Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2910.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 516. | pulledpork.pl - generating incorrect URL for download #301

Closed
alextomko opened this issue Jan 8, 2018 · 10 comments

Comments

@alextomko

The pulledpork.pl script is deciding to put in the incorrect URL to download snort rules with. The correct URL is:

https://www.snort.org/rules/snortrules-snapshot-29110.tar.gz?oinkcode=myoinkcode

Instead it is trying to download a file that does not exist:

	Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2910.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 516.
	main::md5file("myoinkcode", "snortrules-snapshot-2910.tar.gz", "/tmp/", "https://www.snort.org/reg-rules/") called at /usr/local/bin/pulledpork.pl line 1938

Any reason why it is not putting in the correct URL? When I go to download the correct file-name with 29110 instead of 2910 it downloads with my oinkcode just fine.

@alextomko alextomko changed the title Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2910.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 516. Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2910.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 516. | pulledpork.pl - generating incorrect URL for download Jan 8, 2018
@shirkdog
Owner

shirkdog commented Jan 8, 2018

As long as you have the latest version of pulledpork, you should be able to pull down the 2.9.11.0 and 2.9.11.1 rulesets. HTTP 422 errors normally point to an EOL Snort version you are trying to fetch rulesets for. Pulledpork will try to discover the version of Snort you are using, and this is also a configuration item.

@alextomko
Author

alextomko commented Jan 8, 2018

Well how do I make it try to pull the correct rule set - you can see the URL it is trying to get is wrong.
It tries to get "https://www.snort.org/reg-rules/snortrules-snapshot-2910.tar.gz.md5" - which does not exist. If I manually try the file with "https://www.snort.org/rules/snortrules-snapshot-29110.tar.gz.md5?oinkcode=myoinkcode" it downloads fine. So it is trying a URL with reg-rules when it should be rules by itself and 2910 when it should be 29110.

@shirkdog
Owner

shirkdog commented Jan 8, 2018

What is snort_version set to in the pulledpork.conf?

If not, add -S 2.9.11.0 to your command line and see if that works.

@alextomko
Author

alextomko commented Jan 9, 2018

Adding snort_version= in config fixed some of the downloads but I am down to the last one emergingthreats and it will not work in the pulledpork.pl script. I went to their website and it works fine if I get the actual URL.

The default in pulledpork.conf causes an Error 429.

rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open

The working URL is:

https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz

I have tried variations of the following, but can't get it to put in the correct URL:

rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|snort-2.9.0
rule_url=https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz

@alextomko
Author

alextomko commented Jan 9, 2018

I could get snortrules-snapshot community and ip-filter or blacklist to download but the others fail:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|oinkcode
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_url=http://talosintel.com/feeds/ip-ilter.blf|IPBLACKLIST

Cannot get opensource.gz or emergingthreats to download from pulledpork.pl. I can download the files if I put the actual URL into a browser though.

rule_url=https://www.snort.org/rules/|opensource.gz|oinkcode
rule_url=https://rules.emergingthreats.net/|snort-2.9.0|emerging.rules.tar.gz|open
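
Added example (not part of the thread and not pulledpork's own code): a pre-flight check of `pulledpork.conf` that reports which snapshot file name follows from `snort_version` and flags `rule_url` lines with the wrong shape. It assumes the snapshot name is the dotted version with the dots removed (2.9.11.0 gives 29110, as in the URLs quoted above) and that each `rule_url` has three `|`-separated fields like the snort.org and community lines quoted above; `snapshot_name`, `check_conf` and `SAMPLE_CONF` are hypothetical names.

```python
import re

# Constructed sample config: shapes taken from lines quoted in this thread.
SAMPLE_CONF = """\
snort_version=2.9.11.0
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|oinkcode
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_url=https://rules.emergingthreats.net/|snort-2.9.0|emerging.rules.tar.gz|open
rule_url=https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
"""


def snapshot_name(snort_version):
    """Map a dotted version to the snapshot tarball name seen in the URLs above."""
    if not re.fullmatch(r"\d+(\.\d+){3}", snort_version):
        raise ValueError("expected a four-part version such as 2.9.11.0")
    return "snortrules-snapshot-%s.tar.gz" % snort_version.replace(".", "")


def check_conf(text):
    """Return (expected_snapshot_or_None, [(line_no, problem), ...])."""
    version, rule_urls, problems = None, [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "snort_version":
            version = value.strip()
        elif key.strip() == "rule_url":
            rule_urls.append((line_no, value.strip()))
    for line_no, value in rule_urls:
        fields = value.split("|")
        # Assumption: base_url|file|oinkcode, i.e. exactly three non-empty fields.
        if len(fields) != 3 or not all(fields):
            problems.append((line_no, "expected 3 '|'-separated fields, got %d" % len(fields)))
        elif fields[1] == "snortrules-snapshot.tar.gz" and version is None:
            problems.append((line_no, "snort_version unset; snapshot name depends on it"))
    expected = snapshot_name(version) if version else None
    return expected, problems


if __name__ == "__main__":
    expected, problems = check_conf(SAMPLE_CONF)
    print("snapshot that should be requested:", expected)
    for line_no, problem in problems:
        print("line %d: %s" % (line_no, problem))
```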

@masbrows

masbrows commented Feb 22, 2018

Hi, I have the same error:

$ sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
 
    https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.2 - E.Coli in your water bottle!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2015 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2910.tar.gz....
	Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2910.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 516.
	main::md5file("da2934489a1c9d7cb4b5deccf0af1853ef9a702b", "snortrules-snapshot-2910.tar.gz", "/tmp/", "https://www.snort.org/reg-rules/") called at /usr/local/bin/pulledpork.pl line 1938

@masbrows

Solved with PulledPork v0.7.3: https://github.com/shirkdog/pulledpork/tree/0.7.3

@finchy
Collaborator

finchy commented Sep 1, 2020

Since lots of people Google this: if you are attempting to download a ruleset and you get 422 back as a response from Snort.org, that means you are attempting to download a version of the ruleset that doesn't exist anymore. Please update your version of Snort.

@terafilgit

Hi finchy,
I've read a lot about snort 2.9/3 in pfsense and for now snort 3 is not supported. Is there a path where I can manually put the ruleset in pfsense 2.5.2?
I am in this situation:
[image]

@finchy
Collaborator

finchy commented Dec 9, 2021

I have no idea
