Error 422 while running rule-update with a Suricata engine


Jon Mark Allen

Mar 16, 2017, 7:16:02 PM
to security-onion
All,

I'm getting an HTTP 422 error running rule-update, using an oinkcode and the Suricata engine.

Attached is the output from sostat-redacted, but the text error on rule-update is here for easy reference:

ubahmapk@so-server:~$ sudo rule-update
Thu Mar 16 23:10:59 UTC 2017
Backing up current local_rules.xml file.
Cleaning up local_rules.xml backup files older than 30 days.
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Backing up current local.rules file before it gets overwritten.
Cleaning up local.rules backup files older than 30 days.
ENGINE=suricata, so we'll execute PulledPork with -T -S suricata-3.2.1.
Running PulledPork.
Error 422 when fetching https://www.snort.org/rules/snortrules-snapshot-suricata-321.tar.gz.md5 at /usr/bin/pulledpork.pl line 534.
main::md5file('************************', 'snortrules-snapshot-suricata-321.tar.gz', '/tmp/', 'https://www.snort.org/rules/') called at /usr/bin/pulledpork.pl line 2006

Pulledpork.conf has

rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|<oinkcode>

It looks like Pulledpork is inserting the engine version in the URL which is causing the failure. What's more, the md5 between the parentheses above is my oinkcode (which I've redacted). That seems...odd??

Is there an option in Pulledpork I'm missing?

Thanks for any help you can provide.

JM

redacted.txt

Wes

Mar 18, 2017, 9:09:51 AM
to security-onion

John Mark,

Try re-generating your oinkcode and trying rule-update again.

Thanks,
Wes

Jon Mark Allen

Mar 20, 2017, 8:15:36 PM
to security-onion
On Saturday, March 18, 2017 at 8:09:51 AM UTC-5, Wes wrote:
>
> John Mark,
>
> Try re-generating your oinkcode and trying rule-update again.
>
> Thanks,
> Wes

Wes,

I re-generated the oinkcode and still get the following error when running rule-update:

ENGINE=suricata, so we'll execute PulledPork with -T -S suricata-3.2.1.
Running PulledPork.
Error 422 when fetching https://www.snort.org/rules/snortrules-snapshot-suricata-321.tar.gz.md5 at /usr/bin/pulledpork.pl line 534.

main::md5file('1182c57484ffddab000f336a1ba532733c853bcf', 'snortrules-snapshot-suricata-321.tar.gz', '/tmp/', 'https://www.snort.org/rules/') called at /usr/bin/pulledpork.pl line 2006

Thanks.

JM

Doug Burks

Mar 21, 2017, 6:24:49 AM
to securit...@googlegroups.com
Hi John Mark,

If you haven't already, please ensure that you're running the latest
updates by running "sudo soup".

Then try updating your /etc/nsm/pulledpork/pulledpork.conf, changing
the Snort rule_url from:
https://www.snort.org/rules
to:
https://www.snort.org/reg-rules

Then try running "sudo rule-update" again.

Here's the relevant code snippet from /usr/sbin/rule-update:

# Suricata options
if [ "$ENGINE" = "suricata" ]; then
    # Always use -T option for Suricata:
    # -T Process text based rules files only, i.e. DO NOT process so_rules
    PULLEDPORK_OPTIONS_SURI="-T"
    # If running an ET ruleset and NO snort.org ruleset, then we can specify -S suricata-x.y.z
    if grep "^rule_url=https://rules.emergingthreats" /etc/nsm/pulledpork/pulledpork.conf >/dev/null 2>&1; then
        if ! grep "^rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz" /etc/nsm/pulledpork/pulledpork.conf >/dev/null 2>&1; then
            SURI_VER=`suricata -V | awk '{print $5}'`
            PULLEDPORK_OPTIONS_SURI="$PULLEDPORK_OPTIONS_SURI -S suricata-$SURI_VER"
        fi
    fi
    echo "ENGINE=suricata, so we'll execute PulledPork with $PULLEDPORK_OPTIONS_SURI."
    PULLEDPORK_OPTIONS="$PULLEDPORK_OPTIONS $PULLEDPORK_OPTIONS_SURI"
fi
--
Doug Burks
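An added pre-flight check (example code, not Security Onion's rule-update itself) that applies the same grep logic to a pulledpork.conf and reports whether rule-update would append -S, which is what made PulledPork request the versioned snortrules-snapshot-suricata-321 file. The sample configs, the zeroed placeholder oinkcode and the ET URL are constructed.

```shell
#!/bin/sh
# Added example, not Security Onion's rule-update: pre-flight check for
# pulledpork.conf mirroring the grep logic quoted above. Sample data is constructed.

# Reproduce rule-update's option selection for ENGINE=suricata.
# $1 = pulledpork.conf path, $2 = Suricata version (e.g. 3.2.1), passed in
# so the check runs without suricata installed.
suri_pulledpork_opts() {
    conf="$1"; suri_ver="$2"
    opts="-T"   # text rules only: Suricata cannot load so_rules
    if grep -q '^rule_url=https://rules.emergingthreats' "$conf"; then
        if ! grep -q '^rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz' "$conf"; then
            # No reg-rules snort.org entry, so -S is added and PulledPork
            # then requests snortrules-snapshot-suricata-<ver>.tar.gz
            opts="$opts -S suricata-$suri_ver"
        fi
    fi
    printf '%s\n' "$opts"
}

# Classify the snort.org entry: "legacy" is the /rules/ form that, combined
# with -S, produced the 422 in this thread; "reg-rules" is the fixed form.
check_snort_url() {
    conf="$1"
    if grep -q '^rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz' "$conf"; then
        echo "legacy"
    elif grep -q '^rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz' "$conf"; then
        echo "reg-rules"
    else
        echo "none"
    fi
}

# Constructed sample configs: the failing layout from the thread and the fix.
tmpdir=$(mktemp -d)
cat > "$tmpdir/bad.conf" <<'EOF'
rule_url=https://rules.emergingthreats.net/open/suricata/|emerging.rules.tar.gz|open
rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|0000000000000000000000000000000000000000
EOF
cat > "$tmpdir/good.conf" <<'EOF'
rule_url=https://rules.emergingthreats.net/open/suricata/|emerging.rules.tar.gz|open
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|0000000000000000000000000000000000000000
EOF

for f in bad good; do
    echo "$f.conf: snort.org url=$(check_snort_url "$tmpdir/$f.conf"), options=$(suri_pulledpork_opts "$tmpdir/$f.conf" 3.2.1)"
done
```

Run it against /etc/nsm/pulledpork/pulledpork.conf and the version from `suricata -V` to see whether -S would be appended before invoking rule-update.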

Jon Mark Allen

Mar 21, 2017, 10:05:50 AM
to security-onion
Doug,

Thank you! :-)

I was fully up to date but changing the URI to reg-rules did
the trick.

Somehow, I missed that directory path in the documentation. Should
a note about this URI path be added to the FAQ for switching between
the Snort and Suricata engines?

Thanks so much for all your help! :-)

--
Jon Mark

/* If you haven't found something strange during the day, it hasn't
been much of a day.
-- John A. Wheeler */

On Tuesday, March 21, 2017 at 5:24:49 AM UTC-5, Doug Burks wrote:
> Hi John Mark,
>
> If you haven't already, please ensure that you're running the
> latest updates by running "sudo soup".
>
> Then try updating your /etc/nsm/pulledpork/pulledpork.conf,
> changing the Snort rule_url from:
>
> https://www.snort.org/rules
>
> to:
>
> https://www.snort.org/reg-rules
>
> Then try running "sudo rule-update" again.
>
> Here's the relevant code snippet from /usr/sbin/rule-update:
>

[trim]

Doug Burks

Mar 22, 2017, 5:52:13 AM
to securit...@googlegroups.com
Hi Jon Mark,

Our current securityonion-pulledpork package puts a template
pulledpork.conf in /etc/nsm/templates/pulledpork/pulledpork.conf which
should already be set to reg-rules:
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>

So new installations should just work.

On your box, did you manually add the www.snort.org line to your
/etc/nsm/pulledpork/pulledpork.conf? Or did you use the existing
www.snort.org line and just set the oinkcode?

Another wrinkle in this case is that most users who choose the
Suricata engine choose to use the Emerging Threats ruleset since the
Snort Shared Object rules won't load in Suricata anyway.

Jon Mark Allen

Mar 22, 2017, 11:58:32 AM
to security-onion
Doug,

I'm afraid it's been long enough ago that I don't remember how that
line came to be as it was.

I do run the ET open rules as well, but I can understand that my
case was a bit of a one-off.

Thanks again for all your help.

--
JM

/* If you haven't found something strange during the day, it hasn't
been much of a day.
-- John A. Wheeler */
