[Snort-sigs] md5 on snort rules not matching (oinkmaster)

Joel Esler (jesler) jesler at ...3865...
Mon Sep 19 12:18:26 EDT 2016


You should get a tarball.

The rules are inside the tarball. I recommend you use PulledPork to deal with these tarballs, and not use oinkmaster.

--
Joel Esler
Manager
Talos Group
http://www.talosintelligence.com


On Sep 19, 2016, at 12:13 PM, Lesley Leposo <leposo at ...4180...> wrote:

Hi Joel,

Indeed, I have a free Snort account, with an oinkcode. Here are my issues:

1) I’m still unable to download valid registered Snort rules after appending ?oinkcode=<my oinkcode> to the paths.
All I get is what appears to be a tarbomb.
Are these registered Snort rules only available to paying users?

2) The community rules, as per the website, do not require the oinkcode. Nevertheless, I can’t get them to load using oinkmaster.
All I get is what appears to be a tarbomb.

$ oinkmaster.pl  -o /usr/local/etc/snort/rules/ -c -v -C /usr/local/etc/oinkmaster.conf
Loading /usr/local/etc/oinkmaster.conf
Adding file to ignore list: local.rules.
Adding file to ignore list: deleted.rules.
Adding file to ignore list: snort.conf.
Found gzip binary in /usr/bin
Found tar binary in /usr/bin
Downloading file from https://snort.org/downloads/community/community-rules.tar.gz...
--2016-09-19 19:00:52--  https://snort.org/downloads/community/community-rules.tar.gz
Resolving snort.org (snort.org)... 104.16.64.75, 104.16.62.75, 104.16.65.75, ...
Connecting to snort.org (snort.org)|104.16.64.75|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/004/359/original/community-rules.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1474304627&Signature=YzChzO7uroWQ9klpBdowaOA5Fxw%3D [following]
--2016-09-19 19:00:53--  https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/004/359/original/community-rules.tar.gz?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1474304627&Signature=YzChzO7uroWQ9klpBdowaOA5Fxw%3D
Resolving s3.amazonaws.com (s3.amazonaws.com)... 52.216.0.251
Connecting to s3.amazonaws.com (s3.amazonaws.com)|52.216.0.251|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 277589 (271K) [application/x-tar]
Saving to: '/var/folders/6y/kwwww__d14q6w0h8th05vhrw0000gp/T/oinkmaster.AfQRlVaiDm/url.CETsIphUhf/snortrules.tar.gz'

/var/folders/6y/kwwww__d14q6w0h8th05vhrw000 100%[========================================================================================>] 271.08K   161KB/s    in 1.7s

2016-09-19 19:00:56 (161 KB/s) - '/var/folders/6y/kwwww__d14q6w0h8th05vhrw0000gp/T/oinkmaster.AfQRlVaiDm/url.CETsIphUhf/snortrules.tar.gz' saved [277589/277589]

Archive successfully downloaded, unpacking...
/opt/local/bin/oinkmaster.pl: Error: https://snort.org/downloads/community/community-rules.tar.gz: no "rules" directory found in tar file.


On 19 Sep 2016, at 6:54 PM, Joel Esler (jesler) <jesler at ...3865...> wrote:

That’s not the link to the Registered ruleset.  In order to access the Registered ruleset, you must have an account on Snort.org, and utilize your oinkcode to download the ruleset via oinkmaster.

https://snort.org/oinkcodes

--
Joel Esler
Manager
Talos Group
http://www.talosintelligence.com


On Sep 19, 2016, at 9:25 AM, Lesley Leposo <leposo at ...4180...> wrote:


Hello,

Kindly let me know what’s going on.
I’ve downloaded the following URLs and the MD5s are consistently not matching.
Also, it would seem that the snapshots are all pointing to the same file.

Any pointers?

Here are the oinkmaster URLs:
url = https://snort.org/downloads/registered/snortrules-snapshot-2976.tar.gz
url = https://snort.org/downloads/registered/snortrules-snapshot-2982.tar.gz
url = https://snort.org/downloads/registered/snortrules-snapshot-2983.tar.gz
url = https://snort.org/downloads/community/community-rules.tar.gz

Here is the oinkmaster output depicting the error:

$ oinkmaster.pl  -o /usr/local/etc/snort/rules/ -c -v -C /usr/local/etc/oinkmaster.conf
Loading /usr/local/etc/oinkmaster.conf
Adding file to ignore list: local.rules.
Adding file to ignore list: deleted.rules.
Adding file to ignore list: snort.conf.
Found gzip binary in /usr/bin
Found tar binary in /usr/bin
Downloading file from https://snort.org/downloads/registered/snortrules-snapshot-2983.tar.gz...
--2016-09-19 14:18:14--  https://snort.org/downloads/registered/snortrules-snapshot-2983.tar.gz
Resolving snort.org (snort.org)... 104.16.66.75, 104.16.63.75, 104.16.62.75, ...
Connecting to snort.org (snort.org)|104.16.66.75|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://snort.org/ [following]
--2016-09-19 14:18:15--  https://snort.org/
Reusing existing connection to snort.org:443.
HTTP request sent, awaiting response... 200 OK
Length: 43611 (43K) [text/html]
Saving to: '/var/folders/6y/kwwww__d14q6w0h8th05vhrw0000gp/T/oinkmaster._sKOOq69Mu/url.DzhKeDdaib/snortrules.tar.gz'

/var/folders/6y/kwwww__d14q6w0h8th05vhrw000 100%[========================================================================================>]  42.59K  77.6KB/s    in 0.5s

2016-09-19 14:18:16 (77.6 KB/s) - '/var/folders/6y/kwwww__d14q6w0h8th05vhrw0000gp/T/oinkmaster._sKOOq69Mu/url.DzhKeDdaib/snortrules.tar.gz' saved [43611/43611]

gzip: /var/folders/6y/kwwww__d14q6w0h8th05vhrw0000gp/T/oinkmaster._sKOOq69Mu/url.DzhKeDdaib/snortrules.tar.gz: not in gzip format

/opt/local/bin/oinkmaster.pl: Error: https://snort.org/downloads/registered/snortrules-snapshot-2983.tar.gz: integrity check on gzip file failed (file transfer failed or file in URL not in gzip format?).

Oink, oink. Exiting...


Here are the isolated downloads and MD5s:
$ curl https://snort.org/downloads/registered/snortrules-snapshot-2976.tar.gz -o /tmp/snortrules-snapshot-2976.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    84    0    84    0     0     55      0 --:--:--  0:00:01 --:--:--    55

$ curl https://snort.org/downloads/registered/snortrules-snapshot-2982.tar.gz -o /tmp/snortrules-snapshot-2982.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    84    0    84    0     0     56      0 --:--:--  0:00:01 --:--:--    56
$ curl https://snort.org/downloads/registered/snortrules-snapshot-2983.tar.gz -o /tmp/snortrules-snapshot-2983.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    84    0    84    0     0     51      0 --:--:--  0:00:01 --:--:--    51
$ curl https://snort.org/downloads/community/community-rules.tar.gz -o /tmp/community-rules.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   286    0   286    0     0    143      0 --:--:--  0:00:01 --:--:--   143

$ md5 /tmp/snortrules-snapshot-2976.tar.gz
MD5 (/tmp/snortrules-snapshot-2976.tar.gz) = fece3271d650c597ffb3b8369cb893ed
$ md5 /tmp/snortrules-snapshot-2982.tar.gz
MD5 (/tmp/snortrules-snapshot-2982.tar.gz) = fece3271d650c597ffb3b8369cb893ed
$ md5 /tmp/snortrules-snapshot-2983.tar.gz
MD5 (/tmp/snortrules-snapshot-2983.tar.gz) = fece3271d650c597ffb3b8369cb893ed
$ md5 /tmp/community-rules.tar.gz
MD5 (/tmp/community-rules.tar.gz) = 821af6faea07c9b0f40f72dfb661f990
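Both failures in the thread are visible before Snort ever sees the file: the "registered" downloads were a 43 KB text/html page that fails gzip's magic check (hence identical MD5s across every snapshot URL), and the community tarball is a real gzip archive whose members sit at the top level rather than under a "rules" directory, which is what oinkmaster insists on. The following is an added example, not code from the thread, from oinkmaster or from Snort.org; it classifies a downloaded blob the same way so you can tell an auth/redirect page from a layout problem, using constructed in-memory samples in place of real downloads.

```python
import hashlib
import io
import tarfile


def _make_tgz(member_names):
    """Build a constructed in-memory .tar.gz with empty members (test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in member_names:
            info = tarfile.TarInfo(name)
            info.type = tarfile.DIRTYPE if name.endswith("/") else tarfile.REGTYPE
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


# Constructed stand-ins for the three cases seen in the thread.
HTML_PAGE = b"<!DOCTYPE html><html><head><title>Snort</title></head><body>login</body></html>"
FLAT_TARBALL = _make_tgz(["community.rules", "sid-msg.map"])          # community-style layout
NESTED_TARBALL = _make_tgz(["rules/", "rules/web-misc.rules", "so_rules/"])  # layout oinkmaster expects


def classify_download(data: bytes) -> dict:
    """Report why a ruleset download would fail oinkmaster's checks.

    md5 lets you compare several URLs (identical digests => same served object),
    is_gzip mirrors gzip's magic-byte test, looks_like_html flags a login or
    redirect page, and has_rules_dir mirrors the 'no "rules" directory' check.
    """
    head = data.lstrip()[:15].lower()
    result = {
        "md5": hashlib.md5(data).hexdigest(),
        "is_gzip": data[:2] == b"\x1f\x8b",
        "looks_like_html": head.startswith((b"<!doctype html", b"<html")),
        "has_rules_dir": False,
        "top_level": [],
    }
    if not result["is_gzip"]:
        return result
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            names = tar.getnames()
    except (tarfile.TarError, OSError, EOFError):
        return result  # gzip header present but archive unreadable
    result["top_level"] = sorted({n.split("/", 1)[0] for n in names})
    result["has_rules_dir"] = "rules" in result["top_level"]
    return result


def same_served_object(blobs) -> bool:
    """True when every download has the same MD5, as with the three snapshot URLs above."""
    return len({hashlib.md5(b).hexdigest() for b in blobs}) == 1
```

Run it over the files curl saved to /tmp to see which case you are in; an HTML result with matching digests across URLs points at the account/oinkcode side rather than at oinkmaster.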


