[Snort-users] rule download problem

Crook, Parker Parker_Crook at ...14786...
Tue Jun 29 11:57:19 EDT 2010


JJ,



I tried again and ran a snort -dev in the background and noticed:

...

https://s3.amazonaws.com/snort.org/rules/20100525/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId=

...<concatenated>...

<html><body>You are being <a href="https://s3.amazonaws.com/snort.org/rules/20100525/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId=<concatenated>">redirected</a>.</body></html>



So, looks like I'm just one of the ones getting sent to the old backend.



-Parker



P.S. Sorry for pointing in your direction.  It's nice to see that you continue to turn out updated code so quickly, thanks.



  _____

From: JJC [mailto:cummingsj at ...11827...]
Sent: Tuesday, June 29, 2010 11:37 AM
To: Crook, Parker
Cc: John York; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] rule download problem



Parker,



I'll look into it.. of course I can't reproduce the issue.  Are you doing any type of egress filtering / blocking of sites etc?



JJC

On Tue, Jun 29, 2010 at 9:35 AM, Crook, Parker <Parker_Crook at ...14786...> wrote:

JJ,



I've waited the morning out to see if this would clear up, but I've been ping-ponging back and forth between 501 and 403 errors when using the Pulled Pork svn to try and download the new rules.  Below is the verbose output... any words of advice here?



snort-lab:/etc/snort/pulledpork# ./pulledpork.pl -c etc/pulledpork.conf -vv

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    Pulled_Pork v0.4.2
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2010 JJ Cummings
  @_/        /  66\_  cummingsj at ...11827...
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Variable Debug:
        Config Path is: etc/pulledpork.conf
        Verbose Flag is Set
        Extra Verbose Flag is Set
Config File Variable Debug etc/pulledpork.conf
        snort_path = /usr/local/bin/snort
        pid_path = /var/run/snort_eth0.pid
        rule_path = /etc/snort/rules/snort.rules
        ignore = deleted,experimental,local
        rule_file = snortrules-snapshot-2860.tar.gz
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /etc/snort/sid-msg.map
        config_path = /etc/snort/snort.conf
        sostub_path = /etc/snort/rules/so_rules.rules
        oinkcode = <oinkcode obfuscated>
        temp_path = /tmp
        distro = Debian-Lenny
        base_url = http://www.snort.org/
        sorule_path = /usr/local/lib/snort_dynamicrules/
        version = 0.4.2
        disablesid = /usr/local/etc/snort/disablesid.conf
        local_rules = /etc/snort/rules/local.rules
Checking latest MD5....
        Fetching md5sum for: snortrules-snapshot-2860.tar.gz.md5
        most recent rules file digest: b3cb777fac21999675e8cf5696865fa5
        current local rules file  digest: 4a7877208481756881a66f7cadcff98b
        The MD5 for snortrules-snapshot-2860.tar.gz did not match the latest digest... so I am gonna fetch the latest rules file!
Rules tarball download....
        Fetching rules file: snortrules-snapshot-2860.tar.gz
        Error 501 when fetching snortrules-snapshot-2860.tar.gz at ./pulledpork.pl line 262.



-Parker

  _____

From: JJC [mailto:cummingsj at ...11827...]
Sent: Tuesday, June 29, 2010 10:32 AM
To: John York
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] rule download problem



The rule download location has changed, you will want to get the latest version of pulledpork from svn (0.4.2) or wait until the tarball is released shortly.



JJC

On Tue, Jun 29, 2010 at 7:25 AM, John York <YorkJ at ...7109...> wrote:

I've been using PulledPork (v 0.4.1 Stumbling Leprechaun) to get my rules, but in the last week or so it has started giving this error:
Error 403 when fetching http://www.snort.org/pub-bin/oinkmaster.cgi/snortrules-snapshot-2860_s.tar.gz.md5 at /home/xxxx/snortrules/pulledpork/pulledpork.pl line 306

It does this even if I wait several hours between attempts, so I don't think the 15 min limit is involved.

These are the applicable lines from the conf file:
base_url=http://www.snort.org/pub-bin/oinkmaster.cgi
rule_file=snortrules-snapshot-2860_s.tar.gz

My subscription is up to date--I can log in to the web site and download the rules ok.  Any ideas?

Thanks
John
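
Added example (not part of the thread and not PulledPork's own code): a post-download check that tells the HTML redirect page captured in the first message apart from a real rules tarball, then compares the file's MD5 with the published digest the way the verbose output above does. The function names, the return labels, the PLACEHOLDER query string in the sample stub and the assumption that the first whitespace-separated token of the .md5 file is the digest are assumptions of this example.

```python
import hashlib
import io
import tarfile

GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample: the redirect page from the capture above, with a
# placeholder where the thread elides the signed query string.
REDIRECT_STUB = (
    b'<html><body>You are being <a href="https://s3.amazonaws.com/snort.org/'
    b'rules/20100525/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId=PLACEHOLDER">'
    b"redirected</a>.</body></html>"
)

def classify_download(body: bytes, published_md5: str) -> str:
    """Return 'ok', 'redirect-stub', 'not-gzip' or 'md5-mismatch'."""
    head = body[:512].lstrip().lower()
    if head.startswith(b"<html") and b"redirected" in head:
        return "redirect-stub"      # client did not follow the redirect
    if not body.startswith(GZIP_MAGIC):
        return "not-gzip"           # e.g. an error page saved as the tarball
    # Assumption: first whitespace-separated token of the .md5 file is the digest.
    tokens = published_md5.split()
    expected = tokens[0].lower() if tokens else ""
    if hashlib.md5(body).hexdigest() != expected:
        return "md5-mismatch"       # truncated, stale or altered file
    return "ok"

def constructed_tarball() -> bytes:
    """Build a tiny .tar.gz in memory (constructed sample, not a real ruleset)."""
    data = b"# constructed sample rule file\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("rules/local.rules")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    good = constructed_tarball()
    digest = hashlib.md5(good).hexdigest()
    for label, body in [("tarball", good), ("stub", REDIRECT_STUB),
                        ("truncated", good[:-1]), ("error text", b"Error 403")]:
        print(label, "->", classify_download(body, digest))
```

Running the check before the tarball is unpacked keeps a saved redirect or error page from being treated as a new ruleset.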

