[Snort-users] 403 Error when attempting to pull rules using Pulled-Pork

Tamara Fisher tammi888 at ...11827...
Wed Feb 20 08:56:21 EST 2013


Thanks for the response Joel. Updated snort_version and reran after timeout
expired. Getting same error.

    Base URL is:
https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>
Checking latest MD5 for snortrules-snapshot-2940.tar.gz....
    Fetching md5sum for: snortrules-snapshot-2940.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2940.tar.gz.md5/<my_oinkcode>
==> SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
403 Forbidden
    A 403 error occurred, please wait for the 15 minute timeout
    to expire before trying again or specify the -n runtime switch
    You may also wish to verfiy your oinkcode, tarball name, and other
configuration options
    Error 403 when fetching
https://www.snort.org/sub-rules/snortrules-snapshot-2940.tar.gz.md5 at
/usr/local/bin/pulledpork.pl line 453
    main::md5file('<my_oinkcode>', 'snortrules-snapshot-2940.tar.gz',
'/tmp/', 'https://www.snort.org/sub-rules/') called at /usr/local/bin/
pulledpork.pl line 1758


On Wed, Feb 20, 2013 at 8:46 AM, Joel Esler <jesler at ...1935...> wrote:

> Add a 0 to the end of the "294" line.  2940.tar.gz.  It'll work.
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Wednesday, February 20, 2013 at 8:41 AM, Tamara Fisher wrote:
>
> Hi.
>
> I'm having issues when attempting to fetch subscriber rules and have
> questions.
>
> I use the following rule path:
>
> https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>
>
> but I notice that the GET request that is submitted is:
>
> GET https://www.snort.org/reg-rules/snortrules-snapshot-294.tar.gz.md5/<my_oinkcode>
> ==> SSL_connect:before/connect initialization
>
> Is it normal that the rule path shows sub-rules and GET request shows
> reg-rules? Can anyone see any issues with my config or have any suggestions?
>
> I have checked that ca-certificates is installed and updated. I continue
> to wait 30 minutes between attempts, reconfigs and re-attempts but having
> same 403 error each time.
>
> Google is no longer helpful.
>
> Any help appreciated.
>
> My extra verbose error:
>
> Config File Variable Debug /etc/snort/pulledpork.conf
>     snort_path = /usr/local/bin/snort
>     enablesid = /etc/snort/enablesid.conf
>     modifysid = /etc/snort/modifysid.conf
>     rule_path = /etc/snort/rules/snort.rules
>     ignore = deleted.rules,experimental.rules,local.rules
>     rule_url = ARRAY(0x22e5400)
>     snort_version = 2.9.4
>     sid_changelog = /var/log/sid_changes.log
>     sid_msg = /etc/snort/sid-msg.map
>     ips_policy = security
>     config_path = /etc/snort/snort.conf
>     sostub_path = /etc/snort/so_rules
>     temp_path = /tmp
>     distro = RHEL-6.0
>     version = 0.6.0
>     sorule_path = /usr/local/lib/snort_dynamicrules/
>     disablesid = /etc/snort/disablesid.conf
>     local_rules = /etc/snort/rules/local.rules
> MISC (CLI and Autovar) Variable Debug:
>     arch Def is: x86-64
>     Config Path is: /etc/snort/pulledpork.conf
>     Distro Def is: RHEL-6.0
>     security policy specified
>     local.rules path is: /etc/snort/rules/local.rules
>     Rules file is: /etc/snort/rules/snort.rules
>     Path to disablesid file: /etc/snort/disablesid.conf
>     Path to enablesid file: /etc/snort/enablesid.conf
>     Path to modifysid file: /etc/snort/modifysid.conf
>     sid changes will be logged to: /var/log/sid_changes.log
>     sid-msg.map Output Path is: /etc/snort/sid-msg.map
>     Snort Version is: 2.9.4
>     Snort Config File: /etc/snort/snort.conf
>     Snort Path is: /usr/local/bin/snort
>     SO Output Path is: /usr/local/lib/snort_dynamicrules/
>     SO Stub File is: /etc/snort/so_rules
>     Extra Verbose Flag is Set
>     Verbose Flag is Set
>     Base URL is:
> https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>
> Checking latest MD5 for snortrules-snapshot-294.tar.gz....
>     Fetching md5sum for: snortrules-snapshot-294.tar.gz.md5
> ** GET https://www.snort.org/reg-rules/snortrules-snapshot-294.tar.gz.md5/<my_oinkcode>
> ==> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:SSLv3 read server session ticket A
> SSL_connect:SSLv3 read finished A
> 403 Forbidden
>     A 403 error occurred, please wait for the 15 minute timeout
>     to expire before trying again or specify the -n runtime switch
>     You may also wish to verfiy your oinkcode, tarball name, and other
> configuration options
>     Error 403 when fetching
> https://www.snort.org/sub-rules/snortrules-snapshot-294.tar.gz.md5 at
> /usr/local/bin/pulledpork.pl line 453
>     main::md5file('<my_oinkcode>', 'snortrules-snapshot-294.tar.gz',
> '/tmp/', 'https://www.snort.org/sub-rules/') called at /usr/local/bin/
> pulledpork.pl line 1758
>
>