chrisdevette / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0
0 stars 0 forks source link

HTTPS ET open rules download error #97

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. install PulledPork.0.6.1
2. Use EmergingThreats open ruleset
3. Run PulledPork

What is the expected output? What do you see instead?

Expected output is : 

[...]
Fly Piggy Fly!

Instead, I can see : 

Checking latest MD5 for emerging.rules.tar.gz....
        Error 501 when fetching https://rules.emergingthreats.net/open/snort-2.9.1/emerging.rules.tar.gz.md5 at /sbin/pulledpork.pl line 453
        main::md5file('open', 'emerging.rules.tar.gz', '/tmp/', 'https://rules.emergingthreats.net/open/snort-2.9.1/') called at /sbin/pulledpork.pl line 1758

What version of the product are you using? On what operating system?

PulledPork v0.6.1 the Smoking Pig, freshly installed and configured.

Please provide any additional information below.

It looks like https connection fails on certificate check : 

wget 
https://rules.emergingthreats.net/open/snort-2.9.1/emerging.rules.tar.gz.md5
--2011-10-18 07:56:36--  
https://rules.emergingthreats.net/open/snort-2.9.1/emerging.rules.tar.gz.md5
Resolving rules.emergingthreats.net... 69.195.137.28, 216.40.222.19
Connecting to rules.emergingthreats.net|69.195.137.28|:443... connected.
ERROR: certificate common name `rules.emergingthreatspro.com' doesn't match 
requested host name `rules.emergingthreats.net'.
To connect to rules.emergingthreats.net insecurely, use 
`--no-check-certificate'.

Changing rule_url to http:// solved the problem.

Original issue reported on code.google.com by pee...@gmail.com on 18 Oct 2011 at 7:32

GoogleCodeExporter commented 9 years ago
Change of secure URL to "https://rules.emergingthreatspro.com/"  does not help :

 Checking latest MD5 for emerging.rules.tar.gz....
Use of uninitialized value in numeric eq (==) at /sbin/pulledpork.pl line 444.
Use of uninitialized value in numeric eq (==) at /sbin/pulledpork.pl line 444.
Use of uninitialized value in concatenation (.) or string at 
/sbin/pulledpork.pl line 453.
        Error  when fetching https://rules.emergingthreatspro.com/emerging.rules.tar.gz.md5 at /sbin/pulledpork.pl line 453
        main::md5file('open', 'emerging.rules.tar.gz', '/tmp/', 'https://rules.emergingthreatspro.com/') called at /sbin/pulledpork.pl line 1758

Original comment by pee...@gmail.com on 18 Oct 2011 at 7:37

GoogleCodeExporter commented 9 years ago
how can get emerging rule?please help

Original comment by mohamad....@gmail.com on 12 Nov 2011 at 1:05

GoogleCodeExporter commented 9 years ago
I'll look when back from vacation... I know that others are making it work 
though.

Original comment by Cummin...@gmail.com on 17 Nov 2011 at 3:24

GoogleCodeExporter commented 9 years ago
Closing this, I am unable to reproduce....

Checking latest MD5 for emerging.rules.tar.gz....
    Fetching md5sum for: emerging.rules.tar.gz.md5
** GET 
http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz.md5 ==> 
200 OK
    most recent rules file digest: 63687b9f2911f077948d9f08658aabbe
Rules tarball download of emerging.rules.tar.gz....
    Fetching rules file: emerging.rules.tar.gz
** GET http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz 
==> 200 OK (2s)
    storing file at: /tmp/emerging.rules.tar.gz

    current local rules file  digest: 63687b9f2911f077948d9f08658aabbe
    The MD5 for emerging.rules.tar.gz matched 63687b9f2911f077948d9f08658aabbe
    so I'm not gonna download the rules file again suckas!
Prepping rules from emerging.rules.tar.gz for work....
    extracting contents of /tmp/emerging.rules.tar.gz...

Original comment by Cummin...@gmail.com on 23 Jan 2012 at 4:30

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago

I am getting the following error using pulledpork-0.6.1:

Checking latest MD5 for snortrules-snapshot-2921.tar.gz....
        Error 501 when fetching http://www.snort.org/sub-rules/snortrules-snapshot-2921.tar.gz.md5 at /usr/local/pulledpork-0.6.1/pulledpork.pl line 453
        main::md5file('<displays oikncode here>', 'snortrules-snapshot-2921.tar.gz', '/tmp/', 'http://www.snort.org/sub-rules/') called at /usr/local/pulledpork-0.6.1/pulledpork.pl line 1758
[root@copier etc]# 

Can't seem to get past this one. My pulledpork.conf file contains this:

rule_url=http://www.snort.org/sub-rules/|snortrules-snapshot-2921.tar.gz|<with 
oinkcode here>

Please advise.

Original comment by S6H...@gmail.com on 23 Feb 2012 at 10:20

GoogleCodeExporter commented 9 years ago
You should hit the mail lists with this for the fastest response... 
http://groups.google.com/group/pulledpork-users

I would also remove my oinkcode from the output

Original comment by Cummin...@gmail.com on 23 Feb 2012 at 10:29

GoogleCodeExporter commented 9 years ago
Has this been resolved? 

I don't think you were able to reproduce it because your conf file specifies 
http instead of https (this is no longer default).

I reverted it in the mean time but was hoping the OP found a solution.

Original comment by kb1...@gmail.com on 7 Aug 2012 at 4:02

GoogleCodeExporter commented 9 years ago
Having same issue. Host rules.emergingthreats.net indeed has certificate with 
CN rules.emergingtreathspro.com. Here is output from openssl:

root@fw1:~# openssl s_client -connect rules.emergingthreats.net:443
CONNECTED(00000003)

depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/O=rules.emergingthreatspro.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=rules.emergingthreatspro.com
   i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
 1 s:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---

Original comment by putinas....@ruduo.net on 3 Oct 2012 at 12:51

GoogleCodeExporter commented 9 years ago
It works with the line:

rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|40799297387265
72

in the /etc/snort/pulledpork.conf.

root@debian:/# pulledpork.pl -c /etc/snort/pulledpork.conf -T -l

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\

Checking latest MD5 for emerging.rules.tar.gz.... They Match Done! Prepping rules from emerging.rules.tar.gz for work.... Done! Checking latest MD5 for emerging.rules.tar.gz.... They Match Done! Prepping rules from emerging.rules.tar.gz for work.... Done! Reading rules... Reading rules... Processing /etc/snort/enablesid.conf.... Modified 0 rules Done Processing /etc/snort/disablesid.conf.... Modified 0 rules Done Modifying Sids.... Done! Setting Flowbit State.... Enabled 10 flowbits Done Writing /etc/snort/rules/snort.rules.... Done Generating sid-msg.map.... Done Writing /etc/snort/sid-msg.map.... Done Writing /var/log/sid_changes.log.... Done Rule Stats.... New:-------0 Deleted:---0 Enabled Rules:----13078 Dropped Rules:----0 Disabled Rules:---2925 Total Rules:------16003 Done Please review /var/log/sid_changes.log for additional details Fly Piggy Fly!


Original comment by `ping.loc...@gmail.com` on 11 Oct 2012 at 11:00
GoogleCodeExporter commented 9 years ago
Found the cause of the problem: 

1. ET's certificate does not match it's domain name (snort does).
2. If you install LWP:UserAgent and related https module with native centos 
module(yum perl-libwww-perl) it will use an old version which does not check 
hostname.
3. If you install LWP:UserAgent and related https module from cpan, it will 
install some later version which by default will check hostname. This causes 
the problem with ET when snort.org works just fine.
4. Adding "export PERL_LWP_SSL_VERIFY_HOSTNAME=0" before executing pp solves 
the problem. 

Original comment by liyong2...@gmail.com on 25 Oct 2012 at 5:34