yookd / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0

Use snortrules-snapshot-edge.tar.gz for updates #103

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I'm very new to snort and pulledpork.

I have updated to Snort 2.9.2 but as I am only a registered user at this time I 
am only entitled to updates that are 30 days old. (We are awaiting sanction 
from line management to purchase a VRT Subscription.) Meaning the updates I am 
entitled to are only applicable to Snort Version 2.9.1.2.

When I use Pulled Pork to update Snort Rules it is defaulting to pull the 
latest VRT rules and not the Registered User rules, resulting in me getting a 
403 forbidden error when I try and download them. I have to edit the 
pulledpork.conf file and hardcode in the rule name to download the rules. I may 
be doing something wrong, I accept that. 

But back to my original reason for opening this. If pulled pork just downloaded 
the snortrules-snapshot-edge.tar.gz it will always be the correct/latest 
version that a given user/oinkcode, Registered or Subscribed, is entitled to.

Thanks,
Ciarán

Original issue reported on code.google.com by lost....@gmail.com on 14 Jan 2012 at 4:44

GoogleCodeExporter commented 9 years ago
You do not understand how the rule system works, there is no longer a valid and 
updated rules file with the name that you give.  Regardless of what version of 
snort rules you attempt to download, the age of the rules within said file is 
automatically determined by the level associated with your oinkcode.  You were 
unable to download for 2.9.2 because there is NO tarball for the registered 
users yet, since it has not yet been 30 days since 2.9.2 was released.  Once it 
has been 30 days then your oinkcode will work to get 2.9.2 registered rulesets.  
When this happens, there is a variable in the pulledpork.conf that lets you 
specify the version of snort that you are running; had you specified 2.9.1.2 
then the ruleset would have downloaded and worked perfectly.

This is an invalid bug, and is being marked as such.

Original comment by Cummin...@gmail.com on 14 Jan 2012 at 10:39

GoogleCodeExporter commented 9 years ago
I did specify "snort_version=2.9.1.2" in the pulledpork.conf but even with my 
oinkcode it still tried to download snortrules-snapshot-2920.tar.gz which 
resulted in a 403 forbidden error because I'm not entitled to it.
If I hardcoded "snortrules-snapshot-2912.tar.gz" into pulledpork.conf it worked 
just fine.

Sorry.

Original comment by lost....@gmail.com on 14 Jan 2012 at 10:48

GoogleCodeExporter commented 9 years ago
That is potentially a different issue that we can look into.

Original comment by Cummin...@gmail.com on 14 Jan 2012 at 10:49

GoogleCodeExporter commented 9 years ago
I mentioned snortrules-snapshot-edge.tar.gz because if I do
wget http://www.snort.org/reg-rules/snortrules-snapshot-edge.tar.gz/<oinkcode 
here> -O snortrules-snapshot-edge.tar.gz

It gets me the latest snapshot for my release, I thought.
It's mentioned at foot of page here:
http://www.snort.org/snort-rules/cli

It'll be Monday 10-ish GMT before I can get you my actual pulledpork.conf

Original comment by lost....@gmail.com on 14 Jan 2012 at 10:55

GoogleCodeExporter commented 9 years ago
I see what you are talking about, it doesn't get you the latest snapshot for 
your release, it gets you the latest that you are entitled to.. that is bad 
because many people will still be running 2.9.1.2.. so when they can get 2.9.2 
it will break their 2.9.1.2 install..

Original comment by Cummin...@gmail.com on 14 Jan 2012 at 11:15
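The tarball naming and entitlement behaviour discussed in the comments above, as an added example that is not pulledpork's own code and not posted by anyone in this thread: it derives the tarball name from a snort_version the way the thread shows (2.9.1.2 -> snortrules-snapshot-2912.tar.gz, 2.9.2 -> snortrules-snapshot-2920.tar.gz), builds the reg-rules URL in the form the reporter used with wget, strips the oinkcode before the URL is logged since it is a credential carried in the path, and refuses to deploy a tarball that does not match the running Snort version, which is the breakage the maintainer warns the edge tarball will cause. The four-digit zero-padding rule beyond the two cases shown, the function names, the 403 interpretation text and the sample oinkcode are assumptions.

```python
"""Added example (not pulledpork's own code): VRT tarball naming, URL
construction and a deploy-time version guard, from the behaviour the thread
describes.  The mapping 2.9.1.2 -> 2912 and 2.9.2 -> 2920 and the URL
shape come from the comments; the padding rule beyond those two cases, the
function names and the sample values are assumptions."""
import re
from typing import Optional, Tuple
from urllib.parse import quote

# URL prefix as the reporter used it with wget; the oinkcode is the final
# path component, so the credential travels inside the URL itself.
BASE_URL = "http://www.snort.org/reg-rules"

_SNAPSHOT_RE = re.compile(r"snortrules-snapshot-(\d{4}|edge)\.tar\.gz")


def snapshot_name(snort_version: str) -> str:
    """Map a Snort version to the VRT snapshot tarball name.

    Dots are dropped and the digits are right-padded with zeros to four
    places (2.9.1.2 -> 2912, 2.9.2 -> 2920, as seen in the thread).  The
    literal "edge" selects the floating tarball, which is the newest ruleset
    the oinkcode is entitled to, not the one for a given release.  Only
    single-digit components are accepted: a four-digit name cannot
    represent 2.9.10 without colliding with 2.9.1.0 (assumption).
    """
    if snort_version == "edge":
        return "snortrules-snapshot-edge.tar.gz"
    if not re.fullmatch(r"\d(\.\d){1,3}", snort_version):
        raise ValueError(f"unsupported Snort version string: {snort_version!r}")
    digits = snort_version.replace(".", "").ljust(4, "0")
    return f"snortrules-snapshot-{digits}.tar.gz"


def tarball_version(tarball_name: str) -> Optional[str]:
    """Inverse mapping: 2912 -> 2.9.1.2, 2920 -> 2.9.2; None for edge,
    whose version cannot be read from the name."""
    m = _SNAPSHOT_RE.fullmatch(tarball_name)
    if not m:
        raise ValueError(f"not a VRT snapshot tarball name: {tarball_name!r}")
    if m.group(1) == "edge":
        return None
    digits = m.group(1)
    # Keep major.minor.patch, drop only a padded fourth zero.
    trimmed = digits[:3] + digits[3:].rstrip("0")
    return ".".join(trimmed)


def rules_url(snort_version: str, oinkcode: str) -> str:
    """Build <BASE_URL>/<tarball>/<oinkcode>, the form used in the thread."""
    if not oinkcode:
        raise ValueError("oinkcode is required")
    return f"{BASE_URL}/{snapshot_name(snort_version)}/{quote(oinkcode, safe='')}"


def redact_oinkcode(url: str) -> str:
    """Replace the trailing oinkcode path component before a URL is logged."""
    return re.sub(r"(\.tar\.gz/)[^/]+$", r"\1<oinkcode>", url)


def explain_http_status(status: int, snort_version: str) -> str:
    """Turn a download result into the explanation the maintainer gave."""
    name = snapshot_name(snort_version)
    if status == 200:
        return f"downloaded {name}"
    if status == 403:
        return (f"403 forbidden: this oinkcode is not entitled to {name} yet "
                "(registered users receive a release's rules 30 days after it ships)")
    return f"unexpected HTTP status {status} for {name}"


def check_deployable(running_version: str, tarball_name: str) -> Tuple[bool, str]:
    """Refuse to install a ruleset that does not match the running Snort.

    This is the failure mode the maintainer warns about: once a registered
    oinkcode becomes entitled to 2.9.2 rules, the edge tarball silently
    switches to them and would break a 2.9.1.2 install.
    """
    version = tarball_version(tarball_name)
    if version is None:
        return False, "edge tarball: version not in the name, inspect before use"
    if snapshot_name(running_version) != tarball_name:
        return False, f"ruleset is for Snort {version}, running {running_version}"
    return True, f"ruleset matches Snort {running_version}"


if __name__ == "__main__":
    # Constructed sample values; "0123abcd" is not a real oinkcode.
    print(redact_oinkcode(rules_url("2.9.1.2", "0123abcd")))
    print(explain_http_status(403, "2.9.2"))
    print(check_deployable("2.9.1.2", "snortrules-snapshot-2920.tar.gz"))
```

The guard in check_deployable is the piece to keep: pin snort_version in pulledpork.conf to the binary you actually run, and treat the edge tarball as something to inspect rather than drop straight into a production rules directory, because its contents follow the oinkcode's entitlement rather than the installed Snort.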

GoogleCodeExporter commented 9 years ago
Damn mistype:
"It gets me the latest snapshot for my release, I thought." Should have been
It gets me the latest snapshot that I am entitled to. But you got that.

I'm using the 2.9.1.2 rules from snortrules-snapshot-2912.tar.gz with Snort 
2.9.2 and I thought it worked just fine. But you are saying if I used rules 
created for 2.9.2 with 2.9.1.2 it would break 2.9.1.2.

That is handy to know if I'm having a crappy morning with snort someday.

Thanks.

Original comment by lost....@gmail.com on 14 Jan 2012 at 11:25