[Snort-users] [Snort-sigs] Update your oinkmaster/pulled_pork conf files

Joel Esler jesler at ...1935...
Tue Jun 29 10:19:20 EDT 2010


On Jun 29, 2010, at 10:11 AM, infosec posts wrote:
> 
> I was using this URL in my update scripts:
> 
> wget http://www.snort.org/pub-bin/oinkmaster.cgi/$oink_code/snortrules-snapshot-2853_s.tar.gz
> 
> Now I'm getting this:
> http://www.snort.org/pub-bin/oinkmaster.cgi/$oink_code/snortrules-snapshot-2853_s.tar.gz
> Resolving www.snort.org... 68.177.102.20
> Connecting to www.snort.org|68.177.102.20|:80... connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 2010-06-29 08:46:33 ERROR 403: Forbidden.
> 
> Did the URL above get broken, too?
> 
> 
> Since that didn't work I tried:
> wget http://www.snort.org/reg-rules/snortrules-snapshot-2853.tar.gz/$oink_code
> 
> but that redirected to an SSL connection with Amazon, which isn't open
> on my firewall from the machine in question.
> 
> 
> So, I went to another machine and tried
> wget http://www.snort.org/reg-rules/snortrules-snapshot-2853.tar.gz/$oink_code
> wget http://www.snort.org/reg-rules/snortrules-snapshot-2853_s.tar.gz/$oink_code
> 
> Both of which are giving me 403: Forbidden.
> 
> Are the 2.8.5.3 URLs no longer supported?
> Is the "15-minute rule" being imposed by oink code now instead of connecting IP?
> Is the '_s' filename still in use to distinguish subscriber packs from
> non-subscribers?
> 
> (Note: Obviously, my actual oinkmaster code has been sanitized to
> '$oink_code' in everything above.)

There is no need for the _s anymore.

http://vrt-sourcefire.blogspot.com/2010/06/important-rule-download-change.html

I'll send this over to the web team.

Joel




