[Snort-users] Intermittent Pulled Pork Error

Joel Esler jesler at ...1935...
Thu Feb 17 10:28:32 EST 2011


I'll let JJ address the PP area,

However, you are correct.  One of the advantages of PulledPork is that it checks the md5 to see if there is a difference in the ruleset before an attempted download.

My reason for asking is because we generally only release rules, probably twice a week.  (sometimes more, depending on what's going on)

Joel

On Feb 17, 2011, at 8:29 AM, Weir, Jason wrote:

> Unless I'm incorrect - I'm only pulling rules when the md5 hash file has
> changed... I do have PP checking every couple hours (cron) for an
> updated md5.
> 
> I know that's way more often than you push updates, but it should have
> no effect on the file availability...
> 
> FYI - overnight PP fetching the 2.9.0.4 rules failed half the time,
> another sensor still using oinkmaster fetching the 2.8.6.1 rules worked
> without error every time..
> 
> So maybe this is a PP problem???
> 
> -J
> 
>> -----Original Message-----
>> From: Joel Esler [mailto:jesler at ...1935...] 
>> Sent: Wednesday, February 16, 2011 10:04 PM
>> To: Weir, Jason
>> Cc: Nigel Houghton; Snort Users
>> Subject: Re: [Snort-users] Intermittent Pulled Pork Error
>> 
>> 
>> We shouldn't. We've notified the web-team. How often are you 
>> trying to pull rule updates?  Just out of curiosity. 
>> 
>> -- 
>> Sent from my iPad
>> Please excuse the brevity
>> 
>> On Feb 16, 2011, at 4:04 PM, "Weir, Jason" 
>> <jason.weir at ...14916...> wrote:
>> 
>>> Nigel,
>>> 
>>> I changed the rules file name to snortrules-snapshot-edge.tar.gz as
>>> indicated below and I'm intermittently still getting the 500 error..
>>> 
>>> "Error 500 when fetching
>>> https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at
>>> /usr/local/bin/pulledpork.pl line 390"
>>> 
>>> Just tried it manually and it worked fine...  You guys having a delivery
>>> problem?
>>> 
>>> -J
>>> 
>>>> -----Original Message-----
>>>> From: Nigel Houghton [mailto:nhoughton at ...1935...] 
>>>> Sent: Wednesday, February 16, 2011 1:38 PM
>>>> To: Weir, Jason
>>>> Cc: Snort Users
>>>> Subject: Re: [Snort-users] Intermittent Pulled Pork Error
>>>> 
>>>> 
>>>> On Wed, 16 Feb 2011 13:32:45 -0500, Nigel Houghton wrote:
>>>>> On Wed, 16 Feb 2011 13:05:09 -0500, Weir, Jason wrote:
>>>>>> Doesn't happen all of the time...
>>>>>> 
>>>>>> Error 500 when fetching
>>>>>> https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at
>>>>>> /usr/local/bin/pulledpork.pl line 390
>>>>>> 
>>>>>> -J
>>>>> 
>>>>> That's not a PulledPork error, that's a website error. The file isn't
>>>>> there, which strictly speaking shouldn't be a 500 server error, but
>>>>> since the application that handles looking for the file can't find it,
>>>>> the server will return the application error instead of a 404 not found.
>>>>> 
>>>>> With that said, I'll forward this to our Snort web team for 
>>>>> investigation.
>>>> 
>>>> Actually, no I won't. After looking at snort.org I see that the 2.9.0.4
>>>> rule set is not yet available for registered users. So, you'll get a
>>>> 404 (or 500) for the rules file too.
>>>> 
>>>> You can fix this for future use by using
>>>> snortrules-snapshot-edge.tar.gz as the name of your rules file. That
>>>> way, you will get the latest version of rules for either registered or
>>>> subscriber rules automatically. Right now, for registered users this
>>>> will be a 2.9.0.3 rule set. Which should work with 2.9.0.4.
>>>> 
>>>> Now, per the rules of the drinking game, I will be taking a shot or two
>>>> for replying to my own email.
>>>> 
>>>> --
>>>> Nigel Houghton
>>>> Head Mentalist
>>>> SF VRT Department of Intelligence Excellence
>>>> http://vrt-blog.snort.org/ && http://labs.snort.org/

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
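
The check-before-download behaviour discussed in this thread, sketched as an added example (it is not PulledPork's code and not part of the original messages): fetch the `.md5` first, retry only on transient 5xx responses such as the intermittent 500 reported here, and download the tarball only when the hash differs. The function names, retry count, `rules.example` URL and the fake server are assumptions constructed for illustration.

```python
import hashlib
import time

def fetch_with_retry(fetch, url, attempts=3, delay=0.0):
    """Call fetch(url) -> (status, body); retry only on 5xx responses."""
    for attempt in range(1, attempts + 1):
        status, body = fetch(url)
        if status == 200:
            return body
        if 500 <= status < 600 and attempt < attempts:
            time.sleep(delay)  # transient server-side error: back off, try again
            continue
        raise RuntimeError(f"HTTP {status} fetching {url}")

def sync_rules(fetch, rules_url, local_md5):
    """Return ("unchanged" | "updated", md5); download only if the .md5 differs."""
    published = fetch_with_retry(fetch, rules_url + ".md5")
    remote_md5 = published.decode().split()[0].lower()
    if remote_md5 == local_md5:
        return "unchanged", local_md5
    tarball = fetch_with_retry(fetch, rules_url)
    # Confirm the download is the file the .md5 describes (catches truncation).
    if hashlib.md5(tarball).hexdigest() != remote_md5:
        raise ValueError("tarball does not match published MD5")
    return "updated", remote_md5

# Constructed placeholder URL; only the file name comes from the thread.
RULES_URL = "https://rules.example/snortrules-snapshot-edge.tar.gz"

def make_flaky_server(tarball, failures):
    """Constructed test double: answers 500 to the first `failures` requests."""
    state = {"left": failures}
    log = []
    def fetch(url):
        log.append(url)
        if state["left"] > 0:
            state["left"] -= 1
            return 500, b"Internal Server Error"
        if url == RULES_URL + ".md5":
            return 200, hashlib.md5(tarball).hexdigest().encode() + b"\n"
        if url == RULES_URL:
            return 200, tarball
        return 404, b""
    return fetch, log

if __name__ == "__main__":
    data = b"constructed rule data"
    fetch, log = make_flaky_server(data, failures=1)
    print(sync_rules(fetch, RULES_URL, local_md5="0" * 32))
    print(sync_rules(fetch, RULES_URL, hashlib.md5(data).hexdigest()))
    print(len(log), "requests made")
```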
