[Snort-users] Intermittent Pulled Pork Error

Joel Esler jesler at ...1935...
Thu Feb 17 10:46:57 EST 2011


Yup.. I agree.  Was just trying to make your life easier.

As Nigel said before tho, we've forwarded this over to our web-team for them to look at.

Joel

On Feb 17, 2011, at 10:37 AM, Weir, Jason wrote:

> Thanks Joel...
> 
> I'd prefer updates as soon as they are available (within a couple hours
> at least) without manual intervention - thus the frequent checking via
> cron.
> 
> The hash file is less than 1K - I would suspect I could check it on the
> minute and not overload the cloud...
> 
> -J
> 
>> -----Original Message-----
>> From: Joel Esler [mailto:jesler at ...1935...] 
>> Sent: Thursday, February 17, 2011 10:29 AM
>> To: Weir, Jason
>> Cc: Nigel Houghton; Snort Users
>> Subject: Re: [Snort-users] Intermittent Pulled Pork Error
>> 
>> 
>> I'll let JJ address the PP area,
>> 
>> However, you are correct.  One of the advantages of 
>> PulledPork is that it checks the md5 to see if there is a 
>> difference in the ruleset before an attempted download.
>> 
>> My reason for asking is because we generally only release 
>> rules, probably twice a week.  (sometimes more, depending on 
>> what's going on)
>> 
>> Joel
>> 
>> On Feb 17, 2011, at 8:29 AM, Weir, Jason wrote:
>> 
>>> Unless I'm incorrect - I'm only pulling rules when the md5 hash file has
>>> changed... I do have PP checking every couple hours (cron) for an
>>> updated md5.
>>> 
>>> I know that's way more often than you push updates, but it should have
>>> no effect on the file availability...
>>> 
>>> FYI - overnight PP fetching the 2.9.0.4 rules failed half the time,
>>> another sensor still using oinkmaster fetching the 2.8.6.1 rules worked
>>> without error every time..
>>> 
>>> So maybe this is a PP problem???
>>> 
>>> -J
>>> 
>>>> -----Original Message-----
>>>> From: Joel Esler [mailto:jesler at ...1935...] 
>>>> Sent: Wednesday, February 16, 2011 10:04 PM
>>>> To: Weir, Jason
>>>> Cc: Nigel Houghton; Snort Users
>>>> Subject: Re: [Snort-users] Intermittent Pulled Pork Error
>>>> 
>>>> 
>>>> We shouldn't. We've notified the web-team. How often are you 
>>>> trying to pull rule updates?  Just out of curiosity. 
>>>> 
>>>> -- 
>>>> Sent from my iPad
>>>> Please excuse the brevity
>>>> 
>>>> On Feb 16, 2011, at 4:04 PM, "Weir, Jason" 
>>>> <jason.weir at ...14916...> wrote:
>>>> 
>>>>> Nigel,
>>>>> 
>>>>> I changed the rules file name to snortrules-snapshot-edge.tar.gz as
>>>>> indicated below and I'm intermittently still getting the 500 error..
>>>>> 
>>>>> "Error 500 when fetching
>>>>> https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at
>>>>> /usr/local/bin/pulledpork.pl line 390"
>>>>> 
>>>>> Just tried it manually and it worked fine...  You guys having a delivery
>>>>> problem?
>>>>> 
>>>>> -J
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: Nigel Houghton [mailto:nhoughton at ...1935...] 
>>>>>> Sent: Wednesday, February 16, 2011 1:38 PM
>>>>>> To: Weir, Jason
>>>>>> Cc: Snort Users
>>>>>> Subject: Re: [Snort-users] Intermittent Pulled Pork Error
>>>>>> 
>>>>>> 
>>>>>> On Wed, 16 Feb 2011 13:32:45 -0500, Nigel Houghton wrote:
>>>>>>> On Wed, 16 Feb 2011 13:05:09 -0500, Weir, Jason wrote:
>>>>>>>> Doesn't happen all of the time...
>>>>>>>> 
>>>>>>>> Error 500 when fetching
>>>>>>>> https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at
>>>>>>>> /usr/local/bin/pulledpork.pl line 390
>>>>>>>> 
>>>>>>>> -J
>>>>>>> 
>>>>>>> That's not a PulledPork error, that's a website error. The file isn't
>>>>>>> there, which strictly speaking shouldn't be a 500 server error, but
>>>>>>> since the application that handles looking for the file can't find it,
>>>>>>> the server will return the application error instead of a 404 not found.
>>>>>>> 
>>>>>>> With that said, I'll forward this to our Snort web team for 
>>>>>>> investigation.
>>>>>> 
>>>>>> Actually, no I won't. After looking at snort.org I see that the 2.9.0.4
>>>>>> rule set is not yet available for registered users. So, you'll get a
>>>>>> 404 (or 500) for the rules file too.
>>>>>> 
>>>>>> You can fix this for future use by using snortrules-snapshot-edge.tar.gz
>>>>>> as the name of your rules file. That way, you will get the latest version
>>>>>> of rules for either registered or subscriber rules automatically. Right
>>>>>> now, for registered users this will be a 2.9.0.3 rule set. Which should
>>>>>> work with 2.9.0.4.
>>>>>> 
>>>>>> Now, per the rules of the drinking game, I will be taking a shot or two
>>>>>> for replying to my own email.
>>>>>> 
>>>>>> --
>>>>>> Nigel Houghton
>>>>>> Head Mentalist
>>>>>> SF VRT Department of Intelligence Excellence
>>>>>> http://vrt-blog.snort.org/ && http://labs.snort.org/

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
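
Added example, not part of the original thread and not PulledPork's own code: the hash-first polling discussed above, written in Python with retry and backoff so an intermittent HTTP 500 on the .md5 file does not fail the whole cron run. The function names, retry counts and the assumed .md5 layout (first token is the hex digest) are illustrative assumptions; flaky_server is a constructed test double.

```python
import hashlib
import time
import urllib.error
import urllib.request

def http_get(url, timeout=30):
    """Real fetcher: return (status, body); HTTP errors become a status code."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""

def fetch_with_retry(url, fetch=http_get, attempts=4, base_delay=2.0, sleep=time.sleep):
    """Retry transient 5xx replies with exponential backoff; fail fast on 4xx."""
    for attempt in range(attempts):
        status, body = fetch(url)
        if status == 200:
            return body
        if status < 500:
            raise RuntimeError(f"{url}: HTTP {status}, not retrying")
        if attempt < attempts - 1:
            sleep(base_delay * 2 ** attempt)
    raise RuntimeError(f"{url}: HTTP {status} after {attempts} attempts")

def update_rules(rules_url, stored_md5, fetch=http_get, sleep=time.sleep):
    """Return (md5, tarball) if the published hash changed, else (stored_md5, None)."""
    tokens = fetch_with_retry(rules_url + ".md5", fetch, sleep=sleep).decode("ascii").split()
    if not tokens:
        raise RuntimeError("empty md5 file")
    published = tokens[0].lower()  # assumption: first token is the hex digest
    if published == stored_md5:
        return stored_md5, None  # unchanged: only the small hash file was fetched
    tarball = fetch_with_retry(rules_url, fetch, sleep=sleep)
    # Detects a truncated or mismatched download; MD5 is not a tamper-proof signature.
    if hashlib.md5(tarball).hexdigest() != published:
        raise RuntimeError("ruleset does not match the published md5")
    return published, tarball

def flaky_server(files, failures):
    """Constructed test double: answers 500 `failures` times per URL, then 200/404."""
    seen = {}
    def fetch(url):
        seen[url] = seen.get(url, 0) + 1
        if seen[url] <= failures:
            return 500, b""
        return (200, files[url]) if url in files else (404, b"")
    return fetch
```

A cron job would call update_rules with the hash saved by the previous run and store the returned hash for the next one.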




