shirkdog / pulledpork

Pulled Pork for Snort and Suricata rule management (from Google code)
GNU General Public License v2.0

Problem downloading rules #300

Closed Cyclohexane2 closed 6 years ago

Cyclohexane2 commented 6 years ago

Hi,

My first time using pulledpork. Version is 0.7.3 (with Snort 2.9.11). I am unable to download the relevant rules file because it is attempting to get https://www.snort.org/reg-rules/snortrules-snapshot-2910.tar.gz/ - which doesn't exist when I try in my browser. However, adding a 1 to the snapshot version so the url is https://www.snort.org/reg-rules/snortrules-snapshot-29110.tar.gz/ - does work in my browser, so presumably would in pulledpork. How can I fix this please?

shirkdog commented 6 years ago

Can you post your "rule_url" line from your pulledpork.conf? MAKE SURE TO REMOVE YOUR OINKCODE.

The default it should be: rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>

Also, are you running the 0.7.3 release, or some older git clone? There was a bug with Snort 2.9.11.0 that required you to use the latest master branch. The current master branch is now at 0.7.4.

Cyclohexane2 commented 6 years ago

Thank you for your help.

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|

I'm new to github too, but the file I downloaded a few weeks ago is called pulledpork-master, so I guess I had the master branch? pulledpork -V only tells me it's 0.7.3 though.

I've just discovered the -S switch and adding "-S 2.9.11.0" causes it to generate a valid url, but it's still failing "500 Can't connect to www.snort.org:443 (SSL connect attempt failed with unknown errorerror:00000000:lib(0):func(0):reason(0)) A 500 error occurred, please verify that you have recently updated your root certificates!" This is on a RHEL server which is being regularly updated in general, though I don't (yet) know where or how to specifically check the root certificate situation.

Cyclohexane2 commented 6 years ago

I've just noticed it's removing it because I used angled brackets, but my oinkcode does follow at the end of those urls.

shirkdog commented 6 years ago

Yes, you need to use either "-S" or set "snort_version" in pulledpork.conf if your snort binary cannot be discovered; that is normally how the right rules file is downloaded.

You need to verify if you can connect to snort.org first with the host system (and see if there are any issues with proxies etc).
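As an added example, not code from this thread or from pulledpork itself, the Python below does what the two replies above describe: it splits a rule_url line into base|filename|oinkcode, inserts the snapshot version that -S or snort_version supplies (2.9.11.0 with the dots dropped gives 29110, the URL that works), rejects a three-component version that would produce the wrong filename, and redacts the oinkcode before the URL is logged or pasted into an issue. The sample rule_url line and oinkcode are constructed, and appending the oinkcode as the final path segment is an assumption.

```python
import re

# Constructed sample config line; the oinkcode is a placeholder, not a real one.
SAMPLE_RULE_URL = (
    "rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|"
    "0123456789abcdef0123456789abcdef01234567"
)
REDACTED = "<oinkcode-redacted>"


def parse_rule_url(line):
    """Split a pulledpork.conf rule_url line into (base, filename, oinkcode)."""
    key, _, value = line.partition("=")
    if key.strip() != "rule_url":
        raise ValueError("not a rule_url line")
    parts = [p.strip() for p in value.split("|")]
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected base|filename|oinkcode with all three fields set")
    return tuple(parts)


def snapshot_suffix(snort_version):
    """Map a Snort version such as 2.9.11.0 to the 29110 used in the snapshot name.

    All four components are required: 2.9.11 alone would yield 2911, which does
    not match the snortrules-snapshot-29110 file that snort.org serves.
    """
    if not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", snort_version):
        raise ValueError("snort_version must have four components, e.g. 2.9.11.0")
    return snort_version.replace(".", "")


def build_snapshot_url(line, snort_version):
    """Build the versioned download URL from a rule_url line and a Snort version.

    Assumption: the oinkcode is appended as the last path segment.
    """
    base, filename, oinkcode = parse_rule_url(line)
    versioned = filename.replace(".tar.gz", f"-{snapshot_suffix(snort_version)}.tar.gz", 1)
    return f"{base.rstrip('/')}/{versioned}/{oinkcode}"


def redact_oinkcode(url, oinkcode):
    """Return a copy of the URL safe to log or post publicly."""
    return url.replace(oinkcode, REDACTED)
```

Print only `redact_oinkcode(...)` output when sharing a failing URL; the raw oinkcode is a credential for your snort.org account.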

Cyclohexane2 commented 6 years ago

Thanks, I've now confirmed there is a firewall issue. Hopefully I'll get that solved in the new year, and I'll be back if not. Merry Christmas!