
[Snort-users] PulledPork error 422 when fetching ruleset


Chris Odd

Nov 16, 2015, 3:53:58 PM
Hi, I received the notice from Joel a few weeks ago indicating that I was attempting to download an outdated Snort ruleset (2.9.7.0).

I had a look at my config today; when I run PulledPork, here’s the result (I’ve manually replaced my oinkcode with <oinkcode>):

Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 482.
main::md5file('<oinkcode>', 'snortrules-snapshot-2970.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /usr/local/bin/pulledpork.pl line 1875

However, my pulledpork config does not reference that rules tarball, here’s how my rules are defined in pulledpork.conf:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open-nogpl

Which matches what it should be, according to https://www.snort.org/oinkcodes


Any ideas on what I should be changing?

Thanks



Joel Esler (jesler)

Nov 16, 2015, 4:01:58 PM
The version of Snort needs to be updated. PulledPork figures out what version of Snort you have installed, and then pulls the corresponding ruleset.

--
Joel Esler
Manager, Talos Group
Sent from my iPad
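To make the mechanism Joel describes concrete, here is an added illustration (not PulledPork's own code) of how the snapshot name in pulledpork.conf is turned into a version-specific .md5 URL, and how the HTTP statuses seen in this thread are read. It assumes the registered snapshot is the only tarball that gets the version digits appended and that other rule_url entries are fetched verbatim, which is a simplification of what PulledPork does; the fetch stand-in and its canned statuses are constructed from the outputs quoted in the thread.

```python
import re
# Constructed mapping of the HTTP statuses seen in this thread to their cause.
DIAGNOSIS = {
    200: "ok",
    404: "tarball name or base URL does not exist; check the rule_url line",
    422: "snort.org no longer serves rules for this Snort version (EoL); upgrade Snort",
}

def parse_rule_url(line):
    """Split a pulledpork.conf rule_url line: url|tarball|oinkcode (ValueError if malformed)."""
    key, _, value = line.strip().partition("=")
    if key.strip() != "rule_url":
        raise ValueError("not a rule_url line: %r" % line)
    base, tarball, oinkcode = (p.strip() for p in value.split("|"))
    return {"base": base.rstrip("/") + "/", "tarball": tarball, "oinkcode": oinkcode}

def versioned_tarball(tarball, snort_version):
    """Only the registered snapshot gets the version: 2.9.7.0 -> snortrules-snapshot-2970.tar.gz."""
    if tarball != "snortrules-snapshot.tar.gz":
        return tarball
    if not re.fullmatch(r"\d+(\.\d+)+", snort_version):
        raise ValueError("bad Snort version: %r" % snort_version)
    return "snortrules-snapshot-%s.tar.gz" % snort_version.replace(".", "")

def md5_url(entry, snort_version):
    """The first URL PulledPork checks: the .md5 file beside the tarball."""
    return entry["base"] + versioned_tarball(entry["tarball"], snort_version) + ".md5"

def diagnose(status):
    return DIAGNOSIS.get(status, "unexpected HTTP status %d" % status)

def check_config(conf_text, snort_version, fetch):
    """fetch(url) -> HTTP status. Returns one (url, status, diagnosis) per rule_url line."""
    results = []
    for line in conf_text.splitlines():
        if line.strip().startswith("rule_url="):
            url = md5_url(parse_rule_url(line), snort_version)
            status = fetch(url)
            results.append((url, status, diagnose(status)))
    return results

# Constructed stand-in for the server, replaying the statuses reported in the thread.
CANNED = {
    "https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5": 422,
    "https://www.snort.org/reg-rules/snortrules-snapshot-2976.tar.gz.md5": 200,
    "https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz.md5": 404,
}

def canned_fetch(url):
    return CANNED.get(url, 200)
```

Running check_config over the conf lines quoted above with "2.9.7.0" reproduces the 422 on snortrules-snapshot-2970.tar.gz.md5, and with "2.9.7.6" the same line resolves to a served snapshot.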

Orion Christopher

Nov 16, 2015, 9:02:06 PM
I'm getting a similar error with PulledPork, error 404.  I recently updated to the new version of snort, so decided to build from scratch following the directions on the snort site.

Made these changes to pulledpork.conf:
Line 19 & 26: enter your oinkcode
Line 27 & 30: leave alone (un-commented) to use the Emerging Threats rule set

Line 72: change to: rule_path=/etc/snort/rules/snort.rules
Line 87: change to: local_rules=/etc/snort/rules/local.rules
Line 90: change to: sid_msg=/etc/snort/sid-msg.map
Line 117: change to: config_path=/etc/snort/snort.conf

Line 131: change to: distro=Ubuntu-10-4

Line 139: change to: black_list=/etc/snort/rules/iplists/default.blacklist
Line 148: change to: IPRVersion=/etc/snort/rules/iplists

Line 194: Uncomment and change to: enablesid=/etc/snort/enablesid.conf
Line 195: Uncomment and change to: dropsid=/etc/snort/dropsid.conf
Line 196: Uncomment and change to: disablesid=/etc/snort/disablesid.conf
Line 197: Uncomment and change to: modifysid=/etc/snort/modifysid.conf

Here is the error:

Checking latest MD5 for snortrules-snapshot-2976.tar.gz....
They Match
Done!
Checking latest MD5 for community-rules.tar.gz....
A 404 error occurred, please verify your filenames and urls for your tarball!
main::md5file('Community', 'community-rules.tar.gz', '/tmp/', 'https://s3.amazonaws.com/snort-org/www/rules/community/') called at /usr/local/bin/pulledpork.pl line 1847

wkit...@windstream.net

Nov 17, 2015, 12:11:24 AM
On 11/16/2015 03:22 PM, Chris Odd wrote:
> Any ideas on what I should be changing?

yeah, you need to update your snort to a supported version that is newer than
that 2.9.7.0 you are running... you could go back to 2.9.6.2 or up to 2.9.7.5 or
2.9.7.6...

check the EoL page for more information...

https://www.snort.org/eol

note that 2.9.7.5 will EoL 2015 Dec 29th...

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless
private contact is specifically requested and granted.


wkit...@windstream.net

Nov 17, 2015, 12:18:51 AM
On 11/16/2015 08:59 PM, Orion Christopher wrote:
> I'm getting a similar error with PulledPork, error 404.

yes, it is a similar error but it is not the same... in your case, you are
trying to pull the community rules from a non-existent place... this exact
problem was covered on 2015 Oct 29 in a topic on this list as well as being
covered in a blog posting by joel...

http://blog.snort.org/2015/10/are-you-getting-404-errors-attempting.html