[Snort-users] Intermittent Pulled Pork Error

Weir, Jason jason.weir at ...14916...
Thu Feb 17 10:37:39 EST 2011


Thanks Joel...

I'd prefer updates as soon as they are available (within a couple hours
at least) without manual intervention - thus the frequent checking via
cron.

The hash file is less than 1K - I would suspect I could check it on the
minute and not overload the cloud...

-J

> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...] 
> Sent: Thursday, February 17, 2011 10:29 AM
> To: Weir, Jason
> Cc: Nigel Houghton; Snort Users
> Subject: Re: [Snort-users] Intermittent Pulled Pork Error
> 
> 
> I'll let JJ address the PP area,
> 
> However, you are correct.  One of the advantages of 
> PulledPork is that it checks the md5 to see if there is a 
> difference in the ruleset before an attempted download.
> 
> My reason for asking is because we generally only release 
> rules, probably twice a week.  (sometimes more, depending on 
> what's going on)
> 
> Joel
> 
> On Feb 17, 2011, at 8:29 AM, Weir, Jason wrote:
> 
> > Unless I'm incorrect - I'm only pulling rules when the md5 hash file has
> > changed... I do have PP checking every couple hours (cron) for an
> > updated md5.
> > 
> > I know that's way more often than you push updates, but it should have
> > no effect on the file availability...
> > 
> > FYI - overnight PP fetching the 2.9.0.4 rules failed half the time,
> > another sensor still using oinkmaster fetching the 2.8.6.1 rules worked
> > without error every time..
> > 
> > So maybe this is a PP problem???
> > 
> > -J
> > 
> >> -----Original Message-----
> >> From: Joel Esler [mailto:jesler at ...1935...] 
> >> Sent: Wednesday, February 16, 2011 10:04 PM
> >> To: Weir, Jason
> >> Cc: Nigel Houghton; Snort Users
> >> Subject: Re: [Snort-users] Intermittent Pulled Pork Error
> >> 
> >> 
> >> We shouldn't. We've notified the web-team. How often are you 
> >> trying to pull rule updates?  Just out of curiosity. 
> >> 
> >> -- 
> >> Sent from my iPad
> >> Please excuse the brevity
> >> 
> >> On Feb 16, 2011, at 4:04 PM, "Weir, Jason" 
> >> <jason.weir at ...14916...> wrote:
> >> 
> >>> Nigel,
> >>> 
> >>> I changed the rules file name to snortrules-snapshot-edge.tar.gz as
> >>> indicated below and I'm intermittently still getting the 500 error..
> >>> 
> >>> "Error 500 when fetching
> >>> https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at
> >>> /usr/local/bin/pulledpork.pl line 390"
> >>> 
> >>> Just tried it manually and it worked fine...  You guys having a delivery
> >>> problem?
> >>> 
> >>> -J
> >>> 
> >>>> -----Original Message-----
> >>>> From: Nigel Houghton [mailto:nhoughton at ...1935...] 
> >>>> Sent: Wednesday, February 16, 2011 1:38 PM
> >>>> To: Weir, Jason
> >>>> Cc: Snort Users
> >>>> Subject: Re: [Snort-users] Intermittent Pulled Pork Error
> >>>> 
> >>>> 
> >>>> On Wed, 16 Feb 2011 13:32:45 -0500, Nigel Houghton wrote:
> >>>>> On Wed, 16 Feb 2011 13:05:09 -0500, Weir, Jason wrote:
> >>>>>> Doesn't happen all of the time...
> >>>>>> 
> >>>>>> Error 500 when fetching
> >>>>>> https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at
> >>>>>> /usr/local/bin/pulledpork.pl line 390
> >>>>>> 
> >>>>>> -J
> >>>>> 
> >>>>> That's not a PulledPork error, that's a website error. The file isn't
> >>>>> there, which strictly speaking shouldn't be a 500 server error, but
> >>>>> since the application that handles looking for the file can't find it,
> >>>>> the server will return the application error instead of a 404 not found.
> >>>>> 
> >>>>> With that said, I'll forward this to our Snort web team for 
> >>>>> investigation.
> >>>> 
> >>>> Actually, no I won't. After looking at snort.org I see that the 2.9.0.4
> >>>> rule set is not yet available for registered users. So, you'll get a
> >>>> 404 (or 500) for the rules file too.
> >>>> 
> >>>> You can fix this for future use by using
> >>>> snortrules-snapshot-edge.tar.gz as the name of your rules file. That
> >>>> way, you will get the latest version of rules for either registered or
> >>>> subscriber rules automatically. Right now, for registered users this
> >>>> will be a 2.9.0.3 rule set. Which should work with 2.9.0.4.
> >>>> 
> >>>> Now, per the rules of the drinking game, I will be taking a shot or two
> >>>> for replying to my own email.
> >>>> 
> >>>> --
> >>>> Nigel Houghton
> >>>> Head Mentalist
> >>>> SF VRT Department of Intelligence Excellence
> >>>> http://vrt-blog.snort.org/ && http://labs.snort.org/
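
The check-then-download pattern discussed in this thread, with retries on a transient 500, as an added example that is not PulledPork's code and not from any poster. The host name, the function names and `FlakyServer` are assumptions, and the server is a constructed stub so the block runs offline.

```python
import hashlib
import time

# Placeholder host (assumption); the file name is the one suggested in the thread.
RULES_URL = "https://rules.example.invalid/snortrules-snapshot-edge.tar.gz"

def get(fetch, url, attempts=4, delay=0.0):
    """Call fetch(url) -> (status, body); retry 5xx with exponential backoff."""
    for n in range(attempts):
        status, body = fetch(url)
        if status == 200:
            return body
        if status < 500:                     # 4xx: retrying will not help
            raise RuntimeError(f"{status} fetching {url}")
        time.sleep(delay * 2 ** n)           # 5xx: treat as transient
    raise RuntimeError(f"gave up on {url} after {attempts} attempts")

def update(fetch, last_md5, url=RULES_URL):
    """Return (md5, tarball) if the ruleset changed, else (last_md5, None)."""
    remote = get(fetch, url + ".md5").decode().split()[0].lower()
    if remote == last_md5:
        return last_md5, None                # unchanged: skip the tarball
    tarball = get(fetch, url)
    # md5 is used here as the change/corruption check the thread describes.
    if hashlib.md5(tarball).hexdigest() != remote:
        raise ValueError("tarball does not match published md5")
    return remote, tarball

class FlakyServer:
    """Constructed stand-in for the rules site: every other request is a 500."""
    def __init__(self, tarball):
        digest = hashlib.md5(tarball).hexdigest().encode()
        self.files = {RULES_URL: tarball, RULES_URL + ".md5": digest}
        self.requests = []
    def __call__(self, url):
        self.requests.append(url)
        if len(self.requests) % 2 == 1:
            return 500, b""
        return (200, self.files[url]) if url in self.files else (404, b"")

def demo():
    server = FlakyServer(b"constructed ruleset v1")
    md5, data = update(server, last_md5=None)      # first run downloads
    same, nothing = update(server, last_md5=md5)   # later run fetches hash only
    return md5, data, same, nothing, server.requests
```

A frequent cron run then costs only the small `.md5` request, and an intermittent 500 is absorbed by the retry instead of failing the whole update.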

