<div dir="ltr">Ok. Thanks for the info.</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 1, 2015 at 4:42 PM, Shirkdog <span dir="ltr"><<a href="mailto:shirkdog@...11827..." target="_blank">shirkdog@...11827...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">Without the version provided for Snort, pulledpork will detect the Snort version based on the binary.</p><div class="HOEnZb"><div class="h5">
<div class="gmail_quote">On Dec 1, 2015 7:36 PM, "Rafael Leiva-Ochoa" <<a href="mailto:spawn@...17369..." target="_blank">spawn@...979...17369...</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks, that's what I thought, but was not 100%. Why would pulledpork be pulling that?<span></span><br><br>On Tuesday, December 1, 2015, Joel Esler (jesler) <<a href="mailto:jesler@...589..." target="_blank">jesler@...589...</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div style="word-wrap:break-word">
As mentioned earlier in another thread, the ruleset for 2980 is not out yet (should be out probably Thursday); 2976’s rules work fine.
<div><br>
<div>
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<div style="margin:0px;line-height:normal;font-family:'Lucida Grande'">
--</div>
<div style="margin:0px;line-height:normal;font-family:'Lucida Grande'">
<b>Joel Esler</b></div>
<div style="margin:0px;line-height:normal;font-family:'Lucida Grande'">
Manager, Talos Group</div>
<div style="margin:0px;line-height:normal;font-family:'Helvetica Neue'">
<br>
</div>
</div>
</div>
<br>
<br>
</div>
<br>
<div>
<blockquote type="cite">
<div>On Dec 1, 2015, at 5:37 PM, Rafael Leiva-Ochoa <<a>spawn@...17385....</a>> wrote:</div>
<br>
<div>
<div dir="ltr">Hi All,
<div><br>
</div>
<div>  I am getting the following error with pulledpork:</div>
<div><br>
</div>
<div>
<p><span>Last login: Tue Dec  1 14:14:43 2015 from 172.16.1.39</span></p>
<p><span>[root@...17370... ~]# <a href="http://pulledpork.pl/" target="_blank">
pulledpork.pl</a> -vv -c /etc/snort/pulledpork.conf -l</span></p>
<div><span> </span><br>
</div>
<p><span>    <a href="https://github.com/shirkdog/pulledpork" target="_blank">
https://github.com/shirkdog/pulledpork</a></span></p>
<p><span>      _____ ____</span></p>
<p><span>     `----,\    )</span></p>
<p><span>      `--==\\  /    PulledPork v0.7.2 - E.Coli in your water bottle!</span></p>
<p><span>       `--==\\/</span></p>
<p><span>     .-~~~~-.Y|<a>\\_</a>  Copyright (C) 2009-2015 JJ Cummings</span></p>
<p><span>  @_/        /  66\_  <a>
cummingsj@...11827...</a></span></p>
<p><span>    |    \   \   _(")</span></p>
<p><span>     \   /-| ||'--'  Rules give me wings!</span></p>
<p><span>      \_\  \_\\</span></p>
<p><span> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span></p>
<p><span></span><br>
</p>
<p><span>Config File Variable Debug /etc/snort/pulledpork.conf</span></p>
<p><span><span></span>snort_path = /usr/local/bin/snort</span></p>
<p><span><span></span>enablesid = /etc/snort/enablesid.conf</span></p>
<p><span><span></span>black_list = /etc/snort/rules/black_list.rules</span></p>
<p><span><span></span>modifysid = /etc/snort/modifysid.conf</span></p>
<p><span><span></span>rule_path = /etc/snort/rules/snort.rules</span></p>
<p><span><span></span>ignore = deleted.rules,experimental.rules,local.rules</span></p>
<p><span><span></span>snort_control = /usr/local/bin/snort_control</span></p>
<p><span><span></span>rule_url = ARRAY(0x16a3220)</span></p>
<p><span><span></span>sid_msg_version = 1</span></p>
<p><span><span></span>sid_changelog = /var/log/sid_changes.log</span></p>
<p><span><span></span>sid_msg = /etc/snort/sid-msg.map</span></p>
<p><span><span></span>backup_file = /tmp/pp_backup</span></p>
<p><span><span></span>ips_policy = security</span></p>
<p><span><span></span>config_path = /etc/snort/snort.conf</span></p>
<p><span><span></span>temp_path = /tmp</span></p>
<p><span><span></span>distro = Centos-5-4</span></p>
<p><span><span></span>version = 0.7.2</span></p>
<p><span><span></span>sorule_path = /usr/local/lib/snort_dynamicrules/</span></p>
<p><span><span></span>disablesid = /etc/snort/disablesid.conf</span></p>
<p><span><span></span>dropsid = /etc/snort/dropsid.conf</span></p>
<p><span><span></span>local_rules = /etc/snort/rules/local.rules</span></p>
<p><span>MISC (CLI and Autovar) Variable Debug:</span></p>
<p><span><span></span>arch Def is: x86-64</span></p>
<p><span><span></span>Operating System is: linux</span></p>
<p><span><span></span>CA Certificate File is: OS Default</span></p>
<p><span><span></span>Config Path is: /etc/snort/pulledpork.conf</span></p>
<p><span><span></span>Distro Def is: Centos-5-4</span></p>
<p><span><span></span>security policy specified</span></p>
<p><span><span></span>local.rules path is: /etc/snort/rules/local.rules</span></p>
<p><span><span></span>Rules file is: /etc/snort/rules/snort.rules</span></p>
<p><span><span></span>Path to disablesid file: /etc/snort/disablesid.conf</span></p>
<p><span><span></span>Path to dropsid file: /etc/snort/dropsid.conf</span></p>
<p><span><span></span>Path to enablesid file: /etc/snort/enablesid.conf</span></p>
<p><span><span></span>Path to modifysid file: /etc/snort/modifysid.conf</span></p>
<p><span><span></span>sid changes will be logged to: /var/log/sid_changes.log</span></p>
<p><span><span></span>sid-msg.map Output Path is: /etc/snort/sid-msg.map</span></p>
<p><span><span></span>Snort Version is: 2.9.8.0</span></p>
<p><span><span></span>Snort Config File: /etc/snort/snort.conf</span></p>
<p><span><span></span>Snort Path is: /usr/local/bin/snort</span></p>
<p><span><span></span>SO Output Path is: /usr/local/lib/snort_dynamicrules/</span></p>
<p><span><span></span>Will process SO rules</span></p>
<p><span><span></span>Logging Flag is Set</span></p>
<p><span><span></span>Extra Verbose Flag is Set</span></p>
<p><span><span></span>Verbose Flag is Set</span></p>
<p><span><span></span>File(s) to ignore = deleted.rules,experimental.rules,local.rules</span></p>
<p><span><span></span>Base URL is: <a href="https://www.snort.org/rules/%7Csnortrules-snapshot.tar.gz%7Cb26b2f91e7f8ac8a3bf091999b07f9a458e39048" target="_blank">
https://www.snort.org/rules/|snortrules-snapshot.tar.gz|b26b2f91e7f8ac8a3bf091999b07f9a458e39048</a>
<a href="https://snort.org/downloads/community/%7Ccommunity-rules.tar.gz%7CCommunity" target="_blank">
https://snort.org/downloads/community/|community-rules.tar.gz|Community</a> <a href="http://talosintel.com/feeds/ip-filter.blf%7CIPBLACKLIST%7Copen" target="_blank">
http://talosintel.com/feeds/ip-filter.blf|IPBLACKLIST|open</a> <a href="https://www.snort.org/rules/%7Copensource.gz%7Cb26b2f91e7f8ac8a3bf091999b07f9a458e39048" target="_blank">
https://www.snort.org/rules/|opensource.gz|b26b2f91e7f8ac8a3bf091999b07f9a458e39048</a></span></p>
<p><span>Checking latest MD5 for snortrules-snapshot-2980.tar.gz....</span></p>
<p><span><span></span>Fetching md5sum for: snortrules-snapshot-2980.tar.gz.md5</span></p>
<p><span>** GET <a href="https://www.snort.org/reg-rules/snortrules-snapshot-2980.tar.gz.md5/b26b2f91e7f8ac8a3bf091999b07f9a458e39048" target="_blank">
https://www.snort.org/reg-rules/snortrules-snapshot-2980.tar.gz.md5/b26b2f91e7f8ac8a3bf091999b07f9a458e39048</a> ==> SSL_connect:before/connect initialization</span></p>
<p><span>SSL_connect:SSLv2/v3 write client hello A</span></p>
<p><span>SSL_connect:SSLv3 read server hello A</span></p>
<p><span>SSL_connect:SSLv3 read server certificate A</span></p>
<p><span>SSL_connect:SSLv3 read server key exchange A</span></p>
<p><span>SSL_connect:SSLv3 read server done A</span></p>
<p><span>SSL_connect:SSLv3 write client key exchange A</span></p>
<p><span>SSL_connect:SSLv3 write change cipher spec A</span></p>
<p><span>SSL_connect:SSLv3 write finished A</span></p>
<p><span>SSL_connect:SSLv3 flush data</span></p>
<p><span>SSL_connect:SSLv3 read server session ticket A</span></p>
<p><span>SSL_connect:SSLv3 read finished A</span></p>
<p><span>422 Unprocessable Entity (1s)</span></p>
<p><span><span></span>Error 422 when fetching <a href="https://www.snort.org/rules/snortrules-snapshot-2980.tar.gz.md5" target="_blank">
https://www.snort.org/rules/snortrules-snapshot-2980.tar.gz.md5</a> at /usr/local/bin/<a href="http://pulledpork.pl/" target="_blank">pulledpork.pl</a> line 516</span></p>
<p><span><span></span>main::md5file('b26b2f91e7f8ac8a3bf091999b07f9a458e39048', 'snortrules-snapshot-2980.tar.gz', '/tmp/', '<a href="https://www.snort.org/rules/" target="_blank">https://www.snort.org/rules/</a>') called at /usr/local/bin/<a href="http://pulledpork.pl/" target="_blank">pulledpork.pl</a>
 line 1937</span></p>
<p><span>[root@...17370... ~]# </span></p>
<p><br>
</p>
<p>I looked at the snort archive, and it was an issue before. Any idea how to fix it?</p>
<p>Thanks,</p>
<p>Rafael</p>
</div>
</div>
Snort-users mailing list<br>
<a>Snort-users@lists.sourceforge.net</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
Snort-users list archive:<br>
<a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a><br>
<br>
Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!</div>
</blockquote>
</div>
<br>
</div>
</div>

</blockquote>
</blockquote></div>
</div></div></blockquote></div><br></div>
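<p>The failure in this thread comes from pulledpork deriving the rules file name from the version of the installed Snort binary (2.9.8.0 gives snortrules-snapshot-2980.tar.gz) before that ruleset was published. The added example below is not from the thread or from pulledpork's code; it reproduces that mapping and picks the newest published ruleset that is not newer than the binary. The banner text and the list of published versions are constructed sample input, and the function names are hypothetical.</p>

```shell
#!/bin/sh
# Constructed sample of a `snort -V` banner (not captured from the thread).
SAMPLE_BANNER='   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.0 GRE (Build 229)
   ""     By Martin Roesch & The Snort Team'

# Read banner text on stdin, print the dotted version (e.g. 2.9.8.0).
snort_version_from_banner() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Dotted version -> rules file name as it appears in the thread's log.
snapshot_name() {
    printf 'snortrules-snapshot-%s.tar.gz\n' "$(printf '%s' "$1" | tr -d '.')"
}

# Field-wise numeric sort, so 2.9.10.0 orders after 2.9.9.0.
vsort() { sort -t. -k1,1n -k2,2n -k3,3n -k4,4n; }

# $1 = installed version; remaining args = versions with a published ruleset.
# Prints the newest published version that is not newer than the binary;
# returns 1 when none qualifies.
pick_ruleset_version() {
    installed=$1; shift
    best=''
    for cand in "$@"; do
        low=$(printf '%s\n%s\n' "$cand" "$installed" | vsort | head -n 1)
        [ "$low" = "$cand" ] || continue      # candidate is newer than the binary
        if [ -z "$best" ]; then
            best=$cand
        else
            best=$(printf '%s\n%s\n' "$cand" "$best" | vsort | tail -n 1)
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Published list is a constructed sample; only 2976 is named in the thread.
ver=$(printf '%s\n' "$SAMPLE_BANNER" | snort_version_from_banner)
echo "binary reports $ver, pulledpork would request $(snapshot_name "$ver")"
if use=$(pick_ruleset_version "$ver" 2.9.7.5 2.9.7.6); then
    echo "newest published ruleset for this binary: $(snapshot_name "$use")"
else
    echo "no published ruleset is old enough for $ver"
fi
```

<p>Running a check like this before an update separates "the ruleset for this Snort version is not published yet" from a real download or authentication failure.</p>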