snort-users October 2011 archive
Main Archive Page > Month Archives  > snort-users archives
snort-users: Re: [Snort-users] Snort Wget Failure (can't resolve

Re: [Snort-users] Snort Wget Failure (can't resolve www.snort.org)

From: Carney, Megan <Megan.Carney_at_nospam>
Date: Thu Oct 06 2011 - 16:12:56 GMT
To: "snort-users@lists.sourceforge.net" <snort-users@lists.sourceforge.net>

I haven't had this exact problem but I have had odd problems downloading the rulesets.

I use oinkmaster to manage the rulesets and when I run the command to update the rules (/usr/sbin/oinkmaster -i -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules/ -b /etc/snort/backup/) I get this error:
/usr/sbin/oinkmaster: Error: incorrect URL: "http://www.snort.org/sub-rules/snortrules-snapshot-2905.tar.gz/[redacted]/

But if I visit that URL manually with wget the ruleset downloads just fine.

Sorry I can't help with your specific problem. . .but I thought it might help if you knew you're not the only one having odd issues with downloading the rulesets.

From: Todd Booth [mailto:todd.booth@ltu.se]
Sent: Friday, September 23, 2011 3:53 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Snort Wget Failure (can't resolve www.snort.org)

Hello,

I've configured snort, on my Vyatta network/security device but the initial downloading of rules fails. I surfed the net and see other users (without Vyatta) are having the same problems.

Here is the initial wget

wget http://www.snort.org/pub-bin/oinkmaster.cgi/<my snort oink code>/snortrules-snapshot-2905.tar.gz<http://www.snort.org/pub-bin/oinkmaster.cgi/%3cmy%20snort%20oink%20code%3e/snortrules-snapshot-2905.tar.gz>

Here is the error:

--2011-09-23 08:45:27-- http://www.snort.org/pub-bin/oinkmaster.cgi/<my<http://www.snort.org/pub-bin/oinkmaster.cgi/%3cmy> snort oink code>/snortrules-snapshot-2905.tar.gz
Resolving www.snort.org<http://www.snort.org>... failed: Name or service not known.
wget: unable to resolve host address `www.snort.org'

However if I ping www.snort.org<http://www.snort.org> from my Vyatta, I get the ip address resolved as 68.177.102.20

So in my new wget, I replaced www.snort.org<http://www.snort.org> with 68.177.102.20, as follows

vyatta_at_Vyatta1:~$ wget http://68.177.102.20/pub-bin/oinkmaster.cgi/<my<http://68.177.102.20/pub-bin/oinkmaster.cgi/%3cmy> oink code>/snortrules-snapshot-2905.tar.gz
--2011-09-23 07:55:21-- http://68.177.102.20/pub-bin/oinkmaster.cgi/<my<http://68.177.102.20/pub-bin/oinkmaster.cgi/%3cmy> oink code>/snortrules-snapshot-2905.tar.gz
Connecting to 68.177.102.20:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://s3.amazonaws.com/snort-org/www/rules/20110823/snortrules-snapshot-2905.tar.gz?AWSAccessKeyId=<key>&Expires=1316764830&Signature<http://s3.amazonaws.com/snort-org/www/rules/20110823/snortrules-snapshot-2905.tar.gz?AWSAccessKeyId=%3ckey%3e&Expires=1316764830&Signature>=
JUAQj%2Bn1Y65X3zmVFuq6ozSlPUo%3D [following]
--2011-09-23 07:55:24-- http://s3.amazonaws.com/snort-org/www/rules/20110823/sn
ortrules-snapshot-2905.tar.gz?AWSAccessKeyId=AKIAJJSHU7YNPLE5MKOQ&Expires=131676
4830&Signature=JUAQj%2Bn1Y65X3zmVFuq6ozSlPUo%3D
Resolving s3.amazonaws.com... failed: Name or service not known.
wget: unable to resolve host address `s3.amazonaws.com'

So I do a wget to www.snort.org<http://www.snort.org> and I get referred to s3.amazonaws.com

However s3.amazonaws.com is also not resolved. So I try ping and get the s3.amazonaw.com ip address address and plug that in to the above 2nd wget

wget http://72.21.211.173/snort-org/www/rules/20110823/snortrules-snapshot-2905.tar.gz?<key>&Expires=1316764830&Signature=JUAQj%2Bn1Y65X3zmVFuq6ozSlPUo%3D<http://72.21.211.173/snort-org/www/rules/20110823/snortrules-snapshot-2905.tar.gz?%3ckey%3e&Expires=1316764830&Signature=JUAQj%2Bn1Y65X3zmVFuq6ozSlPUo%3D>

Then I get the following error:
HTTP request sent, awaiting response... 403 Forbidden
2011-09-23 08:50:47 ERROR 403: Forbidden.

Is this a problem with wget? Or is this a problem with the configuration at www.snort.org<http://www.snort.org>?

Thanks and Regards,
[Description: Description: cid:image002.jpg@01CB97C3.BFF2AC00][Description: Description: Description: Description: cid:image002.png@01CB3D84.E32FF720]

[Description: Description: Description: Description: cid:image003.png_at_01CB3D84.E32FF720]<http://ltu.se/> LuleŚ Technology University<http://ltu.se/>
Teacher, Research Engineer and Lecturer Todd Booth

Department<http://www.ltu.se/org/srt?l=en>: Computer Science, Electrical and Space Engineering, CSEE (SKE/SRT)
Division<http://www.ltu.se/org/srt/Avdelningar/Datavetenskap?l=en>: Computer Science
Specialty: Computer and System Science / Information Security<http://www.ltu.se/edu/program/FMISA?l=en>
Courses: A0004N Information Security<http://www.ltu.se/edu/course/A00/A0004N?l=en> and A7011N Internet Security<http://www.ltu.se/edu/course/A70/A7011N?l=en>

Direct: +46-910-585 324
Mobile: +46-76-346 3459
Email: Todd.Booth@LTU.se<mailto:Todd.Booth@LTU.se>
Web: http://LTU.se<http://ltu.se/>
LinkedIn: Todd.Booth@LTU.se<mailto:Todd.Booth@LTU.se>

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!