[Snort-users] [Snort-sigs] Update your oinkmaster/pulled_pork conf files

infosec posts infosec.posts at ...11827...
Tue Jun 29 10:11:38 EDT 2010

I was using this URL in my update scripts:

wget http://www.snort.org/pub-bin/oinkmaster.cgi/$oink_code/snortrules-snapshot-2853_s.tar.gz

Now I'm getting this:
Resolving www.snort.org...
Connecting to www.snort.org||:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2010-06-29 08:46:33 ERROR 403: Forbidden.

Did the URL above get broken, too?

Since that didn't work I tried:
wget http://www.snort.org/reg-rules/snortrules-snapshot-2853.tar.gz/$oink_code

but that redirected to an SSL connection with Amazon, which isn't open
on my firewall from the machine in question.

So,  I went to another machine and tried
wget http://www.snort.org/reg-rules/snortrules-snapshot-2853.tar.gz/$oink_code
wget http://www.snort.org/reg-rules/snortrules-snapshot-2853_s.tar.gz/$oink_code

Both of which are giving me 403: Forbidden.

Are the URLs no longer supported?
Is the "15-minute rule" being imposed by oink code now instead of connecting IP?
Is the '_s' filename still in use to distinguish subscriber packs from

(Note: Obviously, my actual oinkmaster code has been sanitized to
'$oink_code' in everything above.)

On Mon, Jun 28, 2010 at 3:31 PM, Mike Guiterman
<mguiterman at ...1935...> wrote:
> Hi everyone,
> This afternoon's upgrade of Snort.org is complete.  One of the issues
> addressed was improving the reliability of the VRT rules download process.
> Over the past few months we've seen an increase in reports about failed
> downloads.  Today's upgrade should resolve the problem.
> This change does affect users who have automated their rules update
> process.  The download URL used oinkmaster and pulled_pork conf files has
> changed.  The new URL has been updated on the "oinkcodes" page on
> Snort.org.  An example of the change is below:
> Old download URL
>  http://dl.snort.org/reg-rules/snortrules-snapshot-2860.tar.gz?oink_code=<OINKCODE>
> Is now.
>  http://www.snort.org/reg-rules/snortrules-snapshot-2860.tar.gz/<OINKCODE>
> To continue receiving automated rules updates please update your conf. file
> with the new URL.
> Our apologies for the inconvenience.
> Regards,
> Mike
> --
> Mike Guiterman
> Snort Community Manager
> Sourcefire, Inc.
> mguiterman at ...1935...
> 410.423.1930 (office)
> 703.400.4091 (mobile)
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

More information about the Snort-users mailing list