[Snort-users] rule download problem

JJ Cummings cummingsj at ...11827...
Fri Jul 2 12:19:28 EDT 2010


Unfortunately, with 0.4.2 you do; however, the version that is currently committed to svn does not.

With 0.4.2 you want two configs, one pointed at the rules file created by the first run as a "local" rules file for inclusion in sid-msg.map, and all created rules files included in snort.conf.

Sent from the iRoad

On Jul 2, 2010, at 10:05, "Jefferson, Shawn" <Shawn.Jefferson at ...14448...> wrote:

> Thanks for this, that worked perfectly.
> 
> Do you need a separate pulledpork.conf to download the ET ruleset as well as the Snort one?
> 
> From: JJC [mailto:cummingsj at ...11827...] 
> Sent: Thursday, July 01, 2010 10:28 AM
> To: Jefferson, Shawn
> Cc: Joel Esler; Crook, Parker; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] rule download problem
> 
> Ok, this seems to be an issue that stems from the fact that this version of Ubuntu does not have some required perl modules (even though if installed from CPAN they are dependencies). The short of it is that you need Crypt::SSLeay and for whatever reason the maintainers did not include this dependency... but I'm not gonna get into that discussion today. The following will fix the problem in Ubuntu.
> 
> apt-get install libcrypt-ssleay-perl
> 
> Other required modules, if you don't have them (from the repos, not CPAN) are:
> 
> libwww-perl
> libarchive-tar-perl (Archive::Tar)
> 
> And of course you also need to be sure that all of your root certs are up to date (I know that this has been covered, but I am covering it again for the sake of completeness):
> 
> sudo apt-get install ca-certificates
> sudo update-ca-certificates
> 
> That should just about cover it... all of the reports were from Ubuntu 8x x86_64 and so forth.
> 
> JJC
> 
> On Wed, Jun 30, 2010 at 5:39 PM, Jefferson, Shawn <Shawn.Jefferson at ...14545...48...> wrote:
> 
> Hi,
> 
> No, this is a new installation. I am using Oinkmaster but thought this might be a good opportunity to upgrade to pulled pork. A packet capture shows the download of the md5 working properly, but the download of the rules file gets a 302 redirect, and then nothing else. Pulled Pork doesn't follow the redirect maybe?
> 
> From: Joel Esler [mailto:jesler at ...1935...] 
> Sent: Wednesday, June 30, 2010 4:36 PM
> To: Jefferson, Shawn
> Cc: Crook, Parker; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] rule download problem
> 
> Are you using the pulledpork.conf file from your old pulledpork installation?
> 
> Can't do that.
> 
> On Jun 30, 2010, at 7:31 PM, Jefferson, Shawn wrote:
> 
> What was the solution to this? I'm trying to set up Pulled Pork using the new download location and am getting the same error (501) when trying to download the tar.gz file.
> 
> Checking latest MD5....
>         Fetching md5sum for: snortrules-snapshot-2853.tar.gz.md5
>         most recent rules file digest: aa012e45a5756acabb0e8c31e862f336
> Rules tarball download....
>         Fetching rules file: snortrules-snapshot-2853.tar.gz
>         Error 501 when fetching snortrules-snapshot-2853.tar.gz at ./pulledpork.pl line 261.
> 
> Do I have the right settings?
> 
>         rule_file = snortrules-snapshot-2853.tar.gz
>         base_url = http://www.snort.org/sub-rules
>         version = 0.4.2
> 
> From: Crook, Parker [mailto:Parker_Crook at ...14786...] 
> Sent: Tuesday, June 29, 2010 8:35 AM
> To: 'JJC'; John York
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] rule download problem
> 
> JJ,
> 
> I've waited the morning out to see if this would clear up, but I've been ping-ponging back and forth between 501 and 403 errors when using the Pulled Pork svn to try and download the new rules. Below is the verbose output... any words of advice here?
> 
> snort-lab:/etc/snort/pulledpork# ./pulledpork.pl -c etc/pulledpork.conf -vv
> 
>     http://code.google.com/p/pulledpork/
>       _____ ____
>      `----,\    )
>       `--==\\  /    Pulled_Pork v0.4.2
>        `--==\\/
>      .-~~~~-.Y|\\_  Copyright (C) 2009-2010 JJ Cummings
>   @_/        /  66\_  cummingsj at ...11827...
>     |    \   \   _(")
>      \   /-| ||'--'  Rules give me wings!
>       \_\  \_\\
>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Command Line Variable Debug:
>         Config Path is: etc/pulledpork.conf
>         Verbose Flag is Set
>         Extra Verbose Flag is Set
> Config File Variable Debug etc/pulledpork.conf
>         snort_path = /usr/local/bin/snort
>         pid_path = /var/run/snort_eth0.pid
>         rule_path = /etc/snort/rules/snort.rules
>         ignore = deleted,experimental,local
>         rule_file = snortrules-snapshot-2860.tar.gz
>         sid_changelog = /var/log/sid_changes.log
>         sid_msg = /etc/snort/sid-msg.map
>         config_path = /etc/snort/snort.conf
>         sostub_path = /etc/snort/rules/so_rules.rules
>         oinkcode = <oinkcode obfuscated>
>         temp_path = /tmp
>         distro = Debian-Lenny
>         base_url = http://www.snort.org/
>         sorule_path = /usr/local/lib/snort_dynamicrules/
>         version = 0.4.2
>         disablesid = /usr/local/etc/snort/disablesid.conf
>         local_rules = /etc/snort/rules/local.rules
> Checking latest MD5....
>         Fetching md5sum for: snortrules-snapshot-2860.tar.gz.md5
>         most recent rules file digest: b3cb777fac21999675e8cf5696865fa5
>         current local rules file digest: 4a7877208481756881a66f7cadcff98b
>         The MD5 for snortrules-snapshot-2860.tar.gz did not match the latest digest... so I am gonna fetch the latest rules file!
> Rules tarball download....
>         Fetching rules file: snortrules-snapshot-2860.tar.gz
>         Error 501 when fetching snortrules-snapshot-2860.tar.gz at ./pulledpork.pl line 262.
> 
> -Parker
> 
> From: JJC [mailto:cummingsj at ...11827...] 
> Sent: Tuesday, June 29, 2010 10:32 AM
> To: John York
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] rule download problem
> 
> The rule download location has changed; you will want to get the latest version of pulledpork from svn (0.4.2) or wait until the tarball is released shortly.
> 
> JJC
> 
> On Tue, Jun 29, 2010 at 7:25 AM, John York <YorkJ at ...7109...> wrote:
> 
> I've been using PulledPork (v 0.4.1 Stumbling Leprechaun) to get my rules, but in the last week or so it has started giving this error:
> Error 403 when fetching http://www.snort.org/pub-bin/oinkmaster.cgi/snortrules-snapshot-2860_s.tar.gz.md5 at /home/xxxx/snortrules/pulledpork/pulledpork.pl line 306
> 
> It does this even if I wait several hours between attempts, so I don't think the 15 min limit is involved.
> 
> These are the applicable lines from the conf file:
> base_url=http://www.snort.org/pub-bin/oinkmaster.cgi
> rule_file=snortrules-snapshot-2860_s.tar.gz
> 
> My subscription is up to date--I can log in to the web site and download the rules ok.  Any ideas?
> 
> Thanks
> John
> 
> 
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
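The flow that the verbose output above shows (fetch the .md5 sidecar, compare it with the local tarball, fetch the tarball only on mismatch) and the two failure modes the thread turns on (a 302 redirect the client must follow, and HTTPS that needs a current CA store), as an added Python example. This is not pulledpork's own code (pulledpork is Perl); the base URL, rule file name and digests it uses are constructed for the example. Note that the MD5 sidecar is served from the same place as the tarball it describes, so it catches truncated or swapped downloads, not a hostile server; the certificate check on the TLS connection is what stands in for that.

```python
"""Rule-snapshot download flow: digest check plus redirect and TLS policy.

Added example, not pulledpork's own code. Mirrors the flow in the thread's
verbose output (fetch <rule_file>.md5, compare with the local tarball, fetch
on mismatch, re-verify before unpacking) and handles a 302 that must be
followed without letting an https:// fetch be bounced to plaintext http://.
All URLs, file names and digests here are constructed for the example.
"""
import hashlib
import re
import ssl
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urlsplit

# Accepts a bare digest (what pulledpork prints) or md5sum's "digest  filename".
MD5_LINE = re.compile(r"^([0-9a-f]{32})(?:\s+\*?(\S+))?$", re.IGNORECASE)


def parse_md5_sidecar(text: str, expected_name: Optional[str] = None) -> str:
    """Return the digest from a .md5 sidecar; refuse one that names another file."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MD5_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable md5 line: {line!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if expected_name and name and name != expected_name:
            raise ValueError(f"sidecar is for {name!r}, not {expected_name!r}")
        return digest
    raise ValueError("empty md5 sidecar")


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def needs_download(local_tarball: Optional[bytes], sidecar_text: str, rule_file: str) -> bool:
    """The decision pulledpork logs: fetch only when the digests differ."""
    latest = parse_md5_sidecar(sidecar_text, rule_file)
    return local_tarball is None or md5_of_bytes(local_tarball) != latest


def verify_download(data: bytes, sidecar_text: str, rule_file: str) -> bytes:
    """Re-check the downloaded bytes so a truncated or swapped tarball never reaches tar."""
    latest = parse_md5_sidecar(sidecar_text, rule_file)
    actual = md5_of_bytes(data)
    if actual != latest:
        raise ValueError(f"digest mismatch for {rule_file}: got {actual}, expected {latest}")
    return data


def redirect_allowed(from_url: str, to_url: str) -> bool:
    """Follow redirects, but never let an https:// request be downgraded to http://."""
    return not (urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme != "https")


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not redirect_allowed(req.full_url, newurl):
            raise urllib.error.HTTPError(newurl, code, "refusing redirect to plaintext http", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener() -> urllib.request.OpenerDirector:
    # create_default_context() verifies the server chain against the system CA
    # store (the ca-certificates package on Debian/Ubuntu) and checks the hostname.
    ctx = ssl.create_default_context()
    return urllib.request.build_opener(
        NoDowngradeRedirectHandler(), urllib.request.HTTPSHandler(context=ctx))


def fetch(opener: urllib.request.OpenerDirector, url: str) -> bytes:
    """Network fetch; raises urllib.error.HTTPError carrying the status (403, 501, ...)."""
    with opener.open(url, timeout=60) as resp:
        return resp.read()


def update_rules(base_url: str, rule_file: str, local_tarball: Optional[bytes]) -> Optional[bytes]:
    """Network: return verified new tarball bytes if the published digest changed, else None."""
    opener = build_opener()
    sidecar = fetch(opener, f"{base_url}/{rule_file}.md5").decode("ascii", "replace")
    if not needs_download(local_tarball, sidecar, rule_file):
        return None
    return verify_download(fetch(opener, f"{base_url}/{rule_file}"), sidecar, rule_file)


if __name__ == "__main__":
    # Offline demonstration with constructed data; no network is touched here.
    tarball = b"constructed tarball bytes"
    sidecar = f"{md5_of_bytes(tarball)}  snortrules-snapshot-2860.tar.gz\n"
    print("fetch needed:", needs_download(tarball, sidecar, "snortrules-snapshot-2860.tar.gz"))
    print("downgrade ok:", redirect_allowed("https://www.snort.org/x", "http://example.invalid/x"))
```

Only `update_rules` (via `fetch`) touches the network; everything else can be exercised with constructed bytes as the `__main__` block does. Run against a real server it needs a working system CA store, which is exactly what the `apt-get install ca-certificates` and `update-ca-certificates` steps in the thread provide, and it will surface a 403 or 501 as an `HTTPError` rather than silently keeping a stale tarball.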