shirkdog / pulledpork

Pulled Pork for Snort and Suricata rule management (from Google code)
GNU General Public License v2.0

PulledPork not pulling community rule set #323

Closed sfscott closed 5 years ago

sfscott commented 5 years ago

I have gotten PulledPork working but am experiencing the following error when I try to download both the rules update tarball and the Community update tarballs.

The script grabs the Community oink code for both downloads and fails. Or if I use my oink code for both lines in the config, it downloads the rules update package twice and never downloads community. I've also tried removing the community oink code but it errs out and says I need an oink code.

Below are my configs for both scenarios:

Scenario 1 - Community oink code set to 'Community'

Config: rule_url=http://www.snort.org/downloads/registered/|snortrules-snapshot-29120.tar.gz|cexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb

NEW Community ruleset:

rule_url=http://www.snort.org/downloads/community/|community-rules.tar.gz|Community

Result: Checking latest MD5 for snortrules-snapshot-29120.tar.gz.... They Match Done! Checking latest MD5 for snortrules-snapshot-29120.tar.gz.... Error downloading https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz.md5?oinkcode=Community: 422 Unprocessable Entity [ 422 ]

Scenario 2 - Oink code used for both rules update and community

Config: rule_url=http://www.snort.org/downloads/registered/|snortrules-snapshot-29120.tar.gz|cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb

NEW Community ruleset:

rule_url=http://www.snort.org/downloads/community/|community-rules.tar.gz|cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb

Result: Checking latest MD5 for snortrules-snapshot-29120.tar.gz.... They Match Done! Checking latest MD5 for snortrules-snapshot-29120.tar.gz.... They Match Done! IP Blacklist download of https://talosintelligence.com/documents/ip-blacklist.... Reading IP List...

Thanks for the assist!

finchy commented 5 years ago

Really should think about making the oinkcode its own variable line instead of inline. As confusing as this may be for the end user, the logs on snort.org tell me it's very confusing for most people.
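Added example, not PulledPork's own code: a small Python check over `rule_url=` lines in the `url|tarball|oinkcode` form shown in the issue body, flagging the mismatches discussed in this thread (the `Community` placeholder on the registered URL, which the log shows snort.org rejecting with 422, a real oinkcode on the community URL, and an empty oinkcode field) while masking the oinkcode in output the way the reporter did. The sample configs and oinkcodes below are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed sample configs: the issue's two scenarios plus the two mistakes the
# reporter says were also tried. Oinkcodes are fake placeholders, not credentials.
SCENARIO_1 = """
rule_url=http://www.snort.org/downloads/registered/|snortrules-snapshot-29120.tar.gz|ce0123456789abcdef0123456789abcdefb
rule_url=http://www.snort.org/downloads/community/|community-rules.tar.gz|Community
"""
SCENARIO_2 = """
rule_url=http://www.snort.org/downloads/registered/|snortrules-snapshot-29120.tar.gz|c0123456789abcdef0123456789abcdef01234b
rule_url=http://www.snort.org/downloads/community/|community-rules.tar.gz|c0123456789abcdef0123456789abcdef01234b
"""
BAD_CONFIG = """
rule_url=http://www.snort.org/downloads/registered/|snortrules-snapshot-29120.tar.gz|Community
rule_url=http://www.snort.org/downloads/community/|community-rules.tar.gz|
"""

def mask(code):
    """Redact an oinkcode for logs: keep only the first two and last characters."""
    if code == "Community" or len(code) < 6:
        return code
    return code[:2] + "x" * (len(code) - 3) + code[-1]

def parse_rule_urls(text):
    """Return (url, tarball, oinkcode) tuples from rule_url= lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("rule_url="):
            continue
        fields = [f.strip() for f in line[len("rule_url="):].split("|")]
        if len(fields) != 3:
            raise ValueError(f"rule_url needs url|tarball|oinkcode, got {len(fields)} fields")
        entries.append(tuple(fields))
    return entries

def lint(text):
    """Warn about rule_url entries whose oinkcode field cannot work for that URL."""
    warnings = []
    for url, tarball, code in parse_rule_urls(text):
        is_community = "/community/" in urlparse(url).path
        if not code:
            warnings.append(f"{tarball}: empty oinkcode field")
        elif code == "Community" and not is_community:
            # the issue log shows snort.org answering 422 to ?oinkcode=Community
            warnings.append(f"{tarball}: 'Community' placeholder on non-community URL {url}")
        elif code != "Community" and is_community:
            warnings.append(f"{tarball}: real oinkcode {mask(code)} on community URL; use the Community placeholder")
    return warnings
```

Scenario 1 passes clean, which agrees with the reporter's later finding that its error was caused by stale state in /tmp rather than by the config.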

sfscott commented 5 years ago

I would agree. Any idea what's going on with my downloads?

sfscott commented 5 years ago

UPDATE: This was a misleading error. When I rebooted and cleared /tmp the error disappeared.

sfscott commented 5 years ago

This resolved itself after a fresh reboot and /tmp was cleared. The error itself was misleading.