[Snort-users] Intermittent Pulled Pork Error

JJ Cummings cummingsj at ...11827...
Thu Feb 17 12:35:18 EST 2011


That is correct, md5 check then download or not, depending on hash change... As to the intermittent failures, I don't see what could be causing this in PP but if we can get the extra verbose output, might prove useful... (-vv)

Sent from the iRoad

On Feb 17, 2011, at 5:29, "Weir, Jason" <jason.weir at ...14916...> wrote:

> Unless I'm incorrect - I'm only pulling rules when the md5 hash file has
> changed... I do have PP checking every couple hours (cron) for an
> updated md5.
> 
> I know that's way more often then you push updates, but it should have
> no effect on the file availability...
> 
> FYI - overnight PP fetching the 2.9.0.4 rules failed half the time,
> another sensor still using oinkmaster fetching the 2.8.6.1 rules worked
> without error every time..
> 
> So maybe this is a PP problem???
> 
> -J
> 
>> -----Original Message-----
>> From: Joel Esler [mailto:jesler at ...1935...] 
>> Sent: Wednesday, February 16, 2011 10:04 PM
>> To: Weir, Jason
>> Cc: Nigel Houghton; Snort Users
>> Subject: Re: [Snort-users] Intermittent Pulled Pork Error
>> 
>> 
>> We shouldn't. We've notified the web-team. How often are you 
>> trying to pull rule updates?  Just out of curiosity. 
>> 
>> -- 
>> Sent from my iPad
>> Please excuse the brevity
>> 
>> On Feb 16, 2011, at 4:04 PM, "Weir, Jason" 
>> <jason.weir at ...14916...> wrote:
>> 
>>> Nigel,
>>> 
>>> I changed the rules file name to snortrules-snapshot-edge.tar.gz as
>>> indicated below and I'm intermittently still getting the 500 error..
>>> 
>>> "Error 500 when fetching
>>> 
>> https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at
>>> /usr/local/bin/pulledpork.pl line 390"
>>> 
>>> Just tried it manually and it worked fine...  You guys 
>> having a delivery
>>> problem?
>>> 
>>> -J
>>> 
>>>> -----Original Message-----
>>>> From: Nigel Houghton [mailto:nhoughton at ...1935...] 
>>>> Sent: Wednesday, February 16, 2011 1:38 PM
>>>> To: Weir, Jason
>>>> Cc: Snort Users
>>>> Subject: Re: [Snort-users] Intermittent Pulled Pork Error
>>>> 
>>>> 
>>>> On Wed, 16 Feb 2011 13:32:45 -0500, Nigel Houghton wrote:
>>>>> On Wed, 16 Feb 2011 13:05:09 -0500, Weir, Jason wrote:
>>>>>> Doesn't happen all of the time...
>>>>>> 
>>>>>> Error 500 when fetching
>>>>>> 
>>>> 
>> https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at
>>>>>> /usr/local/bin/pulledpork.pl line 390
>>>>>> 
>>>>>> -J
>>>>> 
>>>>> That's not a PulledPork error, that's a website error. The 
>>>> file isn't 
>>>>> there, which strictly speaking shouldn't be a 500 server 
>> error, but 
>>>>> since the application that handles looking for the file 
>>>> can't find it, 
>>>>> the server will return the application error instead of a 
>>>> 404 not found.
>>>>> 
>>>>> With that said, I'll forward this to our Snort web team for 
>>>>> investigation.
>>>> 
>>>> Actually, no I won't. After looking at snort.org I see that 
>>>> the 2.9.0.4 
>>>> rule set is not yet available for registered users. So, 
>> you'll get a 
>>>> 404 (or 500) for the rules file too.
>>>> 
>>>> You can fix this for future use by using 
>>>> snortrules-snapshot-edge.tar.gz as the name of your rules 
>> file. That 
>>>> way, you will get the latest version of rules for either 
>>>> registered or 
>>>> subscriber rules automatically. Right now, for registered 
>> users this 
>>>> will be a 2.9.0.3 rule set. Which should work with 2.9.0.4.
>>>> 
>>>> Now, per the rules of the drinking game, I will be taking a 
>>>> shot or two 
>>>> for replying to my own email.
>>>> 
>>>> --
>>>> Nigel Houghton
>>>> Head Mentalist
>>>> SF VRT Department of Intelligence Excellence
>>>> http://vrt-blog.snort.org/ && http://labs.snort.org/
> 
> 
> _____________________________________________________________________________________________
> 
> Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development cycle.
> Locate bottlenecks in serial and parallel code that limit performance.
> http://p.sf.net/sfu/intel-dev2devfeb
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list