[Snort-users] Extracting snortrules-2931.tar.gz

Jeremy Hoel jthoel at ...11827...
Tue Oct 9 17:14:31 EDT 2012


Your command is fine, as long as it's on one long line. What's the
output once you enter

'wget http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<your oink code> -O snortrules-2931.tar.gz'

What does it show?

If it shows:

wget http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<your oink code> -O snortrules-2931.tar.gz
--2012-10-09 21:08:57--  http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<your oink code>
Resolving www.snort.org... 23.23.170.170
Connecting to www.snort.org|23.23.170.170|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2012-10-09 21:08:58 ERROR 403: Forbidden.

then that's the problem.  It's forbidden due to a timeout on the oink
code.. it can only be used once in 15 minutes.  You might try getting
a new one and not sharing it on the list since someone else could be
using it.. or you could have another process trying to use it on your
same box.


It should show something like..

wget http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<my code removed> -O snortrules-2931.tar.gz
--2012-10-09 21:11:00--  http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<my code removed>
Resolving www.snort.org... 23.23.170.170
Connecting to www.snort.org|23.23.170.170|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://s3.amazonaws.com/snort-org/www/rules/20120906/snortrules-snapshot-2931.tar.gz?AWSAccessKeyId=AKIAJJSHU7YNPLE5MKOQ&Expires=1349817361&Signature=85H8TzuDRSBsHob9%2BLbqYFdPgAk%3D
[following]
--2012-10-09 21:11:01--
http://s3.amazonaws.com/snort-org/www/rules/20120906/snortrules-snapshot-2931.tar.gz?AWSAccessKeyId=AKIAJJSHU7YNPLE5MKOQ&Expires=1349817361&Signature=85H8TzuDRSBsHob9%2BLbqYFdPgAk%3D
Resolving s3.amazonaws.com... 72.21.203.148
Connecting to s3.amazonaws.com|72.21.203.148|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22471221 (21M) [binary/octet-stream]
Saving to: “snortrules-2931.tar.gz”

19% [==========================>                                ] 4,369,969    187K/s  eta 1m 50s


And finish up at 21 Megs.. then the tar command should work.
2012-10-09 21:13:53 (144 KB/s) - “snortrules-2931.tar.gz” saved [22471221/22471221]

Then you run the tar command.




On Tue, Oct 9, 2012 at 9:05 PM, Akinwale Fasuru <fashman2k1 at ...131...> wrote:
> Hey Jeremy,
> Here is the command I used:
>
> wget http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/3b6de1b425e1a20c6f85e705f3631bc958ad11db -O snortrules-2931.tar.gz
>
> Then I issued this command:
>
> tar xzvf snortrules-2931.tar.gz
>
> Then it came up with this again:
>
> gzip: stdin: not in gzip format
> tar: Child returned status 1
> tar: Error is not recoverable: exiting now
>
> And my internet connection is fine.
>
> Pls what do u think?
>
>
>
> --- On Tue, 10/9/12, Jeremy Hoel <jthoel at ...11827...> wrote:
>
>> From: Jeremy Hoel <jthoel at ...11827...>
>> Subject: Re: [Snort-users] Extracting snortrules-2931.tar.gz
>> To: "AllowOverride" <allowoverride at ...11827...>
>> Cc: "snort-users" <snort-users at lists.sourceforge.net>
>> Date: Tuesday, October 9, 2012, 3:17 PM
>> And like I said in the email before you responded, you can find the
>> file name right from the website.. when you click download rules.
>> http://snort.org/snort-rules/?
>>
>> Snort v2.9
>> MD5 - 09 Oct, 2012
>> snortrules-snapshot-2931.tar.gz
>> MD5 - 09 Oct, 2012
>> snortrules-snapshot-2912.tar.gz
>> MD5 - 09 Oct, 2012
>> snortrules-snapshot-2923.tar.gz
>> MD5 - 09 Oct, 2012
>> snortrules-snapshot-2930.tar.gz
>>
>>
>>
>> It's right there.. you just have to look at the page.
>> Reading is fundamental.
>>
>>
>>
>>
>> On Tue, Oct 9, 2012 at 8:16 PM, AllowOverride <allowoverride at ...11827...> wrote:
>> > we don't know the file name!!! sheshh
>> >
>> > On Tue, 2012-10-09 at 20:02 +0000, Jeremy Hoel wrote:
>> >> The page shows:
>> >>
>> >> wget http://www.snort.org/sub-rules/<filename>/<oinkcode here> \
>> >>              -O <output-filename>
>> >>
>> >>
>> >> It's pretty clear.  Put the proper, correct, current filename where it
>> >> says filename and things work.  They shouldn't have to hold hands and
>> >> walk through the whole thing.
>> >>
>> >> When you try and use examples you have to expect and realize that the
>> >> example might be out of date and maybe try and figure out what it
>> >> might take to make it work.
>> >>
>> >>
>> >>
>> >> On Tue, Oct 9, 2012 at 7:51 PM, AllowOverride <allowoverride at ...11827...> wrote:
>> >> > when i say something doesn't work, i mean, it doesn't work:
>> >> >
>> >> > wget http://www.snort.org/sub-rules/snortrules-snapshot-2900.tar.gz/hidden-sorry
>> >> > --2012-10-09 12:44:42--  http://www.snort.org/sub-rules/snortrules-snapshot-2900.tar.gz/hidden-sorry
>> >> > Resolving www.snort.org... 23.23.170.170
>> >> > Connecting to www.snort.org|23.23.170.170|:80... connected.
>> >> > HTTP request sent, awaiting response... 403 Forbidden
>> >> > 2012-10-09 12:44:42 ERROR 403: Forbidden.
>> >> >
>> >> > wget http://www.snort.org/reg-rules/snortrules-snapshot-2900.tar.gz/sorry-hidden
>> >> > --2012-10-09 12:45:54--  http://www.snort.org/reg-rules/snortrules-snapshot-2900.tar.gz/sorry-hidden
>> >> > Resolving www.snort.org... 23.23.143.143
>> >> > Connecting to www.snort.org|23.23.143.143|:80... connected.
>> >> > HTTP request sent, awaiting response... 403 Forbidden
>> >> > 2012-10-09 12:45:56 ERROR 403: Forbidden.
>> >> >
>> >> > and just for good measure
>> >> >
>> >> > wget http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/sorry-hidden
>> >> > --2012-10-09 12:47:03--  http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/hidden-again
>> >> > Resolving www.snort.org... 23.23.170.170
>> >> > Connecting to www.snort.org|23.23.170.170|:80... connected.
>> >> > HTTP request sent, awaiting response... 403 Forbidden
>> >> > 2012-10-09 12:47:04 ERROR 403: Forbidden.
>> >> >
>> >> >
>> >> > now. the last one shouldn't work, becuz i'm not a register user
>> >> > the sub rules works if you know what you are doing...
>> >> >
>> >> > If you include 2931 in place of 2900 it will work, only if you are in the
>> >> > system for oinkcode. BUT, that is not what is autopopulated for you on
>> >> > the oinkcode page. it says, 2900. it won't work.
>> >> >
>> >> > all i am saying fix is, change it to reflect the CURRENT version. that's
>> >> > all. not everyone will catch it, and ya know, end up asking the question
>> >> > here.
>> >> >
>> >> > let's let the developers put the current version as well. takes what, 2
>> >> > seconds and saves users HOURS of wtf.. headaches...
>> >> >
>> >> > thanks
>> >> >
>> >> >
>> >> >
>> >> > On Tue, 2012-10-09 at 19:19 +0000, Jeremy Hoel wrote:
>> >> >> The link he was using worked fine for me. I tested the get and got the
>> >> >> rules with no problem.. with the link he had. His problem is not
>> >> >> related to a bad link.
>> >> >>
>> >> >> The examples show that you need a file name
>> >> >> (http://snort.org/snort-rules/cli) and when you go to the page before,
>> >> >> the main download page (http://snort.org/snort-rules/?), it shows the
>> >> >> file names. They are not trying to make this overly confusing and
>> >> >> hard.. but it does require some effort and understanding on the
>> >> >> installer's part. Or, you could sign in and grab them from the gui, or
>> >> >> use pullpork.  3 different methods to get the rules..
>> >> >>
>> >> >> The examples are generic enough that they don't have to change
>> >> >> whenever the rule file changes.  Let's let the developers work on
>> >> >> keeping the software fixed and not worry about the web page not having
>> >> >> the most specific instructions.
>> >> >>
>> >> >>
>> >> >> On Tue, Oct 9, 2012 at 7:12 PM, AllowOverride <allowoverride at ...11827...> wrote:
>> >> >> > jer,
>> >> >> > i tried the preferred method displayed on oinkcode page.
>> >> >> > it doesn't work for sub/reg unless you know to put 2931. also, other
>> >> >> > methods of wget'ing the url according to docs are supposed to work but
>> >> >> > do not, unless know the exact file name, and that's not always easy to
>> >> >> > find on the ftp site, or by other methods.
>> >> >> >
>> >> >> > just a heads up, that kept me off task for a few days trying to figure
>> >> >> > it out.
>> >> >> >
>> >> >> > suggestion... fix the examples on the oinkcode page.
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > On Tue, 2012-10-09 at 17:12 +0000, Jeremy Hoel wrote:
>> >> >> >> The answer is in the text file that you sent back.
>> >> >> >>
>> >> >> >> 2012-10-04 14:07:24 ERROR 403: Forbidden.
>> >> >> >>
>> >> >> >> so however you tried to get the file, it didn't work.  If you used
>> >> >> >> wget and an oink code then you need to check the code.
>> >> >> >>
>> >> >> >>
>> >> >> >> On Tue, Oct 9, 2012 at 4:59 PM, Akinwale Fasuru <fashman2k1 at ...131...> wrote:
>> >> >> >> > Here is what i gath after running cat....
>> >> >> >> >
>> >> >> >> > --2012-10-04 14:07:23--  http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/3b6de1b425e1a20c6f85e705f3631bc958ad11db
>> >> >> >> > Resolving www.snort.org... 23.23.170.170
>> >> >> >> > Connecting to www.snort.org|23.23.170.170|:80... connected.
>> >> >> >> > HTTP request sent, awaiting response... 403 Forbidden
>> >> >> >> > 2012-10-04 14:07:24 ERROR 403: Forbidden.
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > What do u think?
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > --- On Tue, 10/9/12, Jeremy Hoel <jthoel at ...11827...> wrote:
>> >> >> >> >
>> >> >> >> >> From: Jeremy Hoel <jthoel at ...11827...>
>> >> >> >> >> Subject: Re: [Snort-users] Extracting snortrules-2931.tar.gz
>> >> >> >> >> To: "Akinwale Fasuru" <fashman2k1 at ...131...>
>> >> >> >> >> Cc: snort-users at lists.sourceforge.net
>> >> >> >> >> Date: Tuesday, October 9, 2012, 11:53 AM
>> >> >> >> >> to check the size of a file, go to the directory where the file is and
>> >> >> >> >> run 'ls -al'.
>> >> >> >> >>
>> >> >> >> >> But since 'file' said it's text and not a tar.gz or zip file, then
>> >> >> >> >> that's the problem.  Your download is not correct.
>> >> >> >> >>
>> >> >> >> >> go ahead and run 'cat snortrules-2931.tar.gz'
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> On Tue, Oct 9, 2012 at 4:50 PM, Akinwale Fasuru <fashman2k1 at ...131...> wrote:
>> >> >> >> >> > I replied the email you sent earlier saying that I didn't know how to check
>> >> >> >> >> > for the size of the file. But I did run the command u asked me, here is the response
>> >> >> >> >> >
>> >> >> >> >> > snortrules-2931.tar.gz: ASCII text
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> > --- On Tue, 10/9/12, Jeremy Hoel <jthoel at ...11827...> wrote:
>> >> >> >> >> >
>> >> >> >> >> >> From: Jeremy Hoel <jthoel at ...11827...>
>> >> >> >> >> >> Subject: Re: [Snort-users] Extracting snortrules-2931.tar.gz
>> >> >> >> >> >> To: "Akinwale Fasuru" <fashman2k1 at ...131...>
>> >> >> >> >> >> Cc: snort-users at lists.sourceforge.net
>> >> >> >> >> >> Date: Tuesday, October 9, 2012, 11:46 AM
>> >> >> >> >> >> You never got back to me about the size of the file and if the file
>> >> >> >> >> >> was complete.
>> >> >> >> >> >>
>> >> >> >> >> >> the error makes it sound like it's not a tar.gz file.
>> >> >> >> >> >>
>> >> >> >> >> >> you need to verify you got the whole file and that it's not
>> >> >> >> >> >> just a text error.
>> >> >> >> >> >>
>> >> >> >> >> >> run 'file snortrules-2931.tar.gz' and see what it says.
>> >> >> >> >> >>
>> >> >> >> >> >> On Tue, Oct 9, 2012 at 4:29 PM, Akinwale Fasuru <fashman2k1 at ...131...> wrote:
>> >> >> >> >> >> > Hello everyone,
>> >> >> >> >> >> >  I am still having problems extracting snortrules-2931.tar.gz
>> >> >> >> >> >> >
>> >> >> >> >> >> > tar -xzvf snortrules-2931.tar.gz
>> >> >> >> >> >> >> I get this error message
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> zip: stdin: not in gzip format
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> tar: Child returned status 1
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> tar: Error is not recoverable: exiting now
>> >> >> >> >> >> >
>> >> >> >> >> >> >
>> >> >> >> >> >> > ------------------------------------------------------------------------------
>> >> >> >> >> >> > Don't let slow site performance ruin your business. Deploy New Relic APM
>> >> >> >> >> >> > Deploy New Relic app performance management and know exactly
>> >> >> >> >> >> > what is happening inside your Ruby, Python, PHP, Java, and .NET app
>> >> >> >> >> >> > Try New Relic at no cost today and get our sweet Data Nerd shirt too!
>> >> >> >> >> >> > http://p.sf.net/sfu/newrelic-dev2dev
>> >> >> >> >> >> > _______________________________________________
>> >> >> >> >> >> > Snort-users mailing list
>> >> >> >> >> >> > Snort-users at lists.sourceforge.net
>> >> >> >> >> >> > Go to this URL to change user options or unsubscribe:
>> >> >> >> >> >> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> >> >> >> >> > Snort-users list archive:
>> >> >> >> >> >> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >> >> >> >> >> >
>> >> >> >> >> >> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> >> >> >> >> >>
>> >> >> >> >>
>> >> >> >
>> >> >
>> >
>>
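
The checks suggested in this thread ('ls -al' for size, 'file' for type, then tar) can be run in one step before extracting. This is an added example, not part of the original message; the function name, return codes and demo files are constructed for illustration, and it assumes GNU md5sum for the optional MD5 comparison against the value published on the download page.

```shell
#!/bin/sh
# Validate a downloaded rules archive before handing it to tar.
# Return codes (chosen for this example):
#   0 ok, 1 missing or empty, 2 not gzip (saved error page or wget log),
#   3 truncated or corrupt gzip, 4 MD5 mismatch.
check_rules_archive() {
    archive=$1
    expected_md5=${2:-}   # optional: MD5 shown next to the file on the download page

    # Same question as 'ls -al': is there any data at all?
    [ -s "$archive" ] || return 1

    # Same question as 'file': gzip data starts with bytes 1f 8b,
    # while a 403 response body or a wget log is plain text.
    magic=$(head -c 2 "$archive" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "1f8b" ] || return 2

    # A full integrity test catches a download that stopped part-way.
    gzip -t "$archive" 2>/dev/null || return 3

    if [ -n "$expected_md5" ]; then
        actual=$(md5sum "$archive" | cut -d' ' -f1)
        [ "$actual" = "$expected_md5" ] || return 4
    fi
    return 0
}

# Demo on constructed inputs (placeholder content, not real Snort rules).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/rules" && echo '# placeholder rule file' > "$tmp/rules/local.rules"
    tar -czf "$tmp/good.tar.gz" -C "$tmp" rules
    printf 'HTTP request sent, awaiting response... 403 Forbidden\n' > "$tmp/bad.tar.gz"
    head -c 20 "$tmp/good.tar.gz" > "$tmp/short.tar.gz"

    for f in good bad short; do
        rc=0
        check_rules_archive "$tmp/$f.tar.gz" || rc=$?
        echo "$f.tar.gz -> $rc"
    done
    rm -rf "$tmp"
}
demo
```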



