[Snort-users] 403 Error when attempting to pull rules using Pulled-Pork

Joel Esler jesler at ...1935...
Wed Feb 20 09:06:09 EST 2013


Send me your oinkcode off list, and I'll look into your code.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Wednesday, February 20, 2013 at 8:56 AM, Tamara Fisher wrote:

> Thanks for the response Joel. Updated snort_version and reran after timeout expired. Getting same error. 
> 
>     Base URL is: https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>
> Checking latest MD5 for snortrules-snapshot-2940.tar.gz....
>     Fetching md5sum for: snortrules-snapshot-2940.tar.gz.md5
> ** GET https://www.snort.org/reg-rules/snortrules-snapshot-2940.tar.gz.md5/<my_oinkcode> ==> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:SSLv3 read server session ticket A
> SSL_connect:SSLv3 read finished A
> 403 Forbidden
>     A 403 error occurred, please wait for the 15 minute timeout
>     to expire before trying again or specify the -n runtime switch
>     You may also wish to verfiy your oinkcode, tarball name, and other configuration options
>     Error 403 when fetching https://www.snort.org/sub-rules/snortrules-snapshot-2940.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 453
>     main::md5file('<my_oinkcode>', 'snortrules-snapshot-2940.tar.gz', '/tmp/', 'https://www.snort.org/sub-rules/') called at /usr/local/bin/pulledpork.pl line 1758
> 
> 
> On Wed, Feb 20, 2013 at 8:46 AM, Joel Esler <jesler at ...1935...> wrote:
> > Add a 0 to the end of the "294" line.  2940.tar.gz.  It'll work.
> > 
> > --
> > Joel Esler
> > Senior Research Engineer, VRT
> > OpenSource Community Manager
> > Sourcefire
> > 
> > 
> > On Wednesday, February 20, 2013 at 8:41 AM, Tamara Fisher wrote:
> > 
> > 
> > 
> > > Hi. 
> > > 
> > > I'm having issues when attempting to fetch subscriber rules and have questions. 
> > > 
> > > I use the following rule path:
> > > 
> > > https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>
> > > 
> > > but I notice that the GET request that is submitted is:
> > > 
> > > GET https://www.snort.org/reg-rules/snortrules-snapshot-294.tar.gz.md5/<my_oinkcode> ==> SSL_connect:before/connect initialization
> > > 
> > > Is it normal that the rule path shows sub-rules and GET request shows reg-rules? Can anyone see any issues with my config or have any suggestions?
> > > 
> > > I have checked that ca-certificates is installed and updated. I continue to wait 30 minutes between attempts, reconfigs and re-attempts but having same 403 error each time. 
> > > 
> > > Google is no longer helpful. 
> > > 
> > > Any help appreciated.
> > > 
> > > My extra verbose error:
> > > 
> > > Config File Variable Debug /etc/snort/pulledpork.conf
> > >     snort_path = /usr/local/bin/snort
> > >     enablesid = /etc/snort/enablesid.conf
> > >     modifysid = /etc/snort/modifysid.conf
> > >     rule_path = /etc/snort/rules/snort.rules
> > >     ignore = deleted.rules,experimental.rules,local.rules
> > >     rule_url = ARRAY(0x22e5400)
> > >     snort_version = 2.9.4
> > >     sid_changelog = /var/log/sid_changes.log
> > >     sid_msg = /etc/snort/sid-msg.map
> > >     ips_policy = security
> > >     config_path = /etc/snort/snort.conf
> > >     sostub_path = /etc/snort/so_rules
> > >     temp_path = /tmp
> > >     distro = RHEL-6.0
> > >     version = 0.6.0
> > >     sorule_path = /usr/local/lib/snort_dynamicrules/
> > >     disablesid = /etc/snort/disablesid.conf
> > >     local_rules = /etc/snort/rules/local.rules
> > > MISC (CLI and Autovar) Variable Debug:
> > >     arch Def is: x86-64
> > >     Config Path is: /etc/snort/pulledpork.conf
> > >     Distro Def is: RHEL-6.0
> > >     security policy specified
> > >     local.rules path is: /etc/snort/rules/local.rules
> > >     Rules file is: /etc/snort/rules/snort.rules
> > >     Path to disablesid file: /etc/snort/disablesid.conf
> > >     Path to enablesid file: /etc/snort/enablesid.conf
> > >     Path to modifysid file: /etc/snort/modifysid.conf
> > >     sid changes will be logged to: /var/log/sid_changes.log
> > >     sid-msg.map Output Path is: /etc/snort/sid-msg.map
> > >     Snort Version is: 2.9.4
> > >     Snort Config File: /etc/snort/snort.conf
> > >     Snort Path is: /usr/local/bin/snort
> > >     SO Output Path is: /usr/local/lib/snort_dynamicrules/
> > >     SO Stub File is: /etc/snort/so_rules
> > >     Extra Verbose Flag is Set
> > >     Verbose Flag is Set
> > >     Base URL is: https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<my_oinkcode>
> > > Checking latest MD5 for snortrules-snapshot-294.tar.gz....
> > >     Fetching md5sum for: snortrules-snapshot-294.tar.gz.md5
> > > ** GET https://www.snort.org/reg-rules/snortrules-snapshot-294.tar.gz.md5/<my_oinkcode> ==> SSL_connect:before/connect initialization
> > > SSL_connect:SSLv2/v3 write client hello A
> > > SSL_connect:SSLv3 read server hello A
> > > SSL_connect:SSLv3 read server certificate A
> > > SSL_connect:SSLv3 read server done A
> > > SSL_connect:SSLv3 write client key exchange A
> > > SSL_connect:SSLv3 write change cipher spec A
> > > SSL_connect:SSLv3 write finished A
> > > SSL_connect:SSLv3 flush data
> > > SSL_connect:SSLv3 read server session ticket A
> > > SSL_connect:SSLv3 read finished A
> > > 403 Forbidden
> > >     A 403 error occurred, please wait for the 15 minute timeout
> > >     to expire before trying again or specify the -n runtime switch
> > >     You may also wish to verfiy your oinkcode, tarball name, and other configuration options
> > >     Error 403 when fetching https://www.snort.org/sub-rules/snortrules-snapshot-294.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 453
> > >     main::md5file('<my_oinkcode>', 'snortrules-snapshot-294.tar.gz', '/tmp/', 'https://www.snort.org/sub-rules/') called at /usr/local/bin/pulledpork.pl line 1758
> > > 
> > 
> 
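
An added example, not part of the thread or of PulledPork's own code: a pre-flight check in Python that derives the snapshot file name from snort_version the way the verbose output above shows (dots removed), flags a version that is not four-part, and reports the request with the oinkcode redacted so the output can be posted to a list. The base|tarball|oinkcode split of rule_url, the sample config and the function names are assumptions made for illustration.

```python
import re

# Constructed sample mirroring the settings shown in the thread; the oinkcode
# is a made-up placeholder, not a real credential.
SAMPLE_CONF = """\
# pulledpork.conf (constructed sample)
rule_url=https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|0123456789abcdef0123456789abcdef01234567
snort_version=2.9.4
temp_path=/tmp
"""

def parse_conf(text):
    """Return (rule_urls, settings) from key=value lines, skipping comments."""
    urls, settings = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "rule_url":
            urls.append(value)  # rule_url may be given more than once
        else:
            settings[key] = value
    return urls, settings

def preflight(text):
    """Return (redacted request names, warnings) for a pulledpork.conf body."""
    urls, settings = parse_conf(text)
    version = settings.get("snort_version", "")
    warnings, requests = [], []
    if not re.fullmatch(r"\d+(\.\d+){3}", version):
        warnings.append(f"snort_version '{version}' is not four-part (e.g. 2.9.4.0)")
    suffix = version.replace(".", "")  # 2.9.4 -> 294, 2.9.4.0 -> 2940
    for url in urls:
        fields = url.split("|")
        if len(fields) != 3 or not fields[2]:
            warnings.append("rule_url is not base|tarball|oinkcode")
            continue
        base, tarball, _oinkcode = fields
        if tarball == "snortrules-snapshot.tar.gz":
            tarball = f"snortrules-snapshot-{suffix}.tar.gz"
        # The oinkcode is never echoed, so the output is safe to post on a list.
        requests.append(f"{base}{tarball}.md5 [oinkcode redacted]")
    return requests, warnings

if __name__ == "__main__":
    for item in sum(preflight(SAMPLE_CONF), []):
        print(item)
```
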
