shirkdog / pulledpork

Pulled Pork for Snort and Suricata rule management (from Google code)
GNU General Public License v2.0

Snort 2.9.11 issue with latest pp #282

Closed DigiAngel closed 6 years ago

DigiAngel commented 6 years ago

I always seem to have issues when I upgrade snort; this is no different. PP can't see the new snortrules-snapshot-29110.tar.gz correctly:

 /opt/bin/pulledpork.pl -v -l -c /opt/etc/snort/pulledpork/pulledpork.conf

    https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.3 - Making signature updates great again!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2016 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\

Config File Variable Debug /opt/etc/snort/pulledpork/pulledpork.conf
        config_path = /opt/etc/snort/snort.conf
        sid_msg = /opt/etc/snort/sid-msg.map
        rule_url = ARRAY(0x19a2690)
        sid_msg_version = 1
        rule_path = /opt/etc/snort/rules/snort.rules
        local_rules = /opt/etc/snort/rules/local.rules,/opt/etc/snort/rules/suspect_networks.rules
        version = 0.7.3
        temp_path = /tmp
        disablesid = /opt/etc/snort/pulledpork/disablesid.conf
        IPRVersion = /opt/etc/snort/rules/iplists
        ignore = deleted.rules,experimental.rules,emerging-tor.rules
        snort_path = /opt/bin/snort
        black_list = /opt/etc/snort/rules/iplists/default.blacklist
        sorule_path = /opt/lib/snort_dynamicrules/
        distro = Ubuntu-12-04
        out_path = /opt/etc/snort/rules
        sid_changelog = /var/log/sid_changes.log
MISC (CLI and Autovar) Variable Debug:
        arch Def is: x86-64
        Operating System is: linux
        CA Certificate File is: OS Default
        Config Path is: /opt/etc/snort/pulledpork/pulledpork.conf
        Distro Def is: Ubuntu-12-04
        Disabled policy specified
        local.rules path is: /opt/etc/snort/rules/local.rules,/opt/etc/snort/rules/suspect_networks.rules
        Rules file is: /opt/etc/snort/rules/snort.rules
        Path to disablesid file: /opt/etc/snort/pulledpork/disablesid.conf
        sid changes will be logged to: /var/log/sid_changes.log
        sid-msg.map Output Path is: /opt/etc/snort/sid-msg.map
        Snort Version is: 2.9.1.0
        Snort Config File: /opt/etc/snort/snort.conf
        Snort Path is: /opt/bin/snort
        SO Output Path is: /opt/lib/snort_dynamicrules/
        Will process SO rules
        Logging Flag is Set
        Verbose Flag is Set
        File(s) to ignore = deleted.rules,experimental.rules,emerging-tor.rules
        Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<key> http://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl http://www.talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
Checking latest MD5 for snortrules-snapshot-2910.tar.gz....
        Fetching md5sum for: snortrules-snapshot-2910.tar.gz.md5
** GET https://www.snort.org/rules/snortrules-snapshot-2910.tar.gz.md5?oinkcode=<key> ==> 422 Unprocessable Entity (1s)
        Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2910.tar.gz.md5 at /opt/bin/pulledpork.pl line 546.
No such file or directory at /opt/bin/pulledpork.pl line 550.
readline() on closed filehandle FILE at /opt/bin/pulledpork.pl line 552.
Use of uninitialized value $md5 in scalar chomp at /opt/bin/pulledpork.pl line 553.
Use of uninitialized value $md5 in pattern match (m//) at /opt/bin/pulledpork.pl line 555.
        most recent rules file digest: w.snort.org
Rules tarball download of snortrules-snapshot-2910.tar.gz....
        Fetching rules file: snortrules-snapshot-2910.tar.gz
** GET https://www.snort.org/rules/snortrules-snapshot-2910.tar.gz?oinkcode=<key> ==> 422 Unprocessable Entity
        Error 422 when fetching snortrules-snapshot-2910.tar.gz at /opt/bin/pulledpork.pl line 486.
        main::rulefetch('<key>', 'snortrules-snapshot-2910.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /opt/bin/pulledpork.pl line 2031

From pp.conf:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<key>
rule_url=http://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl
rule_url=http://www.talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open

ignore=deleted.rules,experimental.rules,emerging-tor.rules
temp_path=/tmp
out_path=/opt/etc/snort/rules
rule_path=/opt/etc/snort/rules/snort.rules
local_rules=/opt/etc/snort/rules/local.rules,/opt/etc/snort/rules/suspect_networks.rules
sid_msg=/opt/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/sid_changes.log
sorule_path=/opt/lib/snort_dynamicrules/
snort_path=/opt/bin/snort
config_path=/opt/etc/snort/snort.conf
disablesid=/opt/etc/snort/pulledpork/disablesid.conf
black_list=/opt/etc/snort/rules/iplists/default.blacklist
IPRVersion=/opt/etc/snort/rules/iplists
distro=Ubuntu-12-04

version=0.7.3

snort version:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.11 GRE (Build 125)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

Thank you.

shirkdog commented 6 years ago

This is fixed in the master branch, and I will put out a patch for anyone running 0.7.2. I will have to push out 0.7.3 to fix the issue for all downstream packaging.

If someone could test a build of 2.9.9.0 to make sure it does not break current signature updates, please post it here and I will close out the issue.
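The log above shows the root of the failure: Snort reports `Version 2.9.11`, but PulledPork records `Snort Version is: 2.9.1.0` and therefore asks snort.org for `snortrules-snapshot-2910.tar.gz` (HTTP 422) instead of `snortrules-snapshot-29110.tar.gz`. The added Python example below is not pulledpork's code; it reproduces that symptom with a one-digit-per-component regex beside a parser that accepts multi-digit components, builds the snapshot filename from the parsed version, and also covers the regression shirkdog asks for (2.9.9.0 must still map to `2990`). The banner text is constructed from the `snort -V` output quoted in this issue, and the `valid_md5` check addresses the second symptom in the log, where the `.md5` fetch failed and the script went on with `w.snort.org` as the "digest".

```python
import re
from typing import Optional

# Constructed sample: the banner `snort -V` prints, as quoted in this issue.
SNORT_BANNER = """   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.11 GRE (Build 125)
   ''''    By Martin Roesch & The Snort Team
"""

# One digit per component: "2.9.11" is read as 2.9.1, the absent fourth
# component becomes 0, giving 2.9.1.0 and the tarball suffix "2910".
# This reproduces the symptom in the log; it is not pulledpork's actual code.
NAIVE_RE = re.compile(r"Version\s+(\d)\.(\d)\.(\d)(?:\.(\d))?")

# Components may have any number of digits; a missing fourth component is
# padded with 0 so "2.9.11" and "2.9.11.0" name the same snapshot tarball.
ROBUST_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner: str, pattern: re.Pattern = ROBUST_RE) -> str:
    """Return the four-component Snort version found in the banner text."""
    m = pattern.search(banner)
    if not m:
        raise ValueError("no Snort version line in banner")
    major, minor, patch, build = m.groups()
    return ".".join((major, minor, patch, build or "0"))


def snapshot_name(version: str) -> str:
    """Snapshot tarballs are named by concatenating the version digits."""
    return f"snortrules-snapshot-{version.replace('.', '')}.tar.gz"


def valid_md5(digest: Optional[str]) -> bool:
    """A digest file must hold exactly 32 hex characters; anything else
    (for example a fragment of an HTTP error page) means the fetch failed
    and the value must not be used to decide whether to download."""
    if digest is None:
        return False
    return re.fullmatch(r"[0-9a-fA-F]{32}", digest.strip()) is not None


if __name__ == "__main__":
    for label, pattern in (("naive", NAIVE_RE), ("robust", ROBUST_RE)):
        version = parse_version(SNORT_BANNER, pattern)
        print(f"{label:6s}: {version:9s} -> {snapshot_name(version)}")
    # Regression case from the maintainer's comment: 2.9.9.0 must still work.
    old = parse_version("Version 2.9.9.0 GRE (Build 56)")
    print(f"2.9.9.0 -> {snapshot_name(old)}")
    print("digest 'w.snort.org' accepted:", valid_md5("w.snort.org"))
```

The practical takeaway for anyone packaging the fix is the pair of checks at the end: after parsing, assert that the computed tarball name matches what the rule server actually publishes for the installed version, and refuse to proceed when the fetched `.md5` does not look like a digest rather than chomping whatever the error response contained.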

DigiAngel commented 6 years ago

Confirmed screenshot from 2017-10-13 05-54-30

DigiAngel commented 6 years ago

And thank you.