[Snort-users] Extracting snortrules-2931.tar.gz

Joel Esler jesler at ...1935...
Tue Oct 9 20:56:11 EDT 2012


I'll get this fixed. 

Sent from my iPhone

On Oct 9, 2012, at 8:41 PM, AllowOverride <allowoverride at ...11827...> wrote:

> i am referring to this page:
> 
> https://www.snort.org/account/oinkcode
> 
> it's NOT right there for you, it says 2900.
> i see what you are talking about, but others surely won't...
> 
> the process is, you read the config, you substitute what is displayed on
> that link. it won't work, UNLESS you know the file name, by clicking
> a diff page on snort.org. sorry, but i didn't see that page until much
> later, the one you referred to. so when someone updates the page, i
> figure, in case someone takes the same path i do, and copies the link as
> is, with their oinkcode attached, which logically you would do at first
> glance, as you are using it for pulledpork.conf. this discussion is the
> result.
> 
> i figure if they update the page you found first time, with 2931, so
> that we can cut paste it, to use with pp.pl, then there will be no
> problems. that's all, nothing more,
> 
> On Tue, 2012-10-09 at 20:17 +0000, Jeremy Hoel wrote:
>> And like i said in the email before you responded, you can find the
>> file name right from the website.. when you click download rules.
>> http://snort.org/snort-rules/?
>> 
>> Snort v2.9
>> MD5 - 09 Oct, 2012
>> snortrules-snapshot-2931.tar.gz
>> MD5 - 09 Oct, 2012
>> snortrules-snapshot-2912.tar.gz
>> MD5 - 09 Oct, 2012
>> snortrules-snapshot-2923.tar.gz
>> MD5 - 09 Oct, 2012
>> snortrules-snapshot-2930.tar.gz
>> 
>> 
>> 
>> It's right there.. you just have to look at the page.  Reading is fundamental.
>> 
>> 
>> 
>> 
>> On Tue, Oct 9, 2012 at 8:16 PM, AllowOverride <allowoverride at ...11827...> wrote:
>>> we don't know the file name!!! sheesh
>>> 
>>> On Tue, 2012-10-09 at 20:02 +0000, Jeremy Hoel wrote:
>>>> The page shows:
>>>> 
>>>> wget http://www.snort.org/sub-rules/<filename>/<oinkcode here> \
>>>>             -O <output-filename>
>>>> 
>>>> 
>>>> It's pretty clear.  put the proper, correct, current filename where it
>>>> says filename and things work.  They shouldn't have to hold hands and
>>>> walk through the whole thing.
>>>> 
>>>> When you try and use examples you have to expect and realize that the
>>>> example might be out of date and maybe try and figure out what it
>>>> might take to make it work.
>>>> 
>>>> 
>>>> 
>>>> On Tue, Oct 9, 2012 at 7:51 PM, AllowOverride <allowoverride at ...14459.....> wrote:
>>>>> when i say something doesn't work, i mean, it doesn't work:
>>>>> 
>>>>> wget
>>>>> http://www.snort.org/sub-rules/snortrules-snapshot-2900.tar.gz/hidden-sorry
>>>>> --2012-10-09 12:44:42--  http://www.snort.org/sub-rules/snortrules-snapshot-2900.tar.gz/hidden-sorry
>>>>> Resolving www.snort.org... 23.23.170.170
>>>>> Connecting to www.snort.org|23.23.170.170|:80... connected.
>>>>> HTTP request sent, awaiting response... 403 Forbidden
>>>>> 2012-10-09 12:44:42 ERROR 403: Forbidden.
>>>>> 
>>>>> wget
>>>>> http://www.snort.org/reg-rules/snortrules-snapshot-2900.tar.gz/sorry-hidden
>>>>> --2012-10-09 12:45:54--
>>>>> http://www.snort.org/reg-rules/snortrules-snapshot-2900.tar.gz/sorry-hidden
>>>>> Resolving www.snort.org... 23.23.143.143
>>>>> Connecting to www.snort.org|23.23.143.143|:80... connected.
>>>>> HTTP request sent, awaiting response... 403 Forbidden
>>>>> 2012-10-09 12:45:56 ERROR 403: Forbidden.
>>>>> 
>>>>> and just for good measure
>>>>> 
>>>>> wget
>>>>> http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/sorry-hidden
>>>>> --2012-10-09 12:47:03--
>>>>> http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/hidden-again
>>>>> Resolving www.snort.org... 23.23.170.170
>>>>> Connecting to www.snort.org|23.23.170.170|:80... connected.
>>>>> HTTP request sent, awaiting response... 403 Forbidden
>>>>> 2012-10-09 12:47:04 ERROR 403: Forbidden.
>>>>> 
>>>>> 
>>>>> now. the last one shouldn't work, because i'm not a registered user
>>>>> the sub rules works if you know what you are doing...
>>>>> 
>>>>> If you include 2931 in place of 2900 it will work, only if you are in the
>>>>> system for oinkcode. BUT, that is not what is autopopulated for you on
>>>>> the oinkcode page. it says, 2900. it won't work.
>>>>> 
>>>>> all i am saying fix is, change it to reflect the CURRENT version. that's
>>>>> all. not everyone will catch it, and ya know, end up asking the question
>>>>> here.
>>>>> 
>>>>> let's let the developers put the current version as well. takes what, 2
>>>>> seconds and saves users HOURS of wtf.. headaches...
>>>>> 
>>>>> thanks
>>>>> 
>>>>> 
>>>>> 
>>>>> On Tue, 2012-10-09 at 19:19 +0000, Jeremy Hoel wrote:
>>>>>> The link he was using worked fine for me. I tested the get and got the
>>>>>> rules with no problem.. with the link he had. His problem is not
>>>>>> related to a bad link.
>>>>>> 
>>>>>> The examples show that you need a file name
>>>>>> (http://snort.org/snort-rules/cli) and when you go to the page before,
>>>>>> the main download page (http://snort.org/snort-rules/?), it shows the
>>>>>> file names. They are not trying to make this overly confusing and
>>>>>> hard.. but it does require some effort and understanding on the
>>>>>> installer's part. Or, you could sign in and grab them from the gui, or
>>>>>> use pulledpork.  3 different methods to get the rules..
>>>>>> 
>>>>>> The examples are generic enough that they don't have to change
>>>>>> whenever the rule file changes.  Let's let the developers work on
>>>>>> keeping the software fixed and not worry about the web page not having
>>>>>> the most specific instructions.
>>>>>> 
>>>>>> 
>>>>>> On Tue, Oct 9, 2012 at 7:12 PM, AllowOverride <allowoverride at ...13610...7...> wrote:
>>>>>>> jer,
>>>>>>> i tried the preferred method displayed on oinkcode page.
>>>>>>> it doesn't work for sub/reg unless you know to put 2931. also, other
>>>>>>> methods of wget'ing the url according to docs are supposed to work but
>>>>>>> do not, unless you know the exact file name, and that's not always easy to
>>>>>>> find on the ftp site, or by other methods.
>>>>>>> 
>>>>>>> just a heads up, that kept me off task for a few days trying to figure
>>>>>>> it out.
>>>>>>> 
>>>>>>> suggestion... fix the examples on the oinkcode page.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On Tue, 2012-10-09 at 17:12 +0000, Jeremy Hoel wrote:
>>>>>>>> The answer is in the text file that you sent back.
>>>>>>>> 
>>>>>>>> 2012-10-04 14:07:24 ERROR 403: Forbidden.
>>>>>>>> 
>>>>>>>> so however you tried to get the file, it didn't work.  If you used
>>>>>>>> wget and an oink code then you need to check the code.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On Tue, Oct 9, 2012 at 4:59 PM, Akinwale Fasuru <fashman2k1 at ...3112......> wrote:
>>>>>>>>> Here is what i got after running cat....
>>>>>>>>> 
>>>>>>>>> --2012-10-04 14:07:23--  http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/3b6de1b425e1a20c6f85e705f3631bc958ad11db
>>>>>>>>> Resolving www.snort.org... 23.23.170.170
>>>>>>>>> Connecting to www.snort.org|23.23.170.170|:80... connected.
>>>>>>>>> HTTP request sent, awaiting response... 403 Forbidden
>>>>>>>>> 2012-10-04 14:07:24 ERROR 403: Forbidden.
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> What do u think?
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> --- On Tue, 10/9/12, Jeremy Hoel <jthoel at ...11827...> wrote:
>>>>>>>>> 
>>>>>>>>>> From: Jeremy Hoel <jthoel at ...11827...>
>>>>>>>>>> Subject: Re: [Snort-users] Extracting snortrules-2931.tar.gz
>>>>>>>>>> To: "Akinwale Fasuru" <fashman2k1 at ...131...>
>>>>>>>>>> Cc: snort-users at lists.sourceforge.net
>>>>>>>>>> Date: Tuesday, October 9, 2012, 11:53 AM
>>>>>>>>>> to check the size of a file, go to the directory where the file is and
>>>>>>>>>> run 'ls -al'.
>>>>>>>>>> 
>>>>>>>>>> But since 'file' said it's text and not a tar.gz or zip file, then
>>>>>>>>>> that's the problem.  Your download is not correct.
>>>>>>>>>> 
>>>>>>>>>> go ahead and run 'cat snortrules-2931.tar.gz'
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> On Tue, Oct 9, 2012 at 4:50 PM, Akinwale Fasuru <fashman2k1 at ...391...31...> wrote:
>>>>>>>>>>> I replied to the email you sent earlier saying that i didn't know how
>>>>>>>>>>> to check for the size of the file. But i did run the command u asked
>>>>>>>>>>> me, here is the response
>>>>>>>>>>> 
>>>>>>>>>>> snortrules-2931.tar.gz: ASCII text
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> --- On Tue, 10/9/12, Jeremy Hoel <jthoel at ...11827...> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> From: Jeremy Hoel <jthoel at ...11827...>
>>>>>>>>>>>> Subject: Re: [Snort-users] Extracting snortrules-2931.tar.gz
>>>>>>>>>>>> To: "Akinwale Fasuru" <fashman2k1 at ...131...>
>>>>>>>>>>>> Cc: snort-users at lists.sourceforge.net
>>>>>>>>>>>> Date: Tuesday, October 9, 2012, 11:46 AM
>>>>>>>>>>>> You never got back to me about the size of the file and if the file
>>>>>>>>>>>> was complete.
>>>>>>>>>>>> 
>>>>>>>>>>>> the error makes it sound like it's not a tar.gz file.
>>>>>>>>>>>> 
>>>>>>>>>>>> you need to verify you got the whole file and that it's not
>>>>>>>>>>>> just a text error.
>>>>>>>>>>>> 
>>>>>>>>>>>> run 'file snortrules-2931.tar.gz' and see what it says.
>>>>>>>>>>>> 
>>>>>>>>>>>> On Tue, Oct 9, 2012 at 4:29 PM, Akinwale Fasuru <fashman2k1 at ...131...> wrote:
>>>>>>>>>>>>> Hello everyone,
>>>>>>>>>>>>> I am still having problems extracting snortrules-2931.tar.gz
>>>>>>>>>>>>> 
>>>>>>>>>>>>> tar -xzvf snortrules-2931.tar.gz
>>>>>>>>>>>>>> I get this error message
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> zip: stdin: not in gzip format
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> tar: Child returned status 1
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> tar: Error is not recoverable: exiting now
>>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>>> Don't let slow site performance ruin your business. Deploy New Relic APM
>>>>>>>>>>>>> Deploy New Relic app performance management and know exactly
>>>>>>>>>>>>> what is happening inside your Ruby, Python, PHP, Java, and .NET app
>>>>>>>>>>>>> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
>>>>>>>>>>>>> http://p.sf.net/sfu/newrelic-dev2dev
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> Snort-users mailing list
>>>>>>>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>>>>>>>> Snort-users list archive:
>>>>>>>>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>>>>>>> 
> 
> 
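
The failure diagnosed in this thread (a file named .tar.gz that 'file' reports as ASCII text because the request came back 403 Forbidden) can be caught before tar ever runs. The script below is an added example, not part of the original messages: verify_snapshot and fetch_snapshot are hypothetical helper names, and the optional MD5 argument assumes the value is copied by hand from the download page.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): check a downloaded rules snapshot
# before extracting it.

# verify_snapshot FILE [EXPECTED_MD5]
#   0 = gzip-compressed tar archive (and MD5 matches, when one is given)
#   1 = file missing or empty
#   2 = not gzip at all, e.g. saved error text as in the thread
#   3 = gzip magic present but stream corrupt/truncated, or not a tar archive
#   4 = MD5 differs from the expected value
verify_snapshot() {
    local file="$1" expected="${2:-}" magic actual
    [ -s "$file" ] || return 1

    # Every gzip stream starts with the bytes 1f 8b.
    magic=$(head -c 2 "$file" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "1f8b" ] || return 2

    # Decompress the whole stream, then confirm tar can list its members.
    gzip -t "$file" 2>/dev/null || return 3
    tar -tzf "$file" >/dev/null 2>&1 || return 3

    if [ -n "$expected" ]; then
        actual=$(md5sum "$file" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || return 4
    fi
    return 0
}

# fetch_snapshot URL OUTFILE [EXPECTED_MD5]
# Downloads to a temporary name and renames only after verification, so an
# error body never ends up on disk under the *.tar.gz name.
# Usage (placeholders as on the snort.org page):
#   fetch_snapshot "http://www.snort.org/sub-rules/<filename>/<oinkcode>" rules.tar.gz
fetch_snapshot() {
    local url="$1" out="$2" expected="${3:-}" tmp rc=0
    tmp=$(mktemp "${out}.part.XXXXXX") || return 5
    if ! wget -q -O "$tmp" "$url"; then   # wget exits non-zero on a 403
        rm -f "$tmp"
        return 5
    fi
    verify_snapshot "$tmp" "$expected" || rc=$?
    if [ "$rc" -eq 0 ]; then mv "$tmp" "$out"; else rm -f "$tmp"; fi
    return "$rc"
}
```

A return code of 2 from verify_snapshot corresponds to the "ASCII text" result in the thread; the URL and oinkcode are then the things to check, not the tar command.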



