Snort mailing list archives

Re: RESOLVED Re: Oinkmaster can't get rules


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 16 Jul 2010 07:31:11 -0600

An interesting thing.  Just tested this morning...on Slackware 10.2 (old, I
know).

All three things needed to happen...why, I have no idea.  Wget version is
1.10.2.

Current setup:
Crypt::SSLeay is updated to 0.57.  Verisign certs from the ca-certs package
dated December 2009 are in /etc/ssl/certs (openssl has been compiled with
default dir as /etc/ssl/).  --no-check-certificate is in oinkmaster.pl line
909.

If I remove the certs I get:
Resolving www.snort.org... 68.177.102.20
Connecting to www.snort.org|68.177.102.20|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
06:15:08 ERROR 403: Forbidden.

If I remove the --no-check-certificate line I get:
Resolving www.snort.org... 68.177.102.20
Connecting to www.snort.org|68.177.102.20|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://s3.amazonaws.com/snort.org/rules/20100614/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId= [following]
--06:52:53--  https://s3.amazonaws.com/snort.org/rules/20100614/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId=
           => `/tmp/oinkmaster.OOORjjxt1X/url.erXoRpKg3C/snortrules.tar.gz'
Resolving s3.amazonaws.com... 72.21.207.242
Connecting to s3.amazonaws.com|72.21.207.242|:443... connected.
ERROR: Certificate verification error for s3.amazonaws.com: unable to get local issuer certificate
To connect to s3.amazonaws.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

With both the above set however, all is fine in the universe:
Loading /chroot/snort/etc/oinkmaster.conf
Downloading file from
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2860.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Downloading file from
http://www.emergingthreats.net/rules/emerging.rules.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Setting up rules structures... done.
Processing downloaded rules... disabled 3, enabled 0, modified 0,
total=20447
Setting up rules structures... done.
Comparing new files to the old ones... done.
Updating local rules files... done.

So there we have it ;)

James

From: Nigel Houghton <nhoughton () sourcefire com>
Date: Thu, 15 Jul 2010 08:51:37 -0400
To: James Lay <jlay () slave-tothe-box net>
Cc: Snort <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] RESOLVED Re: Oinkmaster can't get rules

On Thu, Jul 15, 2010 at 8:27 AM, James Lay <jlay () slave-tothe-box net> wrote:
> Success!
>
> Apparently 3 things needed to occur:
>
> Update Crypt::SSLeay

Good practice to keep things up to date, especially where your
security software is concerned. (I'm looking at you people who aren't
running 2.8.5.3 or 2.8.6.0)

> Modify oinkmaster.pl line 909 with --no-check-certificate

So now you're not checking certificate validity so...

> Snag the ca-certificates package and install each cert in /etc/ssl/certs

...you wouldn't need these anymore.

> While I can see Slackware's point of having the user install the certs,
> eh...it was a bit of a pain to have to figure all this out ;)  Thanks for
> all the help folks.

You need to make sure you have the up to date certificates installed
and don't use the "--no-check-cert" option.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



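Nigel's advice above comes down to two checks a defender can automate: that no rule-update script carries a flag that switches certificate verification off, and that the CA directory wget and OpenSSL consult actually holds usable trust anchors. The script below is an added example written for this page; it is not Oinkmaster code and did not come from anyone in the thread. The file names, the empty placeholder certificate and the fake hash link it creates are constructed so it runs offline. It audits scripts for wget's `--no-check-certificate` (and curl's equivalents), and checks that a CA directory has the hash-named links OpenSSL's CApath lookup needs; a directory of bare PEM files without those links is one common way to get wget's "unable to get local issuer certificate" error even when the right CA is present.

```shell
#!/bin/sh
# Added example for this thread, not Oinkmaster code. Two defender-side checks:
#   1. audit_tls_flags: find update scripts that disable TLS certificate checks
#   2. check_ca_dir:    confirm a CA directory is usable as an OpenSSL CApath
# All sample files are constructed in a temp dir; nothing here touches the network.

# audit_tls_flags FILE...
# Prints file:line:text for every line that turns certificate verification off
# (wget --no-check-certificate, curl -k/--insecure, LWP's hostname-check switch).
# Returns 1 if any such line was found, 0 if all files are clean.
audit_tls_flags() {
    pat='--no-check-certificate|--insecure|curl[^;|&]*[[:space:]]-k([[:space:]]|$)|PERL_LWP_SSL_VERIFY_HOSTNAME=0'
    rc=0
    for f in "$@"; do
        # -e keeps grep from reading a pattern that starts with "--" as an option;
        # /dev/null as a second file makes grep prefix each hit with the file name
        if grep -q -E -e "$pat" "$f"; then
            rc=1
            grep -n -E -e "$pat" "$f" /dev/null
        fi
    done
    return $rc
}

# check_ca_dir DIR
# Returns 0 if DIR exists, holds at least one .pem/.crt file and has the
# <8-hex-hash>.N symlinks that OpenSSL's CApath lookup (and so wget) uses to
# find an issuer; c_rehash / "openssl rehash" creates them. Bare PEM files
# with no hash links are one common cause of "unable to get local issuer
# certificate". Returns 1 with a reason on stderr otherwise.
check_ca_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "CA dir $dir: does not exist" >&2
        return 1
    fi
    pems=$(find "$dir" -maxdepth 1 \( -name '*.pem' -o -name '*.crt' \) | wc -l | tr -d ' ')
    if [ "$pems" -eq 0 ]; then
        echo "CA dir $dir: no .pem/.crt files" >&2
        return 1
    fi
    hashed=$(ls "$dir" | grep -c -E '^[0-9a-f]{8}\.[0-9]+$' || true)
    if [ "$hashed" -eq 0 ]; then
        echo "CA dir $dir: $pems cert file(s) but no hash links; run: c_rehash $dir" >&2
        return 1
    fi
    echo "CA dir $dir: $pems cert file(s), $hashed hash link(s)"
}

# Demonstration on constructed files.
demo() {
    tmp=$(mktemp -d)
    # constructed stand-ins for the wget line in an updater script
    printf 'wget --no-check-certificate -O rules.tar.gz "$url"\n' > "$tmp/updater-insecure.sh"
    printf 'wget -O rules.tar.gz "$url"\n' > "$tmp/updater-ok.sh"
    echo "== flag audit =="
    audit_tls_flags "$tmp/updater-insecure.sh" "$tmp/updater-ok.sh" \
        || echo "-> certificate checks are disabled somewhere; remove the flag and fix the CA store"

    mkdir "$tmp/certs"
    : > "$tmp/certs/example-root.pem"        # constructed placeholder, not a real cert
    echo "== CA dir before rehash =="
    check_ca_dir "$tmp/certs" || true
    ln -s example-root.pem "$tmp/certs/0123abcd.0"   # constructed stand-in for a c_rehash link
    echo "== CA dir after rehash =="
    check_ca_dir "$tmp/certs"
    rm -rf "$tmp"
}

demo
```

Run the audit over whatever actually fetches rules (the updater script, its cron wrapper) and point `check_ca_dir` at the directory OpenSSL was built to use, `/etc/ssl/certs` in the setup above. Once both checks pass, the `--no-check-certificate` edit can be reverted and the download verified the way it was meant to be.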

