Snort mailing list archives
Re: Intermittent Pulled Pork Error
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 17 Feb 2011 10:28:32 -0500
I'll let JJ address the PP area, However, you are correct. That's one of the advantages of PulledPork is that it checks the md5 to see if there is a different in the ruleset before an attempted download. My reason for asking is because we generally only release rules, probably twice a week. (sometimes more, depending on what's going on) Joel On Feb 17, 2011, at 8:29 AM, Weir, Jason wrote:
Unless I'm incorrect - I'm only pulling rules when the md5 hash file has changed... I do have PP checking every couple hours (cron) for an updated md5. I know that's way more often then you push updates, but it should have no effect on the file availability... FYI - overnight PP fetching the 2.9.0.4 rules failed half the time, another sensor still using oinkmaster fetching the 2.8.6.1 rules worked without error every time.. So maybe this is a PP problem??? -J-----Original Message----- From: Joel Esler [mailto:jesler () sourcefire com] Sent: Wednesday, February 16, 2011 10:04 PM To: Weir, Jason Cc: Nigel Houghton; Snort Users Subject: Re: [Snort-users] Intermittent Pulled Pork Error We shouldn't. We've notified the web-team. How often are you trying to pull rule updates? Just out of curiosity. -- Sent from my iPad Please excuse the brevity On Feb 16, 2011, at 4:04 PM, "Weir, Jason" <jason.weir () nhrs org> wrote:Nigel, I changed the rules file name to snortrules-snapshot-edge.tar.gz as indicated below and I'm intermittently still getting the 500 error.. "Error 500 when fetchinghttps://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at/usr/local/bin/pulledpork.pl line 390" Just tried it manually and it worked fine... You guyshaving a deliveryproblem? -J-----Original Message----- From: Nigel Houghton [mailto:nhoughton () sourcefire com] Sent: Wednesday, February 16, 2011 1:38 PM To: Weir, Jason Cc: Snort Users Subject: Re: [Snort-users] Intermittent Pulled Pork Error On Wed, 16 Feb 2011 13:32:45 -0500, Nigel Houghton wrote:On Wed, 16 Feb 2011 13:05:09 -0500, Weir, Jason wrote:Doesn't happen all of the time... Error 500 when fetchinghttps://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at/usr/local/bin/pulledpork.pl line 390 -JThat's not a PulledPork error, that's a website error. Thefile isn'tthere, which strictly speaking shouldn't be a 500 servererror, butsince the application that handles looking for the filecan't find it,the server will return the application error instead of a404 not found.With that said, I'll forward this to our Snort web team for investigation.Actually, no I won't. After looking at snort.org I see that the 2.9.0.4 rule set is not yet available for registered users. So,you'll get a404 (or 500) for the rules file too. You can fix this for future use by using snortrules-snapshot-edge.tar.gz as the name of your rulesfile. Thatway, you will get the latest version of rules for either registered or subscriber rules automatically. Right now, for registeredusers thiswill be a 2.9.0.3 rule set. Which should work with 2.9.0.4. Now, per the rules of the drinking game, I will be taking a shot or two for replying to my own email. -- Nigel Houghton Head Mentalist SF VRT Department of Intelligence Excellence http://vrt-blog.snort.org/ && http://labs.snort.org/_____________________________________________________________________________________________ Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
-- Joel Esler jesler () sourcefire.com http://blog.snort.org && http://blog.clamav.net ------------------------------------------------------------------------------ The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE: Pinpoint memory and threading errors before they happen. Find and fix more than 250 security defects in the development cycle. Locate bottlenecks in serial and parallel code that limit performance. http://p.sf.net/sfu/intel-dev2devfeb _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Intermittent Pulled Pork Error, (continued)
- Re: Intermittent Pulled Pork Error Nigel Houghton (Feb 16)
- Re: Intermittent Pulled Pork Error Weir, Jason (Feb 16)
- Re: Intermittent Pulled Pork Error Nigel Houghton (Feb 16)
- Re: Intermittent Pulled Pork Error Weir, Jason (Feb 16)
- Re: Intermittent Pulled Pork Error JJC (Feb 16)
- Re: Intermittent Pulled Pork Error Weir, Jason (Feb 16)
- Re: Intermittent Pulled Pork Error Chris Jacob (Feb 16)
- Re: Intermittent Pulled Pork Error Weir, Jason (Feb 16)
- Re: Intermittent Pulled Pork Error Joel Esler (Feb 16)
- Re: Intermittent Pulled Pork Error Weir, Jason (Feb 17)
- Re: Intermittent Pulled Pork Error Joel Esler (Feb 17)
- Re: Intermittent Pulled Pork Error Weir, Jason (Feb 17)
- Re: Intermittent Pulled Pork Error Joel Esler (Feb 17)
- Re: Intermittent Pulled Pork Error waldo kitty (Feb 17)
- Re: Intermittent Pulled Pork Error JJ Cummings (Feb 17)
- Re: Intermittent Pulled Pork Error waldo kitty (Feb 18)
- Re: Intermittent Pulled Pork Error Joel Esler (Feb 19)
- Re: Intermittent Pulled Pork Error waldo kitty (Feb 19)
- Re: Intermittent Pulled Pork Error Nigel Houghton (Feb 16)
- Re: Intermittent Pulled Pork Error Randal T. Rioux (Feb 18)
- Re: Intermittent Pulled Pork Error waldo kitty (Feb 18)
- Re: Intermittent Pulled Pork Error JJ Cummings (Feb 17)