Based on the error message, your SO box is getting "Connection timed
out" when trying to access
https://rules.emergingthreatspro.com/open/snort-2.9.2/emerging.rules.tar.gz.md5.
I can access that URL just fine from here. Are you able to access
this URL from your workstation?
Thanks,
Doug
On Tue, Jul 24, 2012 at 6:44 AM, Fusspils <fuss...@gmail.com> wrote:
> On Tuesday, July 24, 2012 8:30:24 AM UTC, Fusspils wrote:
>> Hi all,
>>
>> When I perform 'the in place upgrade' for some reason it always seems to break the nice descriptions in the "Event Message" column in Sguil. I reinstalled SO a few times from the latest ISO and it always works fine until I try the update.
>>
>> I suspected pulled pork was causing me the issues so I tried to run that manually with the following command.
>>
>> /usr/local/bin/pulledpork_update.sh
>>
>> This resulted in -
>>
>> Error 500 when fetching emerging.rules.tar.gz at /usr/local/bin/pulledpork.pl line 352
>>
>> Any help to get this outstanding software setup updated?
>
>
>
> Thanks for the reply Doug,
>
> Internet access yes - Proxy no. Here is the output that you asked for..
>
> root@onion-desktop:/home/onion# sudo pulledpork.pl -vv -c /etc/pulledpork/pulledpork.conf
>
> http://code.google.com/p/pulledpork/
> _____ ____
> `----,\ )
> `--==\\ / PulledPork v0.5.0 The Drowning Rat
> `--==\\/
> .-~~~~-.Y|\\_ Copyright (C) 2009-2010 JJ Cummings
> @_/ / 66\_ cumm...@gmail.com
> | \ \ _(")
> \ /-| ||'--' Rules give me wings!
> \_\ \_\\
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Config File Variable Debug /etc/pulledpork/pulledpork.conf
> snort_path = /usr/local/bin/snort
> enablesid = /etc/pulledpork/enablesid.conf
> modifysid = /etc/pulledpork/modifysid.conf
> rule_path = /etc/nsm/rules/downloaded.rules
> ignore = deleted,experimental,local,emerging-botcc-BLOCK,emerging-compromised-BLOCK,emerging-drop-BLOCK,emerging-dshield-BLOCK,emerging-rbn-BLOCK,emerging-rbn-malvertisers-BLOCK,emerging-tor-BLOCK
> rule_url = ARRAY(0x9860c00)
> sid_changelog = /var/log/sid_changes.log
> sid_msg = /etc/snort/sid-msg.map
> config_path = /etc/snort/snort.conf
> sostub_path = /etc/nsm/rules/so_rules.rules
> temp_path = /tmp
> distro = Ubuntu-10-4
> version = 0.5.0
> sorule_path = /usr/local/lib/snort_dynamicrules/
> disablesid = /etc/pulledpork/disablesid.conf
> dropsid = /etc/pulledpork/dropsid.conf
> local_rules = /etc/nsm/rules/local.rules,/etc/nsm/rules/decoder-events.rules,/etc/nsm/rules/stream-events.rules,/etc/nsm/rules/http-events.rules,/etc/nsm/rules/smtp-events.rules
> MISC (CLI and Autovar) Variable Debug:
> Config Path is: /etc/pulledpork/pulledpork.conf
> Base URL is: https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
> Rules file is: /etc/nsm/rules/downloaded.rules
> local.rules path is: /etc/nsm/rules/local.rules,/etc/nsm/rules/decoder-events.rules,/etc/nsm/rules/stream-events.rules,/etc/nsm/rules/http-events.rules,/etc/nsm/rules/smtp-events.rules
> SO Output Path is: /usr/local/lib/snort_dynamicrules/
> SO Stub File is: /etc/nsm/rules/so_rules.rules
> sid-msg.map Output Path is: /etc/snort/sid-msg.map
> sid changes will be logged to: /var/log/sid_changes.log
> Disabled policy specified
> Snort Version is: 2.9.2.0
> Snort Path is: /usr/local/bin/snort
> Snort Config File: /etc/snort/snort.conf
> Path to disablesid file: /etc/pulledpork/disablesid.conf
> Path to dropsid file: /etc/pulledpork/dropsid.conf
> Path to enablesid file: /etc/pulledpork/enablesid.conf
> Path to modifysid file: /etc/pulledpork/modifysid.conf
> Distro Def is: Ubuntu-10-4
> arch Def is: i386
> Verbose Flag is Set
> Extra Verbose Flag is Set
> Checking latest MD5 for emerging.rules.tar.gz....
> Fetching md5sum for: emerging.rules.tar.gz.md5
> ** GET https://rules.emergingthreatspro.com/open/snort-2.9.2/emerging.rules.tar.gz.md5 ==> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server key exchange A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:SSLv3 read finished A
> 200 OK (7s)
> most recent rules file digest: 04dabeca4e2e4bbfae4d65f5434f7e5c
> Rules tarball download of emerging.rules.tar.gz....
> Fetching rules file: emerging.rules.tar.gz
> ** GET https://rules.emergingthreatspro.com/open/snort-2.9.2/emerging.rules.tar.gz ==> 500 Connect failed: connect: Connection timed out; Connection timed out (21s)
> Error 500 when fetching emerging.rules.tar.gz at /usr/local/bin/pulledpork.pl line 352
> main::rulefetch('open', 'emerging.rules.tar.gz', '/tmp/', 'https://rules.emergingthreatspro.com/open/snort-2.9.2/') called at /usr/local/bin/pulledpork.pl line 1488
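
An added example, not part of the original thread or of PulledPork itself: a small parser that pairs each `** GET` request in `pulledpork.pl -vv` output with its final status, so a failed rule fetch stands out from the SSL debug lines. The function names and the trimmed sample log are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the -vv output quoted in this thread.
SAMPLE_LOG = """\
> Fetching md5sum for: emerging.rules.tar.gz.md5
> ** GET https://rules.emergingthreatspro.com/open/snort-2.9.2/emerging.rules.tar.gz.md5 ==> SSL_connect:before/connect initialization
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read finished A
> 200 OK (7s)
> Fetching rules file: emerging.rules.tar.gz
> ** GET https://rules.emergingthreatspro.com/open/snort-2.9.2/emerging.rules.tar.gz ==> 500 Connect failed: connect: Connection timed out; Connection timed out (21s)
"""

GET_RE = re.compile(r"^\*\* GET (\S+) ==> (.*)$")
# Final status line, e.g. "200 OK (7s)" or "500 Connect failed: ... (21s)".
STATUS_RE = re.compile(r"^(\d{3}) (.*?) \((\d+)s\)$")


def parse_fetches(log_text):
    """Return one dict per GET: url, status, reason, seconds."""
    results, pending_url = [], None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()  # drop e-mail quote markers
        get = GET_RE.match(line)
        if get:
            # The status may follow on the same line or after SSL debug lines.
            pending_url, line = get.group(1), get.group(2)
        if pending_url is None:
            continue
        status = STATUS_RE.match(line)
        if status:
            results.append({"url": pending_url,
                            "status": int(status.group(1)),
                            "reason": status.group(2),
                            "seconds": int(status.group(3))})
            pending_url = None
    return results


def failed_fetches(log_text):
    """GETs that ended in a 4xx/5xx. A '500 Connect failed' is generated
    locally by the LWP client when the TCP connect fails, not by the server."""
    return [r for r in parse_fetches(log_text) if r["status"] >= 400]


if __name__ == "__main__":
    for r in parse_fetches(SAMPLE_LOG):
        print(r["status"], r["seconds"], "s", r["url"], "-", r["reason"])
```
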