Issue with OinkCode and Snort rule updates


Scott P

Jul 15, 2016, 2:31:36 PM
to security-onion
During SO setup it asks for Oinkcode to append to the snort URL to get updates.
https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|myOinkCode

This is failing when connecting to snort, showing the OinkCode itself as "command not found"...

grep rule_url /etc/nsm/pulledpork/pulledpork.conf
# You can specify one or as many rule_urls as you like, they
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|MYOINKCODE
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
#rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open-nogpl
#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<et oinkcode>

---------------------------------------------------------------------------
running sudo rule-update

sudo rule-update
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
Error 500 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2982.tar.gz.md5 at /usr/bin/pulledpork.pl line 463.
main::md5file('MYOINKCODE', 'snortrules-snapshot-2982.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /usr/bin/pulledpork.pl line 1885
http://code.google.com/p/pulledpork/
-----------------------------------------------------------------------------

/usr/bin$ sudo pulledpork.pl -c /etc/nsm/pulledpork/pulledpork.conf -vvv


Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|MYOINKCODE
https://snort.org/downloads/community/|community-rules.tar.gz|Community https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open-nogpl
Checking latest MD5 for snortrules-snapshot-2982.tar.gz....
Fetching md5sum for: snortrules-snapshot-2982.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2982.tar.gz.md5/MYOINKCODE ==> 500 Can't connect to www.snort.org:443 (timeout) (60s)
Error 500 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2982.tar.gz.md5 at /usr/bin/pulledpork.pl line 463.
main::md5file('MYOINKCODE', 'snortrules-snapshot-2982.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /usr/bin/pulledpork.pl line 1885
/usr/bin$ sudo rule-update
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
Running PulledPork.
Error 500 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2982.tar.gz.md5 at /usr/bin/pulledpork.pl line 463.
main::md5file('MYOINKCODE', 'snortrules-snapshot-2982.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /usr/bin/pulledpork.pl line 1885
http://code.google.com/p/pulledpork/

Scott P

Jul 15, 2016, 2:34:19 PM
to security-onion
And...
:/usr/bin$ wget https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|MYOINKCODE
--2016-07-15 16:42:59-- https://www.snort.org/reg-rules/
Resolving www.snort.org (www.snort.org)... 104.16.63.75, 104.16.64.75, 104.16.65.75, ...
Connecting to www.snort.org (www.snort.org)|104.16.63.75|:443... MYOINKCODE: command not found
snortrules-snapshot.tar.gz: command not found
failed: Connection timed out.
Connecting to www.snort.org (www.snort.org)|104.16.64.75|:443... failed: Connection timed out.
Connecting to www.snort.org (www.snort.org)|104.16.65.75|:443... failed: Connection timed out.
Connecting to www.snort.org (www.snort.org)|104.16.62.75|:443... failed: Connection timed out.
Connecting to www.snort.org (www.snort.org)|104.16.66.75|:443... failed: Connection timed out.
Connecting to www.snort.org (www.snort.org)|2400:cb00:2048:1::6810:3f4b|:443... failed: Network is unreachable.
Connecting to www.snort.org (www.snort.org)|2400:cb00:2048:1::6810:404b|:443... failed: Network is unreachable.
Connecting to www.snort.org (www.snort.org)|2400:cb00:2048:1::6810:414b|:443... failed: Network is unreachable.
Connecting to www.snort.org (www.snort.org)|2400:cb00:2048:1::6810:3e4b|:443... failed: Network is unreachable.
Connecting to www.snort.org (www.snort.org)|2400:cb00:2048:1::6810:424b|:443... failed: Network is unreachable.
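The two posts above show two separate things: the pulledpork rule_url format (base URL, tarball name and oinkcode joined by `|`, and the md5 URL that pulledpork builds from them), and what happens when that same string is typed unquoted into a shell, where each `|` starts a new pipeline stage. The following is an added example, not pulledpork's or Security Onion's code: it parses rule_url lines from a constructed copy of the conf quoted above, rebuilds the snort.org md5 URL in the shape the log shows, masks the oinkcode before it is printed (an oinkcode is a per-account credential and should not be pasted into a support thread), and tokenizes the wget line the way a POSIX shell would. `MYOINKCODE` is the placeholder from the thread, and the md5 URL layout is taken only from the reg-rules log line on the page (other feeds lay out their URLs differently).

```python
"""Added example: parse pulledpork rule_url entries, build the snort.org reg-rules
md5 URL the way the thread's log shows it, and show why an unquoted rule_url breaks
in a shell. Not pulledpork's or Security Onion's code."""
import shlex

# Constructed sample modelled on the pulledpork.conf lines quoted in the thread.
# MYOINKCODE is a placeholder, not a real oinkcode.
SAMPLE_CONF = """\
# You can specify one or as many rule_urls as you like, they
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|MYOINKCODE
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open-nogpl
"""


def parse_rule_urls(conf_text):
    """Return (base_url, tarball, oinkcode) for every active rule_url line.

    Commented-out lines are skipped, and one rule_url line may hold several
    comma-separated entries, as the conf's own comment shows.
    """
    entries = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("rule_url="):
            continue
        for entry in line[len("rule_url="):].split(","):
            parts = entry.strip().split("|")
            if len(parts) != 3:
                raise ValueError(f"malformed rule_url entry: {entry!r}")
            entries.append(tuple(parts))
    return entries


def snortrules_md5_url(base_url, tarball, oinkcode, snort_version="2982"):
    """Build the md5 URL for the snort.org reg-rules feed in the shape the thread's
    pulledpork log shows: <base><tarball with version>.md5/<oinkcode>.
    Only the layout seen on the page is modelled; other feeds differ."""
    stem, ext = tarball.split(".", 1)          # "snortrules-snapshot", "tar.gz"
    return f"{base_url}{stem}-{snort_version}.{ext}.md5/{oinkcode}"


def redact_oinkcode(text, oinkcode):
    """Mask the oinkcode before a URL or log line goes into a ticket or a post;
    the oinkcode is the credential for the account's rule feed."""
    return text.replace(oinkcode, "<oinkcode redacted>")


def shell_pipeline_segments(command_line):
    """Tokenize a command line the way a POSIX shell does and split it on
    unquoted '|'. Each returned segment is a command the shell would try to run,
    which is why 'MYOINKCODE: command not found' appears in the thread."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.wordchars += ":"                     # keep "https://..." as one word
    segments, current = [], []
    for token in lexer:
        if token == "|":
            segments.append(current)
            current = []
        else:
            current.append(token)
    segments.append(current)
    return segments


if __name__ == "__main__":
    for base, tarball, code in parse_rule_urls(SAMPLE_CONF):
        if "snort.org/reg-rules" in base:
            print(redact_oinkcode(snortrules_md5_url(base, tarball, code), code))
    unquoted = "wget https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|MYOINKCODE"
    quoted = 'wget "https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|MYOINKCODE"'
    print(shell_pipeline_segments(unquoted))   # wget gets only the base URL; two bogus commands follow
    print(shell_pipeline_segments(quoted))     # one command, the whole string as its argument
```

The unquoted line splits into three stages, which is exactly what the wget transcript shows: wget is handed only `https://www.snort.org/reg-rules/`, and the tarball name and the oinkcode are each run as commands. Quoting the argument keeps it as one word, but note that the `|`-separated form is pulledpork's config syntax, not a URL, so wget would still not fetch anything useful from it; the timeouts in the same transcript are a connectivity problem independent of the quoting.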

Wes Lambert

Jul 16, 2016, 11:20:27 AM
to securit...@googlegroups.com

Scott,

Are you behind a proxy?  If so, have you seen the following?

https://github.com/Security-Onion-Solutions/security-onion/wiki/Proxy

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Scott P

Jul 18, 2016, 7:28:19 AM
to security-onion
Not behind a proxy.

Wes Lambert

Jul 18, 2016, 7:31:58 AM
to securit...@googlegroups.com

Have you tried regenerating a new oinkcode and using it?

Thanks,
Wes

On Jul 18, 2016 7:28 AM, "Scott P" <55s...@gmail.com> wrote:
Not behind a proxy.

Scott P

Jul 18, 2016, 7:44:57 AM
to security-onion
Will try that now - Do I need to make the change anywhere besides pulledpork.conf?

Could the issue be that the system is trying to go out over eth1 (monitoring port) instead of eth0? Eth0 is the only one connected to the internet. Do you know how to make sure eth0 is used for all routing?

Looking at
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.2.40 0.0.0.0 UG 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

# loopback network interface
auto lo
iface lo inet loopback

# Management network interface
auto eth0
iface eth0 inet static
address 192.168.2.17
gateway 192.168.2.40
netmask 255.255.255.0
dns-nameservers 192.168.2.13
dns-domain mydomain.com

auto eth1
#iface eth1 inet manual
# up ip link set $IFACE promisc on arp off up
# down ip link set $IFACE promisc off down
iface eth1 inet static
address 192.168.2.12
netmask 255.255.255.0
post-up ethtool -G $IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

Wes

Jul 18, 2016, 8:10:57 AM
to security-onion

Making the change in pulledpork.conf and running rule-update should be all that is needed.

You may want to look into the following in regard to the potential interface conflict:

http://askubuntu.com/questions/472733/set-specific-interface-for-internet-access

Thanks,
Wes

dan (ddp)

Jul 18, 2016, 8:23:03 AM
to securit...@googlegroups.com
Is there a reason you've set an IP address on the sniffing interface?
For most operations you shouldn't need one.
Also setting it to the same subnet as eth0 could be an issue as well.
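The routing table Scott posted shows the problem dan is pointing at: `192.168.2.0/24` appears twice with the same metric, once on eth0 and once on eth1, and the default gateway `192.168.2.40` sits inside that duplicated subnet, so the host has two candidate interfaces for reaching it. The script below is an added example, not Security Onion code: it parses a constructed copy of that `route -n` output, lists subnets that are routed over more than one interface, and checks whether the default gateway lies in one of them. Its egress lookup is a simplified longest-prefix match (assumption: lowest metric wins, and among exact ties the first route listed is taken, which only approximates the kernel's choice). The usual fix is the one the thread converges on: give the sniffing interface no address at all, in the shape of the commented-out `iface eth1 inet manual` stanza already in Scott's post and the NetworkConfiguration wiki page linked later in the thread.

```python
"""Added example: read the `route -n` table quoted in the thread and flag subnets
routed over more than one interface. Not Security Onion code. The egress model is a
simplified longest-prefix match (assumption: among exact ties the first listed route
wins, which only approximates what the kernel does)."""
import ipaddress

# Constructed copy of the `route -n` output quoted in the thread.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.2.40    0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
"""


def parse_route_n(text):
    """Turn `route -n` output into a list of route dicts (IPv4 only)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue                      # title line, column header, blank lines
        dest, gateway, genmask, flags, metric, _ref, _use, iface = fields
        routes.append({
            "net": ipaddress.IPv4Network((dest, genmask)),  # 0.0.0.0/0.0.0.0 is the default route
            "gateway": gateway,
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def duplicate_subnet_routes(routes):
    """Map each network that has same-metric routes on more than one interface to
    those interfaces. The kernel picks one of them for traffic to that subnet, and
    it need not be the management NIC."""
    seen = {}
    for r in routes:
        seen.setdefault((r["net"], r["metric"]), []).append(r["iface"])
    return {str(net): ifaces for (net, _m), ifaces in seen.items() if len(ifaces) > 1}


def egress_interface(routes, dst):
    """Pick the interface for dst: longest prefix first, then lowest metric,
    then the first route listed (assumption, see module docstring)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    matches.sort(key=lambda r: (-r["net"].prefixlen, r["metric"]))  # stable sort keeps listing order
    return matches[0]["iface"]


def gateway_on_ambiguous_subnet(routes):
    """True when the default route's gateway sits in a subnet routed over several
    interfaces: reaching the internet then depends on which NIC the host uses to
    talk to the gateway."""
    dups = duplicate_subnet_routes(routes)
    for r in routes:
        if r["net"].prefixlen == 0 and "G" in r["flags"]:
            gw = ipaddress.IPv4Address(r["gateway"])
            return any(gw in ipaddress.IPv4Network(n) for n in dups)
    return False


if __name__ == "__main__":
    routes = parse_route_n(ROUTE_N_OUTPUT)
    print("duplicated subnets:", duplicate_subnet_routes(routes))
    print("egress for 104.16.63.75 (www.snort.org):", egress_interface(routes, "104.16.63.75"))
    print("default gateway on an ambiguous subnet:", gateway_on_ambiguous_subnet(routes))
```

Run against the table in the thread it reports `192.168.2.0/24` on both eth0 and eth1 and flags the default gateway as ambiguous. The same check can be run on a live box by feeding it the real `route -n` output; a sensor whose sniffing interface has no IP address produces no duplicate entry and the check stays quiet.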

Scott P

Jul 18, 2016, 8:25:16 AM
to security-onion
Happy to remove static

Do you know what the settings for the NIC should look like?


Scott P

Jul 18, 2016, 8:26:02 AM
to security-onion
I did make the change in the .conf file.

Still getting:

Running PulledPork.
Error 500 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2982.tar.gz.md5 at /usr/bin/pulledpork.pl line 463.

main::md5file('MYNEWOINKCODE', 'snortrules-snapshot-2982.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /usr/bin/pulledpork.pl line 1885
http://code.google.com/p/pulledpork/

Wes

Jul 18, 2016, 8:27:45 AM
to security-onion
On Monday, July 18, 2016 at 8:25:16 AM UTC-4, Scott P wrote:
> Happy to remove static
>
> Do you know what the settings for the NIC should look like?

Scott,

You may want to consult the following for the sniffing interface:

https://github.com/Security-Onion-Solutions/security-onion/wiki/NetworkConfiguration

I was under the assumption you were using the IP on the second interface for some other purpose--apologies.

Thanks,
Wes

Scott P

Jul 18, 2016, 9:29:18 AM
to security-onion
I reconfigured as per the link above. Thanks for posting it.

I then re-ran the setup on SO entering in the OINKCODE

I ran rules-update and it looks like it is working.

Thanks for your help!
