
[Snort-users] Extracting snortrules-2931.tar.gz


Akinwale Fasuru

Oct 9, 2012, 12:29:52 PM
Hello everyone,
I am still having problems extracting snortrules-2931.tar.gz

tar -xzvf snortrules-2931.tar.gz
> I get this error message
>
> zip: stdin: not in gzip format
>
> tar: Child returned status 1
>
> tar: Error is not recoverable: exiting now

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Jeremy Hoel

Oct 9, 2012, 12:46:26 PM
You never got back to me about the size of the file and if the file
was complete.

the error makes it sound like it's not a tar.gz file.

you need to verify you got the whole file and that it's not just a text error.

run 'file snortrules-2931.tar.gz' and see what it says.

Jeremy Hoel

Oct 9, 2012, 12:53:39 PM
to check the size of a file, go to the directory where the file is and
run 'ls -al'.

But since 'file' said it's text and not a tar.gz or zip file, then
that's the problem. Your download is not correct.

go ahead and run 'cat snortrules-2931.tar.gz'



On Tue, Oct 9, 2012 at 4:50 PM, Akinwale Fasuru <fashm...@yahoo.com> wrote:
> I replied the email you sent earlier saying that i didnt know how to check for the size of the file. But i did run the command u asked me here is the response
>
> snortrules-2931.tar.gz: ASCII text

Jeremy Hoel

Oct 9, 2012, 1:12:13 PM
The answer is in the text file that you sent back.

2012-10-04 14:07:24 ERROR 403: Forbidden.

so however you tried to get the file, it didn't work. If you used
wget and an oink code then you need to check the code.


On Tue, Oct 9, 2012 at 4:59 PM, Akinwale Fasuru <fashm...@yahoo.com> wrote:
> Here is what i gath after running cat....
>
> --2012-10-04 14:07:23-- http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/3b6de1b425e1a20c6f85e705f3631bc958ad11db
> Resolving www.snort.org... 23.23.170.170
> Connecting to www.snort.org|23.23.170.170|:80... connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 2012-10-04 14:07:24 ERROR 403: Forbidden.
>
>
> What do u think?

AllowOverride

Oct 9, 2012, 3:12:01 PM
jer,
i tried the preferred method displayed on oinkcode page.
it doesnt work for sub/reg unless you know to put 2931. also, other
methods of wget'ing the url according to docs are supposed to work but
do not, unless know the exact file name, and thats not always easy to
find on the ftp site, or by other methods.

just a heads up, that kept me off task for a few days trying to figure
it out.

suggestion... fix the examples on the oinkcode page.

Jeremy Hoel

Oct 9, 2012, 3:19:51 PM
The link he was using worked fine for me. I tested the get and got the
rules with no problem.. with the link he had. His problem is not
related to a bad link.

The examples show that you need a file name
(http://snort.org/snort-rules/cli) and when you go to the page before,
the main download page (http://snort.org/snort-rules/?), it shows the
file names. They are not trying to make this overly confusing and
hard.. but it does require some effort and understanding on the
installer's part. Or, you could sign in and grab them from the gui, or
use pulledpork. 3 different methods to get the rules..

The examples are generic enough that they don't have to change
whenever the rule file changes. Let's let the developers work on
keeping the software fixed and not worry about the web page not having
the most specific instructions.

AllowOverride

Oct 9, 2012, 3:51:48 PM
when i say something doesnt work, i mean, it doesnt work:

wget
http://www.snort.org/sub-rules/snortrules-snapshot-2900.tar.gz/hidden-sorry
--2012-10-09 12:44:42--
http://www.snort.org/sub-rules/snortrules-snapshot-2900.tar.gz/hidden-sorry
Resolving www.snort.org... 23.23.170.170
Connecting to www.snort.org|23.23.170.170|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2012-10-09 12:44:42 ERROR 403: Forbidden.

wget
http://www.snort.org/reg-rules/snortrules-snapshot-2900.tar.gz/sorry-hidden
--2012-10-09 12:45:54--
http://www.snort.org/reg-rules/snortrules-snapshot-2900.tar.gz/sorry-hidden
Resolving www.snort.org... 23.23.143.143
Connecting to www.snort.org|23.23.143.143|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2012-10-09 12:45:56 ERROR 403: Forbidden.

and just for good measure

wget
http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/sorry-hidden
--2012-10-09 12:47:03--
http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/hidden-again
Resolving www.snort.org... 23.23.170.170
Connecting to www.snort.org|23.23.170.170|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2012-10-09 12:47:04 ERROR 403: Forbidden.


now. the last one shouldn't work, because im not a registered user
the sub rules works if you know what you are doing...

If you include 2931 in place of 2900 it will work, only if you are in the
system for oinkcode. BUT, that is not what is autopopulated for you on
the oinkcode page. it says, 2900. it wont work.

all i am saying fix is, change it to reflect the CURRENT version. thats
all. not everyone will catch it, and ya know, end up asking the question
here.

let's let the developers put the current version as well. takes what, 2
seconds and saves users HOURS of wtf.. headaches...

thanks

Jeremy Hoel

Oct 9, 2012, 4:02:51 PM
The page shows:

wget http://www.snort.org/sub-rules/<filename>/<oinkcode here> \
-O <output-filename>


It's pretty clear. put the proper, correct, current filename where it
says filename and things work. They shouldn't have to hold hands and
walk through the whole thing.

When you try and use examples you have to expect and realize that the
example might be out of date and maybe try and figure out what it
might take to make it work.

AllowOverride

Oct 9, 2012, 4:16:15 PM
we dont know the file name!!! sheshh

Jeremy Hoel

Oct 9, 2012, 4:17:57 PM
And like i said in the email before you responded, you can find the
file name right from the website.. when you click download rules.
http://snort.org/snort-rules/?

Snort v2.9
MD5 - 09 Oct, 2012
snortrules-snapshot-2931.tar.gz
MD5 - 09 Oct, 2012
snortrules-snapshot-2912.tar.gz
MD5 - 09 Oct, 2012
snortrules-snapshot-2923.tar.gz
MD5 - 09 Oct, 2012
snortrules-snapshot-2930.tar.gz



It's right there.. you just have to look at the page. Reading is fundamental.

Peter Bates

Oct 9, 2012, 4:28:02 PM
Hello all

On 09/10/2012 21:02, Jeremy Hoel wrote:
> When you try and use examples you have to expect and realize that
> the example might be out of date and maybe try and figure out what
> it might take to make it work.

I can see both sides of the argument here - I do side with encouraging
people to solve their own problems but in the case of

http://snort.org/snort-rules/cli

there's no real reason for it reflecting out of date information
or for not offering a better example of how to construct 'filename'

A wider issue is that if the Snort source tarball contained some
example rules (or a sample local.rules and then commented out all the
others included by default) it might be easier for the beginner.

But then of course, there's Pulledpork and SecurityOnion,
and if IT was easy then I'd be out of a job.

- --
Peter Bates
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT

Akinwale Fasuru

Oct 9, 2012, 4:40:25 PM
I appreciate your effort guys, y'all are helping a brother here so lets take it cool. I am very new to linux thats why.
I will try your opinion Jeremy and let you know wat zup

Wale
Joel Esler

Oct 9, 2012, 5:11:31 PM
On Oct 9, 2012, at 4:28 PM, Peter Bates <peter...@ucl.ac.uk> wrote:

> I can see both sides of the argument here - I do side with encouraging
> people to solve their own problems but in the case of
>
> http://snort.org/snort-rules/cli
>
> there's no real reason for it reflecting out of date information
> or for not offering a better example of how to construct 'filename'

Corrected.

Jeremy Hoel

Oct 9, 2012, 5:14:31 PM
Your command is fine. as long as it's on one long line. whats the
output once you enter
'wget http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<your
oink code> -O snortrules-2931.tar.gz'

what does it show?

if it shows:

wget http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<your
oink code> -O snortrules-2931.tar.gz
--2012-10-09 21:08:57--
http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<your
oink code>
Resolving www.snort.org... 23.23.170.170
Connecting to www.snort.org|23.23.170.170|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2012-10-09 21:08:58 ERROR 403: Forbidden.

then that's the problem. It's forbidden due to a timeout on the oink
code.. it can only be used once in 15 minutes. You might try getting
a new one and not sharing it on the list since someone else could be
using it.. or you could have another process trying to use it on your
same box.


it should show something like..

wget http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<my
code removed> -O snortrules-2931.tar.gz
--2012-10-09 21:11:00--
http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<my
code removed>
Resolving www.snort.org... 23.23.170.170
Connecting to www.snort.org|23.23.170.170|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://s3.amazonaws.com/snort-org/www/rules/20120906/snortrules-snapshot-2931.tar.gz?AWSAccessKeyId=AKIAJJSHU7YNPLE5MKOQ&Expires=1349817361&Signature=85H8TzuDRSBsHob9%2BLbqYFdPgAk%3D
[following]
--2012-10-09 21:11:01--
http://s3.amazonaws.com/snort-org/www/rules/20120906/snortrules-snapshot-2931.tar.gz?AWSAccessKeyId=AKIAJJSHU7YNPLE5MKOQ&Expires=1349817361&Signature=85H8TzuDRSBsHob9%2BLbqYFdPgAk%3D
Resolving s3.amazonaws.com... 72.21.203.148
Connecting to s3.amazonaws.com|72.21.203.148|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22471221 (21M) [binary/octet-stream]
Saving to: “snortrules-2931.tar.gz”

19% [==========================>                ] 4,369,969 187K/s eta 1m 50s


And finish up at 21 Megs.. then the tar command should work.
2012-10-09 21:13:53 (144 KB/s) - “snortrules-2931.tar.gz” saved
[22471221/22471221]

then you run the tar command.




On Tue, Oct 9, 2012 at 9:05 PM, Akinwale Fasuru <fashm...@yahoo.com> wrote:
> Hey Jeremy,
> Here is the command i used;
>
> wget
> http://www.snort.org/sub-rules/snortrules-snapshot-
> 2931.tar.gz/3b6de1b425e1a20c6f85e705f3631bc958ad11db -O snortrules-2931.tar.gz
>
> Then i issued this command:
>
> tar xzvf snortrules-2931.tar.gz
>
> Then it came up with this again:
>
> gzip: stdin: not in gzip format
> tar: Child returned status 1
> tar: Error is not recoverable: exiting now
>
> And my internet connection is fine.
>
> Pls what do u think?

AllowOverride

Oct 9, 2012, 8:41:52 PM
i am referring to this page:

https://www.snort.org/account/oinkcode

its NOT right there for you, it says 2900.
i see what you are talking about, but others surely wont...

the process is, you read the config, you substitute what is displayed on
that link. it wont work, UNLESS you know the file name, by clicking
a diff page on snort.org. sorry, but i didn't see that page until much
later, the one you referred to. so when someone updates the page, i
figure, in case someone takes the same path i do, and copies the link as
is, with their oinkcode attached, which logically you would do at first
glance, as you are using it for pulledpork.conf. this discussion is the
result.

i figure if they update the page you found first time, with 2931, so
that we can cut paste it, to use with pp.pl, then there will be no
problems. thats all, nothing more,

Joel Esler

Oct 9, 2012, 8:56:11 PM
I'll get this fixed.

Sent from my iPhone

AllowOverride

Oct 9, 2012, 9:01:06 PM
good points. duly noted. thanks pete


AllowOverride

Oct 9, 2012, 9:06:16 PM
joel, i am referring to this verbiage:

Downloading with your Oinkcode
Important Note

In June 2010 we stopped offering rules in the
"snortrules-snapshot-CURRENT" format. Instead, rules are released for
specific versions of Snort. You will be responsible for downloading the
correct rules release for your version of Snort. The new versioning
mechanism will require a four digit version in the file name.

Subscriber Release

http://www.snort.org/sub-rules/<filename>/<oinkcode here>

e.g. http://www.snort.org/sub-rules/snortrules-snapshot-2900.tar.gz/hidden


Registered User Release

http://www.snort.org/reg-rules/<filename>/<oinkcode here>

e.g. http://www.snort.org/reg-rules/snortrules-snapshot-2900.tar.gz/hidden




On Tue, 2012-10-09 at 17:11 -0400, Joel Esler wrote:
> On Oct 9, 2012, at 4:28 PM, Peter Bates <peter...@ucl.ac.uk> wrote:
>
> > I can see both sides of the argument here - I do side with
> > encouraging
> > people to solve their own problems but in the case of
> >
> > http://snort.org/snort-rules/cli
> >
> > there's no real reason for it reflecting out of date information
> > or for not offering a better example of how to construct 'filename'
>
> Corrected.

AllowOverride

Oct 9, 2012, 9:17:46 PM
thanks joel, i know i could have looked around more, but i figure
consistency across the site should be mentioned. thanks
Joel Esler

Oct 9, 2012, 10:25:29 PM
You are right. Right now, when we change the "current version" on Snort.org, I have to go through and manually change about 20 pages. (Slight exaggeration, but not much of one)

We're going to do something way more efficient in the future of Snort.org to make sure things like this don't happen anymore.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

Joel Esler

Oct 10, 2012, 9:44:55 AM
This has been fixed.

AllowOverride

Oct 10, 2012, 11:42:14 AM
if it was fixed, then why did i complain more?

Joel Esler

Oct 10, 2012, 11:50:24 AM
I don't know. Do you see somewhere where it says 2900?

AllowOverride

Oct 10, 2012, 11:55:01 AM
yes joel i do. that is what i have been saying... i pasted the link, but
im not going to be a dick and make you look like a fool for not reading
my emails, like some assholes are doing on here....

here is the link again. I sign in, click the oinkcode link, it's right
there. im just trying to save someone else a hassle or have to ask the
list again, for which they will be called a moron for even asking,,,

see my point.... that's the other point.

thanks

https://www.snort.org/

then:

https://www.snort.org/account/oinkcode

Joel Esler

Oct 10, 2012, 11:58:12 AM
On Oct 10, 2012, at 11:55 AM, AllowOverride <allowo...@gmail.com> wrote:

> yes joel i do. that is what i have been saying... i pasted the link, but
> im not going to be a dick and make you look like a fool for not reading
> my emails, like some assholes are doing on here….

Everyone has a right to their opinion. Even if it's wrong.

> here is the link again. I sign in, click the oinkcode link, it's right
> there. im just trying to save someone else a hassle or have to ask the
> list again, for which they will be called a moron for even asking,,,

For the record, I don't think we've ever called anyone a moron.

> see my point.... that's the other point.
>
> thanks
>
> https://www.snort.org/
>
> then:
>
> https://www.snort.org/account/oinkcode
>

That page says 2931 for me. Did you refresh? Can you log out, log back in?

Gregory W. MacPherson

Oct 9, 2012, 12:50:32 PM
This suggests that your compressed rules file is corrupt. I recommend
you verify the md5 checksum. You probably need to repeat the file
transfer to get the intact rules file.

-- Greg

On or about 2012.10.09 09:29:52 +0000, Akinwale Fasuru (fashm...@yahoo.com) said:

> Hello everyone,
> I am still having problems extracting snortrules-2931.tar.gz
>
> tar -xzvf snortrules-2931.tar.gz
> > I get this error message
> >
> > zip: stdin: not in gzip format
> >
> > tar: Child returned status 1
> >
> > tar: Error is not recoverable: exiting now

--
Gregory W. MacPherson, CISSP, Security+, ITIL, Etc.
Founder, IT Security Expert, Global Network Security Exploitation Specialist
http://www.constellationsecurity.com/greg/
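
The checks suggested in this thread (what kind of file was actually saved, whether it holds wget's 403 output, and the MD5 comparison), gathered into one script as an added example that is not part of the original thread. The function names and the sample files are constructed for illustration; the expected MD5 is assumed to be the value published beside the file on the download page.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print what a downloaded file really is: gzip, wget-log, html, empty, unknown.
classify_download() {
    [ -s "$1" ] || { echo empty; return 0; }
    # Every gzip stream starts with the two bytes 1f 8b (RFC 1952).
    magic=$(od -An -tx1 -N 2 "$1" | tr -d ' \n')
    if [ "$magic" = 1f8b ]; then
        echo gzip
    elif grep -q -E 'HTTP request sent, awaiting response|ERROR [0-9]+:' "$1"; then
        # wget's transcript is in the file. "wget -o FILE" writes the log
        # there; "wget -O FILE" writes the downloaded document.
        echo wget-log
    elif grep -q -i -E '<html|<!doctype' "$1"; then
        echo html
    else
        echo unknown
    fi
}

# MD5 of a file as lowercase hex (md5sum on Linux, md5 on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_rules_archive FILE [EXPECTED_MD5]
# Returns 0 = safe to extract, 1 = not gzip, 2 = corrupt/truncated, 3 = MD5 mismatch.
verify_rules_archive() {
    kind=$(classify_download "$1")
    if [ "$kind" != gzip ]; then
        echo "$1: not a gzip archive (looks like: $kind)" >&2
        if [ "$kind" = wget-log ]; then
            grep -E 'ERROR [0-9]+:' "$1" >&2 || true   # surface the HTTP error
        fi
        return 1
    fi
    if ! gzip -t "$1" 2>/dev/null || ! tar -tzf "$1" >/dev/null 2>&1; then
        echo "$1: gzip data is truncated or corrupt, download again" >&2
        return 2
    fi
    if [ -n "${2:-}" ] && [ "$(md5_of "$1")" != "$2" ]; then
        echo "$1: MD5 does not match the published value" >&2
        return 3
    fi
    return 0
}

# Build constructed sample files in directory $1.
make_samples() {
    # The kind of text the poster's "tarball" held (oinkcode replaced).
    cat > "$1/bad.tar.gz" <<'EOF'
--2012-10-04 14:07:23--  http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<oinkcode>
Resolving www.snort.org... 23.23.170.170
Connecting to www.snort.org|23.23.170.170|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2012-10-04 14:07:24 ERROR 403: Forbidden.
EOF
    # A tiny valid archive, and the same archive cut off after 40 bytes.
    mkdir -p "$1/rules"
    echo '# constructed placeholder' > "$1/rules/local.rules"
    tar -czf "$1/good.tar.gz" -C "$1" rules
    head -c 40 "$1/good.tar.gz" > "$1/short.tar.gz"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for name in bad short good; do
    if verify_rules_archive "$tmp/$name.tar.gz"; then
        echo "$name.tar.gz: ok, run tar -xzf"
    fi
done
rm -rf "$tmp"
```

Running the check before `tar` turns "not in gzip format" into the underlying cause, here the 403 line that was saved in place of the archive.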

AllowOverride

Oct 10, 2012, 12:12:38 PM
no you joel,,, you are cool with me. however, i cant say that about a
few users on here. id rather they blast me privately than the whole
group. anyfoo... thanks for your help as always. :)

waldo kitty

Oct 10, 2012, 3:28:09 PM
On 10/9/2012 15:19, Jeremy Hoel wrote:
> The link he was using worked fine for me. I tested the get and got the
> rules with no problem.. with the link he had. His problem is not
> related to a bad link.
>
> The examples show that you need a file name
> (http://snort.org/snort-rules/cli) and when you go to the page before,
> the main download page (http://snort.org/snort-rules/?), it shows the
> file names. They are not trying to make this overly confusing and
> hard.. but it does require some effort and understanding on the
> installer's part. Or, you could sign in and grab them from the gui, or
> use pulledpork. 3 different methods to get the rules..

or even oinkmaster with the properly styled older format which still works quite
well... oinkmaster, too, works quite if you only want a download and rules
updating tool without all the extras that pulledpork offers ;)

> The examples are generic enough that they don't have to change
> whenever the rule file changes. Let's let the developers work on
> keeping the software fixed and not worry about the web page not having
> the most specific instructions.

agreed :)

waldo kitty

Oct 10, 2012, 3:57:21 PM
On 10/9/2012 16:02, Jeremy Hoel wrote:
> The page shows:
>
> wget http://www.snort.org/sub-rules/<filename>/<oinkcode here> \
> -O<output-filename>
>
>
> It's pretty clear. put the proper, correct, current filename where it
> says filename and things work. They shouldn't have to hold hands and
> walk through the whole thing.
>
> When you try and use examples you have to expect and realize that the
> example might be out of date and maybe try and figure out what it
> might take to make it work.

not to mention that the file name is /NOT/ the same for all the currently
supported versions of snort (!!) ;)

waldo kitty

Oct 10, 2012, 4:09:43 PM
On 10/9/2012 20:41, AllowOverride wrote:
[...]
> i figure if they update the page you found first time, with 2931, so
> that we can cut paste it, to use with pp.pl, then there will be no
> problems. thats all, nothing more,

the problem is that not everyone is running 2.9.3.1... there are at least four
versions of snort that are supported with currently updated rules files...

waldo kitty

Oct 10, 2012, 4:36:15 PM
On 10/10/2012 11:55, AllowOverride wrote:
> here is the link again. I sign in, click the oinkcode link, it's right
> there.

ok... i've just done this and your instructions are not making any sense...

> https://www.snort.org/

right... i'm here...

then i sign in and i'm redirected back to the above https://www.snort.org/
link... where's the "oinkcode link" on that page?

[time passes]

ahhh!! you're talking about the "Get an Oinkcode" link /at the bottom of the
page/ (!!) in the black box...

> https://www.snort.org/account/oinkcode

yup... that page is showing 2931 in all the examples i see there now...

FWIW: you may be unknowingly using a web proxy if your ISP or their feed have
one silently in place to help with their traffic management... they're known as
a transparent proxy... it is possible that that proxy isn't updating and so you
may be seeing an old cached page...

Michael Steele

Oct 10, 2012, 5:03:08 PM
You need to be logged into the site...

Kindest regards,
Michael...

WINSNORT.com Management Team Member
--
****************** Established ~ 2001 *******************
* Visit Us @ http://www.winsnort.com *
* ~~ FREE WinIDS Snort installation guides ~~ *
* ~~ FREE support forums ~~ *
* Snort: Open Source Network IDS - http://www.snort.org *
*********************************************************


AllowOverride

Oct 10, 2012, 5:59:33 PM
cached? not for 2 weeks, that should have updated in a day i would
fathom. isp is charter. this isnt netzero! lol
