[Snort-users] PulledPork Stop working

Joel Esler (jesler) jesler at ...589...
Tue Dec 1 19:13:28 EST 2015

As mentioned earlier in another thread, the ruleset for 2980 is not out yet (should be out probably Thursday); 2976’s rules work fine.

Joel Esler
Manager, Talos Group

On Dec 1, 2015, at 5:37 PM, Rafael Leiva-Ochoa <spawn at ...17369...> wrote:

Hi All,

  I am getting the following error with pulledpork:

Last login: Tue Dec  1 14:14:43 2015 from

[root at ...17370... ~]# pulledpork.pl -vv -c /etc/snort/pulledpork.conf -l


      _____ ____

     `----,\    )

      `--==\\  /    PulledPork v0.7.2 - E.Coli in your water bottle!


     .-~~~~-.Y|\\_  Copyright (C) 2009-2015 JJ Cummings

  @_/        /  66\_  cummingsj at ...11827...

    |    \   \   _(")

     \   /-| ||'--'  Rules give me wings!

      \_\  \_\\


Config File Variable Debug /etc/snort/pulledpork.conf

snort_path = /usr/local/bin/snort

enablesid = /etc/snort/enablesid.conf

black_list = /etc/snort/rules/black_list.rules

modifysid = /etc/snort/modifysid.conf

rule_path = /etc/snort/rules/snort.rules

ignore = deleted.rules,experimental.rules,local.rules

snort_control = /usr/local/bin/snort_control

rule_url = ARRAY(0x16a3220)

sid_msg_version = 1

sid_changelog = /var/log/sid_changes.log

sid_msg = /etc/snort/sid-msg.map

backup_file = /tmp/pp_backup

ips_policy = security

config_path = /etc/snort/snort.conf

temp_path = /tmp

distro = Centos-5-4

version = 0.7.2

sorule_path = /usr/local/lib/snort_dynamicrules/

disablesid = /etc/snort/disablesid.conf

dropsid = /etc/snort/dropsid.conf

local_rules = /etc/snort/rules/local.rules

MISC (CLI and Autovar) Variable Debug:

arch Def is: x86-64

Operating System is: linux

CA Certificate File is: OS Default

Config Path is: /etc/snort/pulledpork.conf

Distro Def is: Centos-5-4

security policy specified

local.rules path is: /etc/snort/rules/local.rules

Rules file is: /etc/snort/rules/snort.rules

Path to disablesid file: /etc/snort/disablesid.conf

Path to dropsid file: /etc/snort/dropsid.conf

Path to enablesid file: /etc/snort/enablesid.conf

Path to modifysid file: /etc/snort/modifysid.conf

sid changes will be logged to: /var/log/sid_changes.log

sid-msg.map Output Path is: /etc/snort/sid-msg.map

Snort Version is:

Snort Config File: /etc/snort/snort.conf

Snort Path is: /usr/local/bin/snort

SO Output Path is: /usr/local/lib/snort_dynamicrules/

Will process SO rules

Logging Flag is Set

Extra Verbose Flag is Set

Verbose Flag is Set

File(s) to ignore = deleted.rules,experimental.rules,local.rules

Base URL is: https://www.snort.org/rules/|snortrules-snapshot.tar.gz|b26b2f91e7f8ac8a3bf091999b07f9a458e39048 https://snort.org/downloads/community/|community-rules.tar.gz|Community http://talosintel.com/feeds/ip-filter.blf|IPBLACKLIST|open https://www.snort.org/rules/|opensource.gz|b26b2f91e7f8ac8a3bf091999b07f9a458e39048

Checking latest MD5 for snortrules-snapshot-2980.tar.gz....

Fetching md5sum for: snortrules-snapshot-2980.tar.gz.md5

** GET https://www.snort.org/reg-rules/snortrules-snapshot-2980.tar.gz.md5/b26b2f91e7f8ac8a3bf091999b07f9a458e39048 ==> SSL_connect:before/connect initialization

SSL_connect:SSLv2/v3 write client hello A

SSL_connect:SSLv3 read server hello A

SSL_connect:SSLv3 read server certificate A

SSL_connect:SSLv3 read server key exchange A

SSL_connect:SSLv3 read server done A

SSL_connect:SSLv3 write client key exchange A

SSL_connect:SSLv3 write change cipher spec A

SSL_connect:SSLv3 write finished A

SSL_connect:SSLv3 flush data

SSL_connect:SSLv3 read server session ticket A

SSL_connect:SSLv3 read finished A

422 Unprocessable Entity (1s)

Error 422 when fetching https://www.snort.org/rules/snortrules-snapshot-2980.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 516

main::md5file('b26b2f91e7f8ac8a3bf091999b07f9a458e39048', 'snortrules-snapshot-2980.tar.gz', '/tmp/', 'https://www.snort.org/rules/') called at /usr/local/bin/pulledpork.pl line 1937

[root at ...17370... ~]#

I looked at the snort archive, and it was an issue before. Any idea how to fix it?


