[Snort-users] PulledPork Stop working

Rafael Leiva-Ochoa spawn at ...17369...
Tue Dec 1 19:32:35 EST 2015


Thanks, that's what I thought, but was not 100%. Why would pulledpork be
pulling that?

On Tuesday, December 1, 2015, Joel Esler (jesler) <jesler at ...589...> wrote:

> As mentioned earlier in another thread the ruleset for 2980 is not out
> yet, (should be out probably Thursday), 2976’s rules work fine.
>
> --
> *Joel Esler*
> Manager, Talos Group
>
>
>
>
> On Dec 1, 2015, at 5:37 PM, Rafael Leiva-Ochoa <spawn at ...17369...> wrote:
>
> Hi All,
>
>   I am getting the following error with pulledpork:
>
> Last login: Tue Dec  1 14:14:43 2015 from 172.16.1.39
> [root at ...17370... ~]# pulledpork.pl -vv -c /etc/snort/pulledpork.conf -l
>
>     https://github.com/shirkdog/pulledpork
>       _____ ____
>      `----,\    )
>       `--==\\  /    PulledPork v0.7.2 - E.Coli in your water bottle!
>        `--==\\/
>      .-~~~~-.Y|\\_  Copyright (C) 2009-2015 JJ Cummings
>   @_/        /  66\_  cummingsj at ...11827...
>     |    \   \   _(")
>      \   /-| ||'--'  Rules give me wings!
>       \_\  \_\\
>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Config File Variable Debug /etc/snort/pulledpork.conf
> snort_path = /usr/local/bin/snort
> enablesid = /etc/snort/enablesid.conf
> black_list = /etc/snort/rules/black_list.rules
> modifysid = /etc/snort/modifysid.conf
> rule_path = /etc/snort/rules/snort.rules
> ignore = deleted.rules,experimental.rules,local.rules
> snort_control = /usr/local/bin/snort_control
> rule_url = ARRAY(0x16a3220)
> sid_msg_version = 1
> sid_changelog = /var/log/sid_changes.log
> sid_msg = /etc/snort/sid-msg.map
> backup_file = /tmp/pp_backup
> ips_policy = security
> config_path = /etc/snort/snort.conf
> temp_path = /tmp
> distro = Centos-5-4
> version = 0.7.2
> sorule_path = /usr/local/lib/snort_dynamicrules/
> disablesid = /etc/snort/disablesid.conf
> dropsid = /etc/snort/dropsid.conf
> local_rules = /etc/snort/rules/local.rules
>
> MISC (CLI and Autovar) Variable Debug:
> arch Def is: x86-64
> Operating System is: linux
> CA Certificate File is: OS Default
> Config Path is: /etc/snort/pulledpork.conf
> Distro Def is: Centos-5-4
> security policy specified
> local.rules path is: /etc/snort/rules/local.rules
> Rules file is: /etc/snort/rules/snort.rules
> Path to disablesid file: /etc/snort/disablesid.conf
> Path to dropsid file: /etc/snort/dropsid.conf
> Path to enablesid file: /etc/snort/enablesid.conf
> Path to modifysid file: /etc/snort/modifysid.conf
> sid changes will be logged to: /var/log/sid_changes.log
> sid-msg.map Output Path is: /etc/snort/sid-msg.map
> Snort Version is: 2.9.8.0
> Snort Config File: /etc/snort/snort.conf
> Snort Path is: /usr/local/bin/snort
> SO Output Path is: /usr/local/lib/snort_dynamicrules/
> Will process SO rules
> Logging Flag is Set
> Extra Verbose Flag is Set
> Verbose Flag is Set
> File(s) to ignore = deleted.rules,experimental.rules,local.rules
> Base URL is:
> https://www.snort.org/rules/|snortrules-snapshot.tar.gz|b26b2f91e7f8ac8a3bf091999b07f9a458e39048
> https://snort.org/downloads/community/|community-rules.tar.gz|Community
> http://talosintel.com/feeds/ip-filter.blf|IPBLACKLIST|open
> https://www.snort.org/rules/|opensource.gz|b26b2f91e7f8ac8a3bf091999b07f9a458e39048
> Checking latest MD5 for snortrules-snapshot-2980.tar.gz....
> Fetching md5sum for: snortrules-snapshot-2980.tar.gz.md5
> ** GET
> https://www.snort.org/reg-rules/snortrules-snapshot-2980.tar.gz.md5/b26b2f91e7f8ac8a3bf091999b07f9a458e39048
> ==> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server key exchange A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:SSLv3 read server session ticket A
> SSL_connect:SSLv3 read finished A
> 422 Unprocessable Entity (1s)
> Error 422 when fetching
> https://www.snort.org/rules/snortrules-snapshot-2980.tar.gz.md5 at
> /usr/local/bin/pulledpork.pl line 516
> main::md5file('b26b2f91e7f8ac8a3bf091999b07f9a458e39048',
> 'snortrules-snapshot-2980.tar.gz', '/tmp/', 'https://www.snort.org/rules/')
> called at /usr/local/bin/pulledpork.pl line 1937
> [root at ...17370... ~]#
>
>
> I looked at the snort archive, and it was an issue before. Any idea how to
> fix it?
>
> Thanks,
>
> Rafael