[Snort-users] PulledPork Stop working

Rafael Leiva-Ochoa spawn at ...17369...
Tue Dec 1 20:59:09 EST 2015


Ok. Thanks for the info.

On Tue, Dec 1, 2015 at 4:42 PM, Shirkdog <shirkdog at ...11827...> wrote:

> Without the version provided for Snort, pulledpork will detect the Snort
> version based on the binary.
> On Dec 1, 2015 7:36 PM, "Rafael Leiva-Ochoa" <spawn at ...17369...> wrote:
>
>> Thanks, that's what I thought, but was not 100%. Why would pulledpork be
>> pulling that?
>>
>> On Tuesday, December 1, 2015, Joel Esler (jesler) <jesler at ...589...>
>> wrote:
>>
>>> As mentioned earlier in another thread, the ruleset for 2980 is not out
>>> yet (should be out probably Thursday); 2976's rules work fine.
>>>
>>> --
>>> *Joel Esler*
>>> Manager, Talos Group
>>>
>>>
>>>
>>>
>>> On Dec 1, 2015, at 5:37 PM, Rafael Leiva-Ochoa <spawn at ...17369...>
>>> wrote:
>>>
>>> Hi All,
>>>
>>>   I am getting the following error with pulledpork:
>>>
>>> Last login: Tue Dec  1 14:14:43 2015 from 172.16.1.39
>>>
>>> [root at ...17370... ~]# pulledpork.pl -vv -c /etc/snort/pulledpork.conf -l
>>>
>>>     https://github.com/shirkdog/pulledpork
>>>
>>>       _____ ____
>>>      `----,\    )
>>>       `--==\\  /    PulledPork v0.7.2 - E.Coli in your water bottle!
>>>        `--==\\/
>>>      .-~~~~-.Y|\\_  Copyright (C) 2009-2015 JJ Cummings
>>>   @_/        /  66\_  cummingsj at ...11827...
>>>     |    \   \   _(")
>>>      \   /-| ||'--'  Rules give me wings!
>>>       \_\  \_\\
>>>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>
>>> Config File Variable Debug /etc/snort/pulledpork.conf
>>> snort_path = /usr/local/bin/snort
>>> enablesid = /etc/snort/enablesid.conf
>>> black_list = /etc/snort/rules/black_list.rules
>>> modifysid = /etc/snort/modifysid.conf
>>> rule_path = /etc/snort/rules/snort.rules
>>> ignore = deleted.rules,experimental.rules,local.rules
>>> snort_control = /usr/local/bin/snort_control
>>> rule_url = ARRAY(0x16a3220)
>>> sid_msg_version = 1
>>> sid_changelog = /var/log/sid_changes.log
>>> sid_msg = /etc/snort/sid-msg.map
>>> backup_file = /tmp/pp_backup
>>> ips_policy = security
>>> config_path = /etc/snort/snort.conf
>>> temp_path = /tmp
>>> distro = Centos-5-4
>>> version = 0.7.2
>>> sorule_path = /usr/local/lib/snort_dynamicrules/
>>> disablesid = /etc/snort/disablesid.conf
>>> dropsid = /etc/snort/dropsid.conf
>>> local_rules = /etc/snort/rules/local.rules
>>>
>>> MISC (CLI and Autovar) Variable Debug:
>>> arch Def is: x86-64
>>> Operating System is: linux
>>> CA Certificate File is: OS Default
>>> Config Path is: /etc/snort/pulledpork.conf
>>> Distro Def is: Centos-5-4
>>> security policy specified
>>> local.rules path is: /etc/snort/rules/local.rules
>>> Rules file is: /etc/snort/rules/snort.rules
>>> Path to disablesid file: /etc/snort/disablesid.conf
>>> Path to dropsid file: /etc/snort/dropsid.conf
>>> Path to enablesid file: /etc/snort/enablesid.conf
>>> Path to modifysid file: /etc/snort/modifysid.conf
>>> sid changes will be logged to: /var/log/sid_changes.log
>>> sid-msg.map Output Path is: /etc/snort/sid-msg.map
>>> Snort Version is: 2.9.8.0
>>> Snort Config File: /etc/snort/snort.conf
>>> Snort Path is: /usr/local/bin/snort
>>> SO Output Path is: /usr/local/lib/snort_dynamicrules/
>>> Will process SO rules
>>> Logging Flag is Set
>>> Extra Verbose Flag is Set
>>> Verbose Flag is Set
>>> File(s) to ignore = deleted.rules,experimental.rules,local.rules
>>>
>>> Base URL is:
>>> https://www.snort.org/rules/|snortrules-snapshot.tar.gz|b26b2f91e7f8ac8a3bf091999b07f9a458e39048
>>> https://snort.org/downloads/community/|community-rules.tar.gz|Community
>>> http://talosintel.com/feeds/ip-filter.blf|IPBLACKLIST|open
>>> https://www.snort.org/rules/|opensource.gz|b26b2f91e7f8ac8a3bf091999b07f9a458e39048
>>>
>>> Checking latest MD5 for snortrules-snapshot-2980.tar.gz....
>>> Fetching md5sum for: snortrules-snapshot-2980.tar.gz.md5
>>> ** GET
>>> https://www.snort.org/reg-rules/snortrules-snapshot-2980.tar.gz.md5/b26b2f91e7f8ac8a3bf091999b07f9a458e39048
>>> ==> SSL_connect:before/connect initialization
>>> SSL_connect:SSLv2/v3 write client hello A
>>> SSL_connect:SSLv3 read server hello A
>>> SSL_connect:SSLv3 read server certificate A
>>> SSL_connect:SSLv3 read server key exchange A
>>> SSL_connect:SSLv3 read server done A
>>> SSL_connect:SSLv3 write client key exchange A
>>> SSL_connect:SSLv3 write change cipher spec A
>>> SSL_connect:SSLv3 write finished A
>>> SSL_connect:SSLv3 flush data
>>> SSL_connect:SSLv3 read server session ticket A
>>> SSL_connect:SSLv3 read finished A
>>> 422 Unprocessable Entity (1s)
>>>
>>> Error 422 when fetching
>>> https://www.snort.org/rules/snortrules-snapshot-2980.tar.gz.md5 at
>>> /usr/local/bin/pulledpork.pl line 516
>>>
>>> main::md5file('b26b2f91e7f8ac8a3bf091999b07f9a458e39048',
>>> 'snortrules-snapshot-2980.tar.gz', '/tmp/', '
>>> https://www.snort.org/rules/') called at /usr/local/bin/pulledpork.pl
>>> line 1937
>>>
>>> [root at ...17370... ~]#
>>>
>>>
>>> I looked at the snort archive, and it was an issue before. Any idea how
>>> to fix it?
>>>
>>> Thanks,
>>>
>>> Rafael
>>>
>>> ------------------------------------------------------------------------------
>>> Go from Idea to Many App Stores Faster with Intel(R) XDK
>>> Give your users amazing mobile app experiences with Intel(R) XDK.
>>> Use one codebase in this all-in-one HTML5 development environment.
>>> Design, debug & build mobile apps & 2D/3D high-impact games for multiple
>>> OSs.
>>>
>>> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>>
>>>
>>
>
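The version pinning Shirkdog describes (PulledPork reads the version off the snort binary unless you pass one), written out as an added example; this is not code from the thread or from the PulledPork project. The `-S`, `-c`, `-l` and `-vv` flags are PulledPork's own options; the helper names, the sample `snort -V` banner, and the "2.9.7.6 is the newest published snapshot" value (taken from Joel's reply as of this thread) are constructed assumptions.

```shell
#!/bin/sh
# Added example (not PulledPork code): show how the snapshot filename is derived
# from the Snort version, and how to pin the version with -S when the snapshot
# for the autodetected version has not been published yet.

# Constructed stand-in for `snort -V` output; a real run would call the binary.
SAMPLE_SNORT_V='   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.0 GRE (Build 229)
   By Martin Roesch & The Snort Team'

# Extract the dotted version ("2.9.8.0") from snort -V style text on stdin.
version_from_banner() {
    sed -n 's/.*Version \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# Map a dotted version to the tag PulledPork requests: 2.9.8.0 -> 2980
snapshot_tag() {
    printf '%s\n' "$1" | tr -d '.'
}

# Tarball name PulledPork fetches for a given Snort version.
snapshot_file() {
    printf 'snortrules-snapshot-%s.tar.gz\n' "$(snapshot_tag "$1")"
}

# Return 0 if $1 is newer than $2, comparing dotted versions field by field
# (portable alternative to sort -V).
version_gt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 1
}

# Version to hand to PulledPork: the detected one, unless it is newer than the
# newest snapshot known to be published, in which case fall back to that.
effective_version() {
    detected=$1; latest=$2
    if version_gt "$detected" "$latest"; then
        printf '%s\n' "$latest"
    else
        printf '%s\n' "$detected"
    fi
}

# Build the pulledpork command line. A non-empty second argument is passed as
# -S, which overrides the version PulledPork would read from the binary.
pulledpork_cmd() {
    conf=$1
    pin=${2:-}
    if [ -n "$pin" ]; then
        printf 'pulledpork.pl -vv -c %s -l -S %s\n' "$conf" "$pin"
    else
        printf 'pulledpork.pl -vv -c %s -l\n' "$conf"
    fi
}

# Walk through the situation in the thread: a 2.9.8.0 binary while only the
# 2976 snapshot exists (assumed value from Joel's reply).
detected=$(printf '%s\n' "$SAMPLE_SNORT_V" | version_from_banner)
echo "detected Snort $detected -> would request $(snapshot_file "$detected")"
pin=$(effective_version "$detected" 2.9.7.6)
echo "pinning to $pin -> $(snapshot_file "$pin")"
pulledpork_cmd /etc/snort/pulledpork.conf "$pin"
```

Running it prints the command `pulledpork.pl -vv -c /etc/snort/pulledpork.conf -l -S 2.9.7.6`, which makes PulledPork ask for `snortrules-snapshot-2976.tar.gz` instead of the 2980 snapshot that returned 422 in the log above. Drop the `-S` again once the snapshot for the running version is published, or the pin will silently keep you on the older ruleset.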