[Snort-users] Snort with PulledPork and Ubuntu 12.04 Server

Doug Burks doug.burks at ...11827...
Thu Jul 24 07:50:57 EDT 2014


Right, did you see this note on the page?


For certain proxies (Bluecoat in particular), you may need to change
from https to http in /etc/nsm/pulledpork/pulledpork.conf. For more
information, please see:

https://code.google.com/p/pulledpork/issues/detail?id=154

https://groups.google.com/d/topic/security-onion-testing/piRYj-7Ar8M/discussion

On Thu, Jul 24, 2014 at 7:33 AM, Christian Gebler
<geblerchristian at ...14012...> wrote:
> thx, but I think my proxy configuration is fine.:) It's something with Perl
> and the HTTPS GET Method.
>
>
> 2014-07-24 13:27 GMT+02:00 Doug Burks <doug.burks at ...11827...>:
>
>> Hi Christian,
>>
>> Here are some settings you might want to try:
>> https://code.google.com/p/security-onion/wiki/Proxy
>>
>> On Thu, Jul 24, 2014 at 3:43 AM, Christian Gebler
>> <geblerchristian at ...14012...> wrote:
>> > I'm using the Ubuntu Server 12.04 standard Repository.
>> >
>> > Perl  5.14.2
>> > libcrypt-ssleay-perl 0.58-1
>> > liblwp-protocol-https-perl 6.04-2
>> >
>> > And yes, there is also a proxy. But the proxy variable http_proxy and
>> > https_proxy is set.
>> >
>> >
>> > 2014-07-23 15:04 GMT+02:00 JJ Cummings (jjcummin) <jjcummin at ...589...>:
>> >>
>> >> A 501 generally means something is not being handled correctly with SSL
>> >> in
>> >> your perl installation.  I would try validating that the following are
>> >> installed and updated:
>> >> Crypt::SSLeay
>> >> LWP::Protocol::https
>> >>
>> >> Also, are you using a proxy?
>> >>
>> >> JJC
>> >>
>> >> On Jul 23, 2014, at 7:55 AM, Joel Esler (jesler) <jesler at ...589...>
>> >> wrote:
>> >>
>> >> CC’ing JJ, as it’s not a Snort.org problem, seems to be a pulledpork
>> >> issue.
>> >>
>> >> On Jul 23, 2014, at 2:03 AM, Christian Gebler
>> >> <geblerchristian at ...14012...> wrote:
>> >>
>> >> manually I can download it
>> >>
>> >>
>> >> 2014-07-22 23:53 GMT+02:00 Joel Esler (jesler) <jesler at ...589...>:
>> >>>
>> >>> Try this:
>> >>>
>> >>>
>> >>>
>> >>> https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=8b46559ee9c2faaa4464a693d2133dff62f3feaf
>> >>>
>> >>>
>> >>>
>> >>> On Jul 22, 2014, at 2:55 AM, Christian Gebler
>> >>> <geblerchristian at ...14012...> wrote:
>> >>>
>> >>> > Ah okay, the email is "itadmin at ...16916..."
>> >>> >
>> >>> >
>> >>> > 2014-07-22 8:41 GMT+02:00 Christian Gebler
>> >>> > <geblerchristian at ...14012...>:
>> >>> > Hi Joel,
>> >>> >
>> >>> > the account is registered under the username "tcs". Now I see we
>> >>> > need
>> >>> > an email address to login on the snort website...that's new?!?
>> >>> > I have a friend in another company, same Ubuntu Server 12.04 version
>> >>> > and same problem....
>> >>> >
>> >>> >
>> >>> >
>> >>> >
>> >>> > 2014-07-21 19:25 GMT+02:00 Joel Esler (jesler) <jesler at ...589...>:
>> >>> >
>> >>> > So I can view the status of your account to see if it’s a subscriber
>> >>> > problem or a registered problem, and the status of the account.
>> >>> >
>> >>> > --
>> >>> > Joel Esler
>> >>> > Open Source Manager
>> >>> > Threat Intelligence Team Lead
>> >>> > Vulnerability Research Team
>> >>>
>> >>> >
>> >>> > On Jul 21, 2014, at 10:39 AM, Christian Gebler
>> >>> > <geblerchristian at ...14012...> wrote:
>> >>> >
>> >>> >> Hi,
>> >>> >>
>> >>> >> why did you need the oinkcode or the email address for my problem?
>> >>> >> :)
>> >>> >>
>> >>> >> I think it's a problem with the GET Method in Perl with HTTPS. With
>> >>> >> HTTP it worked well, since the snort Page Update last week.
>> >>> >>
>> >>> >>
>> >>> >> 2014-07-21 14:11 GMT+02:00 Joel Esler (jesler) <jesler at ...589...>:
>> >>>
>> >>> >> Can you write me offlist with your oinkcode or email address your
>> >>> >> account is under?
>> >>> >>
>> >>> >> --
>> >>> >> Joel Esler
>> >>> >> Sent from my iPhone
>> >>> >>
>> >>> >> On Jul 21, 2014, at 7:43, "Christian Gebler"
>> >>> >> <geblerchristian at ...14012...> wrote:
>> >>> >>
>> >>> >>> Hi,
>> >>> >>>
>> >>> >>> I'm using Snort 2.9.6.2 with PulledPork 0.7.0 on an Ubuntu Server
>> >>> >>> 12.04 LTS.
>> >>> >>>
>> >>> >>> Since last week it is not possible to download the new VRT Snort
>> >>> >>> 2.9.6.2 Ruleset (now with https):
>> >>> >>>
>> >>> >>> Checking latest MD5 for snortrules-snapshot-2962.tar.gz....
>> >>> >>> Fetching md5sum for: snortrules-snapshot-2962.tar.gz.md5
>> >>> >>> ** GET
>> >>> >>>
>> >>> >>> https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz.md5?oinkcode=<my
>> >>> >>> oinkcode> ==> 501 Not Implemented
>> >>> >>> Error 501 when fetching
>> >>> >>> https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz.md5 at
>> >>> >>> ./pulledpork.pl line 463
>> >>> >>> main::md5file('<oinkcode>', 'snortrules-snapshot-2962.tar.gz',
>> >>> >>> '/etc/snort/rules/tmp/', 'https://www.snort.org/rules/') called at
>> >>> >>> ./pulledpork.pl line 1847
>> >>> >>>
>> >>> >>>
>> >>> >>>
>> >>> >>> Any suggestions?
>> >>> >>>
>> >>> >>> thx
>> >>> >>>
>> >>> >>>
>> >>> >>>
>> >>> >>> ------------------------------------------------------------------------------
>> >>> >>> Want fast and easy access to all the code in your enterprise?
>> >>> >>> Index
>> >>> >>> and
>> >>> >>> search up to 200,000 lines of code with a free copy of Black Duck
>> >>> >>> Code Sight - the same software that powers the world's largest
>> >>> >>> code
>> >>> >>> search on Ohloh, the Black Duck Open Hub! Try it now.
>> >>> >>> http://p.sf.net/sfu/bds
>> >>> >>> _______________________________________________
>> >>> >>> Snort-users mailing list
>> >>> >>> Snort-users at lists.sourceforge.net
>> >>> >>> Go to this URL to change user options or unsubscribe:
>> >>> >>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >>> >>> Snort-users list archive:
>> >>> >>>
>> >>> >>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> >>> >>>
>> >>> >>> Please visit http://blog.snort.org to stay current on all the
>> >>> >>> latest
>> >>> >>> Snort news!
>> >>> >>
>> >>> >
>> >>> >
>> >>> >
>> >>>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>>
>> --
>> Doug Burks
>> http://securityonionsolutions.com
>
>



-- 
Doug Burks
http://securityonionsolutions.com
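
Added example, not part of the original thread and not PulledPork's own code: a shell check of which scheme each active `rule_url` line in pulledpork.conf uses. It is relevant to the https-to-http workaround quoted above, because the oinkcode is sent in the query string and travels unencrypted over http. The `rule_url=<base>|<file>|<oinkcode>` layout, the function names and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not PulledPork code). Assumes rule_url lines of the form
#   rule_url=<base url>|<file>|<oinkcode>
# and that an oinkcode is a hex string of at least 20 characters.

# audit_rule_urls [FILE]  (reads stdin when FILE is omitted)
# Prints "<scheme> <file> <note>" for every active rule_url line.
audit_rule_urls() {
    awk -F'|' '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        /^[ \t]*rule_url[ \t]*=/ {
            base = $1
            sub(/^[ \t]*rule_url[ \t]*=[ \t]*/, "", base)
            scheme = base
            sub(/:\/\/.*/, "", scheme)           # keep only the URL scheme
            code = $3
            gsub(/[ \t\r]/, "", code)            # tolerate trailing blanks/CR
            has_code = (length(code) >= 20 && code ~ /^[0-9a-fA-F]+$/)
            note = "ok"
            if (scheme == "http" && has_code)
                note = "cleartext-oinkcode"      # credential visible on the wire
            else if (scheme != "http" && scheme != "https")
                note = "unknown-scheme"
            print scheme, $2, note
        }
    ' "${1:--}"
}

# Constructed sample config; the 40-character code is a made-up placeholder.
sample_conf() {
    cat <<'EOF'
# rule_url=http://www.snort.org/rules/|disabled.tar.gz|0123456789abcdef0123456789abcdef01234567
rule_url=https://www.snort.org/rules/|snortrules-snapshot-2962.tar.gz|0123456789abcdef0123456789abcdef01234567
rule_url=http://www.snort.org/rules/|snortrules-snapshot-2962.tar.gz|0123456789abcdef0123456789abcdef01234567
rule_url=https://rules.example.invalid/|open-rules.tar.gz|open
EOF
}

# Audit a real file when one is given, e.g. /etc/nsm/pulledpork/pulledpork.conf
if [ "$#" -gt 0 ]; then
    audit_rule_urls "$1"
fi
```

Running `sample_conf | audit_rule_urls` shows the output format without touching a live configuration.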



