[Snort-users] Intermittent Pulled Pork Error

Weir, Jason jason.weir at ...14916...
Thu Feb 17 08:29:43 EST 2011


Unless I'm incorrect - I'm only pulling rules when the md5 hash file has
changed... I do have PP checking every couple hours (cron) for an
updated md5.

I know that's way more often than you push updates, but it should have
no effect on the file availability...

FYI - overnight PP fetching the 2.9.0.4 rules failed half the time,
another sensor still using oinkmaster fetching the 2.8.6.1 rules worked
without error every time..

So maybe this is a PP problem???

-J

> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...] 
> Sent: Wednesday, February 16, 2011 10:04 PM
> To: Weir, Jason
> Cc: Nigel Houghton; Snort Users
> Subject: Re: [Snort-users] Intermittent Pulled Pork Error
> 
> 
> We shouldn't. We've notified the web-team. How often are you 
> trying to pull rule updates?  Just out of curiosity. 
> 
> -- 
> Sent from my iPad
> Please excuse the brevity
> 
> On Feb 16, 2011, at 4:04 PM, "Weir, Jason" 
> <jason.weir at ...14916...> wrote:
> 
> > Nigel,
> > 
> > I changed the rules file name to snortrules-snapshot-edge.tar.gz as
> > indicated below and I'm intermittently still getting the 500 error..
> > 
> > "Error 500 when fetching
> > https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at
> > /usr/local/bin/pulledpork.pl line 390"
> > 
> > Just tried it manually and it worked fine...  You guys having a delivery
> > problem?
> > 
> > -J
> > 
> >> -----Original Message-----
> >> From: Nigel Houghton [mailto:nhoughton at ...1935...] 
> >> Sent: Wednesday, February 16, 2011 1:38 PM
> >> To: Weir, Jason
> >> Cc: Snort Users
> >> Subject: Re: [Snort-users] Intermittent Pulled Pork Error
> >> 
> >> 
> >> On Wed, 16 Feb 2011 13:32:45 -0500, Nigel Houghton wrote:
> >>> On Wed, 16 Feb 2011 13:05:09 -0500, Weir, Jason wrote:
> >>>> Doesn't happen all of the time...
> >>>> 
> >>>> Error 500 when fetching
> >>>> https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at
> >>>> /usr/local/bin/pulledpork.pl line 390
> >>>> 
> >>>> -J
> >>> 
> >>> That's not a PulledPork error, that's a website error. The file isn't
> >>> there, which strictly speaking shouldn't be a 500 server error, but
> >>> since the application that handles looking for the file can't find it,
> >>> the server will return the application error instead of a 404 not found.
> >>> 
> >>> With that said, I'll forward this to our Snort web team for 
> >>> investigation.
> >> 
> >> Actually, no I won't. After looking at snort.org I see that the 2.9.0.4
> >> rule set is not yet available for registered users. So, you'll get a
> >> 404 (or 500) for the rules file too.
> >> 
> >> You can fix this for future use by using
> >> snortrules-snapshot-edge.tar.gz as the name of your rules file. That
> >> way, you will get the latest version of rules for either registered or
> >> subscriber rules automatically. Right now, for registered users this
> >> will be a 2.9.0.3 rule set. Which should work with 2.9.0.4.
> >> 
> >> Now, per the rules of the drinking game, I will be taking a shot or two
> >> for replying to my own email.
> >> 
> >> --
> >> Nigel Houghton
> >> Head Mentalist
> >> SF VRT Department of Intelligence Excellence
> >> http://vrt-blog.snort.org/ && http://labs.snort.org/
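
The md5-gated check discussed in this thread, sketched as an added example (not PulledPork's code and not written by anyone in the thread): it retries transient 5xx responses with backoff, reports a 404 as "not available", and signals a download only when the md5 has changed. The `fetch` callable, the function names and the example URL are hypothetical, and the canned responses are constructed.

```python
import time

TRANSIENT = {500, 502, 503, 504}   # server-side errors worth retrying
HEX = set("0123456789abcdef")

def check_for_update(fetch, url, last_md5, retries=3, base_delay=1.0,
                     sleep=time.sleep):
    """Decide whether the rules tarball needs downloading.

    fetch(url) -> (status, body) is a caller-supplied HTTP function
    (hypothetical), which keeps this logic testable offline.
    Returns (action, detail).
    """
    for attempt in range(retries + 1):
        status, body = fetch(url)
        if status == 200:
            fields = body.split()          # accepts "<md5>" or "<md5>  <file>"
            md5 = fields[0].lower() if fields else ""
            if len(md5) != 32 or not set(md5) <= HEX:
                return ("malformed", None)
            # The md5 is only a change indicator here, not an integrity check.
            return ("unchanged", md5) if md5 == last_md5 else ("download", md5)
        if status in TRANSIENT and attempt < retries:
            sleep(base_delay * 2 ** attempt)   # 1s, 2s, 4s, ...
            continue
        if status == 404:
            return ("not-available", None)
        return ("error", status)           # persistent 5xx or unexpected status
    return ("error", None)                 # only reached if retries < 0

def scripted_fetch(responses):
    """Constructed stand-in for an HTTP client: replays canned responses."""
    queue = iter(responses)
    return lambda url: next(queue)

if __name__ == "__main__":
    url = "https://rules.example.invalid/snortrules-snapshot-edge.tar.gz.md5"
    flaky = scripted_fetch([(500, ""), (500, ""),
                            (200, "d41d8cd98f00b204e9800998ecf8427e\n")])
    print(check_for_update(flaky, url, last_md5="0" * 32, sleep=lambda s: None))
```

A persistent 5xx is returned as `("error", status)` rather than retried forever, so a cron job can log it and distinguish it from an unchanged md5.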

