<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><br></div>Built (and upgraded to Snort 2.9.5) and still have basically the same problem accessing the correct ruleset (log below)<div><br></div><div>Thoughts?</div><div><br></div><div><br><div><br></div><div><div>root@...3826...:~# pulledpork.pl -v -c /etc/snort/pulledpork.conf  | tee PPLOG10</div><div><br></div><div>    <a href="http://code.google.com/p/pulledpork/">http://code.google.com/p/pulledpork/</a></div><div>      _____ ____</div><div>     `----,\    )</div><div>      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~</div><div>       `--==\\/</div><div>     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings</div><div>  @_/        /  66\_  <a href="mailto:cummingsj@...2420...">cummingsj@...2420...</a></div><div>    |    \   \   _(")</div><div>     \   /-| ||'--'  Rules give me wings!</div><div>      \_\  \_\\</div><div> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</div><div><br></div><div>Config File Variable Debug /etc/snort/pulledpork.conf</div><div><span class="Apple-tab-span" style="white-space: pre; ">   </span>snort_path = /usr/sbin/snort</div><div><span class="Apple-tab-span" style="white-space: pre; ">      </span>enablesid = /etc/snort/enablesid.conf</div><div><span class="Apple-tab-span" style="white-space: pre; ">     </span>modifysid = /etc/snort/modifysid.conf</div><div><span class="Apple-tab-span" style="white-space: pre; ">     </span>pid_path = /var/run/snort_eth0.pid</div><div><span class="Apple-tab-span" style="white-space: pre; ">        </span>rule_path = /etc/snort/rules/snort.rules</div><div><span class="Apple-tab-span" style="white-space: pre; ">  </span>ignore = deleted.rules,experimental.rules,local.rules</div><div><span class="Apple-tab-span" style="white-space: pre; ">     </span>rule_url = ARRAY(0x15bc3a8)</div><div><span class="Apple-tab-span" style="white-space: pre; ">       
</span>sid_changelog = /var/log/sid_changes.log</div><div><span class="Apple-tab-span" style="white-space: pre; ">  </span>sid_msg = /etc/snort/sid-msg.map</div><div><span class="Apple-tab-span" style="white-space: pre; ">  </span>config_path = /etc/snort/snort.conf</div><div><span class="Apple-tab-span" style="white-space: pre; ">       </span>sostub_path = /etc/snort/rules/so_rules.rules</div><div><span class="Apple-tab-span" style="white-space: pre; ">     </span>temp_path = /tmp</div><div><span class="Apple-tab-span" style="white-space: pre; ">  </span>distro = Ubuntu-12.04</div><div><span class="Apple-tab-span" style="white-space: pre; ">     </span>version = 0.6.0</div><div><span class="Apple-tab-span" style="white-space: pre; ">   </span>sorule_path = /usr/lib/snort_dynamicrules/</div><div><span class="Apple-tab-span" style="white-space: pre; ">        </span>disablesid = /etc/snort/disablesid.conf</div><div><span class="Apple-tab-span" style="white-space: pre; ">   </span>dropsid = /etc/snort/dropsid.conf</div><div><span class="Apple-tab-span" style="white-space: pre; "> </span>local_rules = /etc/snort/rules/local.rules</div><div>** GET <a href="https://www.snort.org/reg-rules/snortrules-snapshot-2950.tar.gz.md5/%3Cmy_oinkcode%3E">https://www.snort.org/reg-rules/snortrules-snapshot-2950.tar.gz.md5/<my_oinkcode></a> ==> 403 Forbidden</div><div><span class="Apple-tab-span" style="white-space: pre; ">  </span>Error 403 when fetching <a href="https://www.snort.org/reg-rules/snortrules-snapshot-2950.tar.gz.md5">https://www.snort.org/reg-rules/snortrules-snapshot-2950.tar.gz.md5</a> at /usr/local/bin/pulledpork.pl line 453</div><div><span class="Apple-tab-span" style="white-space: pre; ">    </span>main::md5file('<my_oinkcode>', 'snortrules-snapshot-2950.tar.gz', '/tmp/', '<a href="https://www.snort.org/reg-rules/'">https://www.snort.org/reg-rules/'</a>) called at /usr/local/bin/pulledpork.pl line 1758</div><div>MISC (CLI and Autovar) Variable 
Debug:</div><div><span class="Apple-tab-span" style="white-space: pre; ">  </span>arch Def is: x86-64</div><div><span class="Apple-tab-span" style="white-space: pre; ">       </span>Config Path is: /etc/snort/pulledpork.conf</div><div><span class="Apple-tab-span" style="white-space: pre; ">        </span>Distro Def is: Ubuntu-12.04</div><div><span class="Apple-tab-span" style="white-space: pre; ">       </span>Disabled policy specified</div><div><span class="Apple-tab-span" style="white-space: pre; "> </span>local.rules path is: /etc/snort/rules/local.rules</div><div><span class="Apple-tab-span" style="white-space: pre; "> </span>Rules file is: /etc/snort/rules/snort.rules</div><div><span class="Apple-tab-span" style="white-space: pre; ">       </span>Path to disablesid file: /etc/snort/disablesid.conf</div><div><span class="Apple-tab-span" style="white-space: pre; ">       </span>Path to dropsid file: /etc/snort/dropsid.conf</div><div><span class="Apple-tab-span" style="white-space: pre; ">     </span>Path to enablesid file: /etc/snort/enablesid.conf</div><div><span class="Apple-tab-span" style="white-space: pre; "> </span>Path to modifysid file: /etc/snort/modifysid.conf</div><div><span class="Apple-tab-span" style="white-space: pre; "> </span>sid changes will be logged to: /var/log/sid_changes.log</div><div><span class="Apple-tab-span" style="white-space: pre; ">   </span>sid-msg.map Output Path is: /etc/snort/sid-msg.map</div><div><span class="Apple-tab-span" style="white-space: pre; ">        </span>Snort Version is: 2.9.5.0</div><div><span class="Apple-tab-span" style="white-space: pre; "> </span>Snort Config File: /etc/snort/snort.conf</div><div><span class="Apple-tab-span" style="white-space: pre; ">  </span>Snort Path is: /usr/sbin/snort</div><div><span class="Apple-tab-span" style="white-space: pre; ">    </span>SO Output Path is: /usr/lib/snort_dynamicrules/</div><div><span class="Apple-tab-span" style="white-space: pre; ">   </span>SO Stub File is: 
/etc/snort/rules/so_rules.rules</div><div><span class="Apple-tab-span" style="white-space: pre; ">  </span>Verbose Flag is Set</div><div><span class="Apple-tab-span" style="white-space: pre; ">       </span>Base URL is: <a href="https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|%3Cmy_oinkcode%3E">https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<my_oinkcode></a> <a href="https://www.snort.org/reg-rules/|opensource.gz|%3Cmy_oinkcode%3E">https://www.snort.org/reg-rules/|opensource.gz|<my_oinkcode></a></div><div>Checking latest MD5 for snortrules-snapshot-2950.tar.gz....</div><div><span class="Apple-tab-span" style="white-space: pre; ">        </span>Fetching md5sum for: snortrules-snapshot-2950.tar.gz.md5</div><div><span class="Apple-tab-span" style="white-space: pre; ">  </span>A 403 error occurred, please wait for the 15 minute timeout</div><div><span class="Apple-tab-span" style="white-space: pre; ">       </span>to expire before trying again or specify the -n runtime switch</div><div><span class="Apple-tab-span" style="white-space: pre; ">    </span>You may also wish to verfiy your oinkcode, tarball name, and other configuration options</div></div></div><div><br></div><div><div>On Jul 7, 2013, at 8:14 AM, Joel Esler wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="content-type" content="text/html; charset=utf-8"><div dir="auto"><div>Correct. <br><br><div><br></div>--<div>Joel Esler</div><div>Sent from my iPad</div></div><div><br>On Jul 6, 2013, at 8:51 PM, Jeremy Hoel <<a href="mailto:jthoel@...2420...">jthoel@...2420...</a>> wrote:<br><br></div><blockquote type="cite"><div><p dir="ltr">2.9.2 I believe is End Of Life  You might want to upgrade to a newer version and try again. </p>
<div class="gmail_quote">On Jul 6, 2013 5:49 PM, "Kevin Faust" <<a href="mailto:kevinfaust@...2282...">kevinfaust@...2282...</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I am having trouble configuring pulledpork to download the latest subscriber rules. I am seeing the following behavior (from <a href="http://pulledpork.pl/" target="_blank">pulledpork.pl</a> -v -c /etc/snort/pulledpork.conf):<br>

<br>
** GET <a href="https://www.snort.org/reg-rules/snortrules-snapshot-2920.tar.gz.md5/" target="_blank">https://www.snort.org/reg-rules/snortrules-snapshot-2920.tar.gz.md5/</a><my_oinkcode> ==> 200 OK (1s)<br>
** GET <a href="https://www.snort.org/reg-rules/snortrules-snapshot-2920.tar.gz/" target="_blank">https://www.snort.org/reg-rules/snortrules-snapshot-2920.tar.gz/</a><my_oinkcode> ==> 302 Found (1s)<br>
** GET <a href="https://s3.amazonaws.com/snort-org/www/rules/20120426/snortrules-snapshot-2920.tar.gz?AWSAccessKeyId=AKIAJ65S5YX6KA26VRJQ&Expires=1373156183&Signature=rsUTCmYqQmc7BzkdhdQz84wRXrg%3D" target="_blank">https://s3.amazonaws.com/snort-org/www/rules/20120426/snortrules-snapshot-2920.tar.gz?AWSAccessKeyId=AKIAJ65S5YX6KA26VRJQ&Expires=1373156183&Signature=rsUTCmYqQmc7BzkdhdQz84wRXrg%3D</a> ==> 403 Forbidden<br>

<br>
MISC (CLI and Autovar) Variable Debug:<br>
        arch Def is: x86-64<br>
        Config Path is: /etc/snort/pulledpork.conf<br>
        Distro Def is: Ubuntu-10.04<br>
        Disabled policy specified<br>
        local.rules path is: /etc/snort/rules/local.rules<br>
        Rules file is: /etc/snort/rules/snort.rules<br>
        Path to disablesid file: /etc/snort/disablesid.conf<br>
        Path to dropsid file: /etc/snort/dropsid.conf<br>
        Path to enablesid file: /etc/snort/enablesid.conf<br>
        Path to modifysid file: /etc/snort/modifysid.conf<br>
        sid changes will be logged to: /var/log/sid_changes.log<br>
        sid-msg.map Output Path is: /etc/snort/sid-msg.map<br>
        Snort Version is: 2.9.2.0<br>
        Snort Config File: /etc/snort/snort.conf<br>
        Snort Path is: /usr/sbin/snort<br>
        SO Output Path is: /usr/lib/snort_dynamicrules/<br>
        SO Stub File is: /etc/snort/rules/so_rules.rules<br>
        Verbose Flag is Set<br>
        Base URL is: <a href="https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|" target="_blank">https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|</a><my_oinkcode> <a href="https://www.snort.org/sub-rules/|opensource.gz|" target="_blank">https://www.snort.org/sub-rules/|opensource.gz|</a><my_oinkcode><br>

Checking latest MD5 for snortrules-snapshot-2920.tar.gz....<br>
        Fetching md5sum for: snortrules-snapshot-2920.tar.gz.md5<br>
        most recent rules file digest: d57a807b52ff2b4cebbd1d25242e6bb9<br>
Rules tarball download of snortrules-snapshot-2920.tar.gz....<br>
        Fetching rules file: snortrules-snapshot-2920.tar.gz<br>
        A 403 error occurred, please wait for the 15 minute timeout<br>
        to expire before trying again or specify the -n runtime switch<br>
        You may also wish to verfiy your oinkcode, tarball name, and other configuration options<br>
<br>
This occurs with either rule configuration 1 or 2 below, and of course waiting 15 minutes (or 15 hours for that matter) does nothing.<br>
<br>
1) rule_url=<a href="https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|" target="_blank">https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|</a><my_oinkcode><br>
2) rule_url=<a href="https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|" target="_blank">https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|</a><my_oinkcode><br>
<br>
But if I change to rule configuration 3 below, it works.<br>
<br>
3) rule_url=<a href="https://www.snort.org/reg-rules/|snortrules-snapshot-2931.tar.gz|" target="_blank">https://www.snort.org/reg-rules/|snortrules-snapshot-2931.tar.gz|</a><my_oinkcode><br>
<br>
However, I am not sure this is the correct version for my platform (Ubuntu 12.04) and am fairly certain this is not the latest subscriber version. BTW, how would one determine what the correct/latest version of the rules is for their specific platform?<br>

<br>
Any pointers are greatly appreciated.<br>
<br>
Thanks,<br>
<br>
Kevin<br>
<br>
<br>
------------------------------------------------------------------------------<br>
This <a href="http://SF.net/">SF.net</a> email is sponsored by Windows:<br>
<br>
Build for Windows Store.<br>
<br>
<a href="http://p.sf.net/sfu/windows-dev2dev" target="_blank">http://p.sf.net/sfu/windows-dev2dev</a><br>
_______________________________________________<br>
Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@...639...forge.net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-sigs</a><br>
<a href="http://www.snort.org/" target="_blank">http://www.snort.org</a><br>
<br>
<br>
Please visit <a href="http://blog.snort.org/" target="_blank">http://blog.snort.org</a> for the latest news about Snort!<br>
</blockquote></div>
</div></blockquote></div></blockquote></div><br></body></html>