logged to: /var/log/sid_changes.log
>>         sid-msg.map Output Path is: /etc/snort/sid-msg.map
>>         Snort Version is: 2.9.2.0
>>         Snort Config File: /etc/snort/snort.conf
>>         Snort Path is: /usr/sbin/snort
>>         SO Output Path is: /usr/lib/snort_dynamicrules/
>>         SO Stub File is: /etc/snort/rules/so_rules.rules
>>         Verbose Flag is Set
>>         Base URL is: https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode> https://www.snort.org/sub-rules/|opensource.gz|<my_oinkcode>
>> Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
>>         Fetching md5sum for: snortrules-snapshot-2920.tar.gz.md5
>>         most recent rules file digest: d57a807b52ff2b4cebbd1d25242e6bb9
>> Rules tarball download of snortrules-snapshot-2920.tar.gz....
>>         Fetching rules file: snortrules-snapshot-2920.tar.gz
>>         A 403 error occurred, please wait for the 15 minute timeout
>>         to expire before trying again or specify the -n runtime switch
>>         You may also wish to verfiy your oinkcode, tarball name, and other configuration options
>> 
>> This occurs with either rule configuration 1 or 2 below, and of course waiting 15 minutes (or 15 hours for that matter) does nothing.
>> 
>> 1) rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>
>> 2) rule_url=https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>
>> 
>> But if I change to rule configuration 3 below, it works:
>> 
>> 3) rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-2931.tar.gz|<my_oinkcode>
>> 
>> However, I am not sure this is the correct version for my platform (Ubuntu 12.04) and am fairly certain this is not the latest subscriber version.  BTW, how would one determine what the correct/latest version of rules are for their specific platform?
>> 
>> Any pointers are greatly appreciated.
>> 
>> Thanks,
>> 
>> Kevin
>> 
>> 
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by Windows:
>> 
>> Build for Windows Store.
>> 
>> http://p.sf.net/sfu/windows-dev2dev
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>> 
>> 
>> Please visit http://blog.snort.org for the latest news about Snort!
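The debug output above shows how PulledPork turns a `rule_url` triple (base URL, tarball name, oinkcode) plus the detected Snort version into the URLs it fetches, and that the oinkcode is appended as the last path component of every request, so it ends up in any verbose log that is tee'd to a file or pasted to the list. The following is an added illustration, not PulledPork's own code; it assumes the version-folding rule inferred from the logs (2.9.5.0 becomes 2950, 2.9.2.0 becomes 2920, an already-versioned tarball such as snortrules-snapshot-2931.tar.gz is used as-is), and the oinkcode value is a constructed placeholder.

```python
"""Illustration of how PulledPork 0.6.x derives rules-tarball fetch URLs from a
rule_url line and the Snort version, plus a log scrubber for the oinkcode.
Re-implementation for illustration only; the naming rule is inferred from
the debug output in the thread (2.9.5.0 -> snortrules-snapshot-2950.tar.gz)."""
import re
from typing import NamedTuple, Tuple

UNVERSIONED = "snortrules-snapshot.tar.gz"


class RuleSource(NamedTuple):
    base_url: str
    tarball: str
    oinkcode: str


def parse_rule_url(line: str) -> RuleSource:
    """Split a 'rule_url=base|tarball|oinkcode' config line into its parts."""
    value = line.split("=", 1)[1].strip()
    base, tarball, oinkcode = value.split("|")
    if not base.endswith("/"):
        base += "/"
    return RuleSource(base, tarball, oinkcode)


def snapshot_name(tarball: str, snort_version: str) -> str:
    """Assumed rule: the unversioned tarball name gets the first four digits of
    the Snort version folded in (2.9.5.0 -> 2950); a tarball that already
    carries a version (snortrules-snapshot-2931.tar.gz) is left unchanged."""
    if tarball != UNVERSIONED:
        return tarball
    digits = snort_version.replace(".", "")[:4]
    return f"snortrules-snapshot-{digits}.tar.gz"


def fetch_urls(src: RuleSource, snort_version: str) -> Tuple[str, str]:
    """The .md5 file and the tarball are both requested with the oinkcode as
    the final path component, matching the '** GET ... ==> 403' lines."""
    name = snapshot_name(src.tarball, snort_version)
    return (f"{src.base_url}{name}.md5/{src.oinkcode}",
            f"{src.base_url}{name}/{src.oinkcode}")


def redact(line: str, oinkcode: str) -> str:
    """Scrub the oinkcode and any S3 presigned-URL signature from a verbose
    log line before it is stored or shared (the thread's logs had to be
    hand-edited to '<my_oinkcode>')."""
    line = line.replace(oinkcode, "<oinkcode>")
    return re.sub(r"(Signature=)[^&\s]+", r"\1<redacted>", line)
```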
