shirkdog / pulledpork Goto Github PK

non comment lines other than disablesid, enablesid or modifysid go into pp.con

I've used this successfully on a couple of large oinkmaster.conf files

as always ymmv.

usage: perl oink-conv oinkmaster.conf


#! /usr/bin/perl -w

# simple script to convert oinkmaster conf files to the files that PulledPork 
understands... 

open(DIS, ">disabled.conf") || die "failed to open disabled file"; 
open(EN, ">enabled.conf") || die "failed to open enabled file"; 
open(MOD, ">modified.conf") || die "failed to open modified file"; 
open(PP, ">pp.conf" )|| die "failed to open pp.conf file"; 

while ( <> ) {
    chomp;
    s/^\s+//;
    next if /^#/;
    next if /^$/;
    s/(#.*)$//;   # remove comment
       $comment = $1 || '';
    if( s/^disablesid\s+//i ) {   #disablesid 184, 221, 230, 241, 251, 253, 254, 257

    print DIS "1:", join( ", 1:", split(/\s*,\s*/, $_ ) ), " # $comment\n";
    } elsif( s/^modifysid\s+//i ) {  #  modifysid 2001855  "type limit, count 1, seconds 360" | "type both, count 4, seconds 600"
    my @sids; #  = undef;
    while( s/^(\d+)// ) {
        push( @sids, $1);
        s/^\s*,\s*//;
    }
    print MOD "1:", join( ", 1:", @sids ), " $_ # $comment\n";

    } elsif( s/^enablesid\s+//i ) {
    print EN "1:", join( ", 1:", (split(/\s*,\s*/, $_ )) ), " # $comment\n";
    } else {
    print PP "$_\n";
    }
}

Hi,

first thanks for writing this great tool ;)

Since the pulledpork has emergingthreats.net rules as second option it will
be nice to have an option to include/exclude rules which triggers fwsam alerts.
Right now I try to do it this way (works for me)
disablesid.conf:
1:2000000-1:2404998

enablesid.conf
fwsam

Note I have to use 1:2404998 instead off 2404999 since it seems with ranges
there is a count by 1 difference.

What steps will reproduce the problem?
1. Use CentOS instead of Centos in the pulledpork.conf
2. Notice the .so files are not being installed

What version of the product are you using? On what operating system?
0.4.1

Please provide any additional information below.
pulledpork.conf says to use CentOS for all of the CentOS flavors, but the
rules tarballs are using Centos for some of the directories. This is just a
quick documentation fix.

I've just spent an hour tearing my hair out :)

I made a typo in the file name for the disabled sid file and the could not 
figure out why the file was apparently being ignored -- which it was for good 
reason.

A simple warning if a file is specified but not present would be nice!

Add functionality to generate sid-msg.map for all active rules?

An issue has been discovered that caused some systems to not properly check 
the MD5 value of the latest tarball against the currently running ruleset.  
This issue has been corrected in the current version checked into SVN

JJC

.

What steps will reproduce the problem?
1. Download the file since the snort.org update yesterday
2. The md5 file contents have changed
3.

What is the expected output? What do you see instead?
The md5 should match and a download should not occur if they match
Instead the contents don't contain just the absolute hash from the md5...
thus a download loop occurs

BASE provides links for [rule] and [local] that allow you to view the rule 
definition itself and the signature documentation (12634.txt for instance).  
I'd like to see an option in PP to have it copy those files to a directory 
(specified in the conf file) after unpacking the rules tarball.

This is an enhancement request -- can't figure out how to tag it as such...

I have several different sensor configurations each with multiple sensors.  I 
manage these all from a central box.  
Current set up with oinkmaster is that I have a script that checks MD5s of all 
the tarballs and download any that have changed -- I then unpack the tarballs.

I then run oinkmaster for each set of sensors and generate the rule sets and 
push them out to the sensors and restart them.

I also use both VRT and ET rules so I need multiple feeds (but I see Mike L has 
prompted you on that one :)

So what I want is an equivalent of the oinkmaster "directory" configuration 
option.  Otherwise we end up pulling the VRT rules 3 times and getting 503 and 
it will take all night :)

Thanks, Russell

What steps will reproduce the problem?
1.  If a rule has a whitespace inbetween SID: and the number, it can not be
disabled with disablesid.conf

ex.  rule 2001564 emerging-malware.rules.  

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
MarketScore.com Spyware Proxied Traffic"; flow: to_server,established;
content:"X-OSSProxy\: OSSProxy"; reference:url,www.marketscore.com;
reference:url,www.spysweeper.com/remove-marketscore.html; classtype:
policy-violation;
reference:url,doc.emergingthreats.net/bin/view/Main/2001564;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Ma
rketScore;
sid: 2001564; rev:6;)


What is the expected output? What do you see instead?

it will not get disabled..

What version of the product are you using? On what operating system?

v03.4, osx 10.5.8

Please provide any additional information below.

I corrected this situation by modifing the line

                          if (($txtsid ne "") &&
($rule_line=~/sid:$txtsid;/i)) {


in the disablesid part of the script to

                          if (($txtsid ne "") &&
($rule_line=~/sid:\s*$txtsid;/i)) {

What version of the product are you using? On what operating system?
pulledpork-0.5.0 on CentOS 5.5


Please provide any additional information below.
Follow up on issue #36...

Tested the new pp with proxy and it wasn't working. Requests were not being 
sent through proxy and received the following output...


MY HTTPS PROXY = http://user:[email protected]:9090
Checking latest MD5 for snortrules-snapshot-2861.tar.gz....
    Fetching md5sum for: snortrules-snapshot-2861.tar.gz.md5
    Error 500 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2861.tar.gz.md5 at /export/scripts/pulledpork.pl line 390
    main::md5file('oinkcode', 'snortrules-snapshot-2861.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /export/scripts/pulledpork.pl line 1386


Please see below for code that is working for me. 

# set some UserAgent and other connection configs
$ua->agent("$VERSION");
# Note, this doesn't work on CentOS 5.5 (outdated LWP::UserAgent)
#$ua->show_progress(1) if $Verbose; 

# New Settings to allow proxy connections to use proper SSL formating - Thx 
pkthound!
$ua->timeout(15);
$ua->cookie_jar( {} );
$ua->protocols_allowed( [ 'http', 'https' ] );
my $proxy = $ENV{http_proxy};

if ($proxy) {
    $ua->proxy( ['http'], $proxy );

    # Check if credentials are in proxy url
    if ( $proxy =~ /^http:\/\/(.+):(.+)@(.+)$/i ) {
        my $user = $1;
        my $pass = $2;
        my $proxy = $3;

        $ENV{HTTPS_PROXY} = "http://" . $proxy;
        $ENV{HTTPS_PROXY_USERNAME} = $user;
        $ENV{HTTPS_PROXY_PASSWORD} = $pass;

        #print "Proxy: $proxy\n";
        #print "User: $user\n";
        #print "Pass: $pass\n";

   }
   else {
      $ENV{HTTPS_PROXY} = $proxy;
   }
}


Thanks

James

I use less than half the rule files from VRT and ET tarballs -- it is much 
easier for me to specify what I want than what I don't want.  It also means 
that when new rule files appear I get to choose whether to use them or not :)

I have coded this if you are interested in the patch if you want it.

For those of us that write our own rules and place them in the local.rules
file, it would be nice if pulledpork would ignore the local.rules file.

First of, thanks so much for this great script!

What steps will reproduce the problem?
1. Install a squid proxy server that requires authentication
2. On a CentOS 5.5 server, ensure you have required perl modules
3. http_proxy=http://user:[email protected]:port
4. https_proxy=http://user:[email protected]:port 
5. Run pulledpork.pl with double verbose output.

What is the expected output? What do you see instead?
I expect to have the rules downloaded and the getstore() function to return a 
200 response code. Instead, the rules fail to download and I get a 503 
response.  


What version of the product are you using? On what operating system?

Snort Server
-------------
CentOS 5.5
pulledpork-0.4.2
perl-Crypt-SSLeay-0.51-11.el5
perl-libwww-perl-5.805-1.1.1
perl-Archive-Tar-1.39.1-1.el5_5.1

Proxy Server
-------------
squid-3.0.24


Please provide any additional information below.

I'm pretty sure it's the LWP::Simple->getstore() function not behaving 
correctly with proxies and redirects. Using wget to download the rules, does 
not have the same problem. Comparing the squid logs of wget and getstore().

1) wget
TCP_MISS/302 981 GET 
http://www.snort.org/reg-rules/snortrules-snapshot-2860.tar.gz/oinkcode 
TCP_MISS/200 20453072 CONNECT s3.amazonaws.com:443 

2) getstore()
TCP_MISS/302 981 GET 
http://www.snort.org/reg-rules/snortrules-snapshot-2860.tar.gz/oinkcode
GET 
https://s3.amazonaws.com/snort.org/rules/20100915/snortrules-snapshot-2860.tar.g
z?...

The difference is that wget uses the CONNECT method to tunnel the ssl request 
through the proxy (after the redirect). getstore(), on the other hand, tries 
another GET request, which will always fail since we're being redirected a site 
that uses ssl.

Without using a proxy, pulledpork and getstore() work correctly as expected 
(since CONNECT is not required).

For the time being, I'll be modifying my pulledpork.pl to use wget instead of 
getstore. Thought I'd mention this issue so you were aware.

Again, thanks for this great script!

James

Need to add OpenSUSE-11-3 to the list of precompiled SO rules

What steps will reproduce the problem?
1. Not sure
2.
3.

What is the expected output? What do you see instead?
I am getting "can't exec "/etc/tmp" Permission denied at ./pl line 161"

What version of the product are you using? On what operating system?
Pulled_Pork v0.2.2 on Linux Centos 5.1

Please provide any additional information below.
It seems to be a permission issue. But the user I am running pulledpork.pl
as has all the permission to /etc/tmp.

What steps will reproduce the problem?
1. Run pulledpork to update the rules

What is the expected output? What do you see instead?
I expect the running snort process to keep on running, instead it segfaults

I run pulledpork to update the so_rules, so it then starts a separate snort
process to generate the rules, at this point, my in-line snort process dies
and traffic comes to a halt, this is undesirable.

Are there any solutions or work arounds ?

related to 35:

I've included a patch against 0.5.0 to include two new configuration options:

1/ include <list of rule files>  (works just like ignore option)
2/ Etc_path <path>   ( copy the contents of the etc director here )

1/ provides a straight forward way of mimicking including a list of files in 
rule files in snort.conf.  This ability disappeared when PP but all rules into 
a single file.

The problem as I see it is that rule categories is not equivalent to the 
original rule files as some rules are shipped in the files already disabled. 

Future request to sort the sids in the sid-msg.map file numerically. 

What steps will reproduce the problem?
1.  On a server with egress filtering, only allow outbound access to 
www.snort.org (not 
dl.snort.org).
2.  Initiate the pulledpork download.

What is the expected output? What do you see instead?
I would expect pulledpork to say that www.snort.org returned an HTTP 302 
Redirect and that it 
was attempting to download from dl.snort.org now.  Instead, it just hangs and 
eventually fails 
with:
Error 500 when fetching 
http://www.snort.org/pub-bin/oinkmaster.cgi/snortrules-snapshot-
2860.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 306.

What version of the product are you using? On what operating system?
PulledPork 0.4.1 on RHEL 5

Please provide any additional information below.

Maybe a better explanation for dropsid.conf

When the -I tag is used in order to specify which policy pulled pork should run 
(security/connectivity, etc) local.rules is modified.  This should not happen.

Fix it.

JJ,

I was manually checking on my updates, so I went and ran the new version of
pulledpork and noticed I was getting the following:
"Fetching md5sum for comparing from:
http://www.snort.org/pub-bin/oinkmaster.cgi/snortrules-snapshot-2.8.tar.gz.md5
Error 500 when fetching
http://www.snort.org/pub-bin/oinkmaster.cgi/snortrules-snapshot-2.8.tar.gz.md5
at /root/pulledpork/pulledpork.pl line 262."

In order to troubleshoot, I cracked open the pulledpork.conf file and
appended my oinkcode to the end of 'base_url' and saved and re-ran the
script... this time it worked.  It seems as though the url composition in
the code is leaving out the base-url variable and trailing (or leading) /.
...I took a look at the source and in the rulefetch subroutine, I see the
logic for this is there, so it seems like the sanity check (if/then) that
looks for the existence of snort.org in the base_url is getting botched up
(perhaps a wild accusation).  I would have stepped through this with a
debugger to verify, but I didn't want you to feel like I was doing your job ;-)

Oh, and this is on Debian.

What steps will reproduce the problem?
1. Include a rules_url entry that pulls ET (emergingthreats) rules
2.
3.

What is the expected output? What do you see instead?
Expected that the SO rules file will be refreshed - it isn't

What version of the product are you using? On what operating system?
0.5.0 on Centos5.5

Please provide any additional information below.
Running without an ET rules_url entry updates the SO rules file as expected.

What steps will reproduce the problem?
1. Use of "pcre:" and other syntax in modifysid.conf is ignored
2.
3.

What is the expected output? What do you see instead?
It would be great if modifysid had the same rule matching options as the 
enablesid, disablesid and dropsid.

What version of the product are you using? On what operating system?
0.5.0 on Centos-5-5

Please provide any additional information below.

This isn't a bug, just an FYI. I'm working on a package/ebuild for pulled
pork for the Gentoo Linux distro. I thought I would mention that when the
tarball name does not match the apps version it can cause grief for package
maintainers, especially for sourced based distros like Gentoo.

ex.
pulledpork20091013.tar.gz <-> pulledpork v0.2.5

This make life easier for us...

pulledpork-0.2.5.tar.gz <-> pulledpork v0.2.5

You probably don't care but I thought I'd throw it out there any ways...

ET ruleset SID 2007929 msg field has a backslash in it.  when pulledpork makes 
the sid-msg.map it does not include any text following the backslash.

Tested on the newest svn version on pulledpork (r154).

Summary says it all

happy to submit patch :)

What steps will reproduce the problem?
1.run pp with -nodownload and ask for so_rules
2.
3.

What is the expected output? What do you see instead?

snort does not run


What version of the product are you using? On what operating system?

latest from svn

I fixed this by moving the block that calls "gen_stubbs" out of the ! 
$nodownloads and after the $nodownloads block



Please provide any additional information below.

What steps will reproduce the problem?
1. Attempt to configure pulled-pork to download from more than one ruleset, for 
example both VRT and Emerging Threats.

What is the expected output? What do you see instead?
Expect to find the ability to configure multiple base-urls, or some other way 
of configuring multiple rule-sources.  Instead, there are no such options are 
available.

What version of the product are you using? On what operating system?
0.4.2, RHEL5.

Please provide any additional information below.
VRT + supplemental ET rules is not an uncommon configuration.  It's 
straightforward to configure in oinkmaster, but currently requires quite a bit 
of hoop-jumping involving multiple pulled-pork configs working in concert.

I might be missing something, but after reading the doc's and the -h I can
not seem to find a why to actually enable a rule that is disabled by
default. If you enable a rule that is disabled by default it gets clobbered
the next time pulledpork is run.

I would like to see two options here:

-e <path to enablesid.conf> 
This would support users that just need to enable a handful of rules.

-E
This would act similar to the oinkmaster functionality to enable all rules.
Some of us prefer to enable all rules and then disable those that we have
identified as not pertinent to our environments. This actually ties into an
separate issue I'll open in a few minutes.

The order would be important here. If you use -I then -e would need to
occur after -I. This would also mean that -I and -E should not be run
together. A sanity check to ensure the same GID:SID is not in both -i and
-e might be in order or at the very least clearly document which one takes
precedence.

I've struck another issue (again because I am not doing the rule processing on 
the real sensor). This again involves the running of snort.  My current problem 
is that the box that I am running pp on is i386 but the sensors are amd64.

One option is that we throw up a new VM with the appropriate version of RHE and 
move everything over, we may well do this since we need a platform to build 
snort packages anyway.

But one thing occurs to me -- we don't need to generate the stub rules as they 
are already in the rule tarball so why does pp not use these? (as I have been 
doing up to now).

Am I missing something?

looking at the code it seems to me that I could modify extract_rules very 
easily to pull out the so_rules if the appropriate config var was set and that 
we only run snort if we really have to.

I would add config vars sensor_arch and get_so_tarball ...

This would also mean that I would not need to pass extra parameters into snort 
since I would not have to run snort.

This is kind of like what I think you might be doing for -I.

There are rules related to particular services or applications that,
depending on the environment, will never be relevant to a sensor. For
example, none of my sensors ever need to have rules enabled for anything
related to McAfee, Sophos, BrightStor, MailEnable, etc (I have a list of
40+ keywords I currently search for). Any new rules for these will always
be irrelevant unless my environment changes.

I spend a lot of time playing games with grep and cut to find rules with
these terms in the msg: section of rules and then outputting their SID to
my onikmaster.conf. Especially when deploying a new sensor.

Same holds true to some extent for reference: section of a rule (but I have
to be more careful when using this section). For example I know what
Windows servers have what patches, so if all the servers a sensor is
monitoring are up to date with patches anything in the reference: section
with a MS00, MS01, MS02...etc are not needed.

The ability to do this on the fly would be immensely helpful and cut down
on the amount of time it takes to enable/disable rules when an update is
released.

I could see two possible options here:

1) keyword.conf at run time.

Syntax: <rule option>:<keyword>
Example: msg:MailEnable

That would search only the msg: section of all rules and disable any rule
with MailEnable in it.

Pros:
Very helpful

Cons:
Increases the amount of time it would take to run Pulledpork. This actually
would not take too long if you only look for rules that are currently
enabled. Also, it would not be too bad if you implemented an oinkmaster'ish
skipfile: option in pulledpork.conf to skip entire files that you are just
going to disable in snort.conf anyway (also currently needed for
local.rules BTW...). 

2) keyword.conf non-runtime

Same syntax but instead of disabling the rule during an update send the
rule's GID:SID to disablesid.conf to be used later during an actual update. 

You would have to make a call about case sensitivity of the search in
either case. And the order it occurs in compared to -I (and -E/e from the
other issue I opened).

It would be nice if pulledpork could change rule actions:

- have a default rule action, eg: alert, drop etc.
- change only specific rule actions, eg:  sid:882 to drop

What steps will reproduce the problem?
1. Run pulledpork with -nTH -vv
2.
3.

What is the expected output? What do you see instead?

Output indicates -H option should be run with -T. -T option does not appear to 
be read.

What version of the product are you using? On what operating system?


Please provide any additional information below.

What steps will reproduce the problem?
1. A line in modifysid.conf like:

1:469 "(.*msg:\s*\")(.*)" "${1}BLOCK: ${2}"

performs literal instead of regex substitution.

2.
3.

What is the expected output? What do you see instead?
It would be great if regex constructs could be used to insert the word BLOCK: 
at the beginning of the msg: stanza in the rule.

What version of the product are you using? On what operating system?
0.5.0 on Centos-5-5

Please provide any additional information below.

When configuring pulledpork to generate the dynamic rules from the shared
objects, it first copies the shared objects to the directory specified, but
includes the directories ('.' and '..') in the copy:

    ERROR! DOES NOT
EXIST:/tmp/tha_rules/so_rules/precompiled/CentOS-5.0/i386/2.8.4/.   Copying
/tmp/tha_rules/so_rules/precompiled/CentOS-5.0/i386/2.8.4/chat.so to
/usr/local/lib/snort_dynamicrule/chat.so
    Copying /tmp/tha_rules/so_rules/precompiled/CentOS-5.0/i386/2.8.4/imap.so
to /usr/local/lib/snort_dynamicrule/imap.so
    ERROR! DOES NOT
EXIST:/tmp/tha_rules/so_rules/precompiled/CentOS-5.0/i386/2.8.4/..Generating 
shared
object stubs via:/usr/sbin/snort -c /etc/snort/snort.conf
--dump-dynamic-rules=/etc/snort/so_rules/

What version of the product are you using? On what operating system?
* pulledpork HEAD (rev 151), FreeBSD-7.3

Please provide any additional information below.
* attached a diff to svn rev. 151 with some corrections for typos/spell changes
* update and sort the list of so_rules to current available so_rules (sorted by 
distro) in pulledpork.(pl|conf)
* change message "Please review the Changelog ..." to
  "Please review $sid_changelog ..., if $sid_changelog is defined.

Please review the patch, I replaced some words like 'thusly' which cannot by 
found in any dictionary (I'm no native English speaker).

HI JJ

Finally got back to PP and I am now converting all my stuff from oinkmaster to 
pp in earnest.  Thanks for the nodownload -  works nicely once I moved the call 
to gen_stubs.

The other thing that I have come up against is that I am running PP in a 
different environment to what snort will run on the sensor so he paths in the 
snort.conf file are wrong.  This can be easily fixed by passing a base path to 
snort with -s BASE=.....

So what I would like is to have a new var in the pp.conf 

snort-var='BASE=.....'

Russell

Need to add an option that allows for the automatic creation of archive(backup) 
tarballs of the current ruleset when updating

I'd like to see the ability to specify the location of the disablesid and
enablesid conf files in the main conf file.

Most of the time the default order of enable first then disable works fine, 
however sometime I would like to deploy a specific set for rules on a sensor. 
Currently it is difficult to disable everything and then enable a handful of 
rules. Adding an option that lets the user define the order of operation would 
be much appreciated.

"Please review the Changelog for additional detais Fly Piggy Fly!"

should be changed to:

"Please review the Changelog for additional details.  Fly Piggy Fly!"

This was one of my contributions to oinkmaster :)

In our environment I end up modifying either source or dest addresses to reduce 
FPs as an alternative to disabling the rule outright.  I also have added 
flowbit:noalert to a bunch of rule and tweaked the thresholds on others.

I currently have about 50 modify rules...

Not sure if anyone reported this to you or not, but I seem to have a problem 
with PulledPork v0.4.2 when it builds the sid-msg.map file from the emerging 
threats rules.  Some of the rules/sid pairs are not matching what they should 
be, somehow using some of the text of the previous rule.

I've attached my sid-msg.map for you to take a look at.  sid:2008489 is an 
example, and it seems to happen with the Suspicious User Agents rules often.  
I've never seen it happen with any VRT rules.

The line from the sid-msg.map:

2008489 || ET TROJAN Win32/Antivirus2008 || 
url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Susp
icious || url,doc.emergingthreats.net/bin/view/Main/2008489

Grepping my rules files for "sid:2008489" shows me:

emerging.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
USER_AGENTS Suspicious User-Agent (dwplayer)"; flow:established,to_server; 
content:"|0d 0a|User-Agent\: dwplayer"; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/bin/view/Main/2008489; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_A
GENTS_Suspicious; sid:2008489; rev:4;)

The current version of PP does not support disabling/enabling gid's other
than 1 and 3 in disablesid.conf and enablesid.conf. Need to at lease add
gid 138 due to the new sensitive data rules.

I found an oddity with the new enable option. Probably related to enabling
ranges.

The text "# SIMILAR RULES: sid:1125" appears in the current web-misc.rules
files. I have an enable range setup in my "enablesid.conf" that includes
SID 1125 in it, so I end up with a line in my post-PP rule file that says:

SIMILAR RULES: sid:1125

Which obviously causes Snort to choke when it starts.

Apparently PP is "enabling" this comment due to the mention of the sid in it.

Might need to add a check to ensure the line is actually a rule before
removing the # comment.

I am using a version fro SVN prior to 0.5.0 -- will retest as soon as I move to 
0.5.0

What steps will reproduce the problem?
1. run pulledpork with so_rules and *no* existing snort rule file (to be 
generated by pp run).
2. get error from snort about missing rule file 
3.run PP again now that rule file has been created and all is well

What is the expected output? What do you see instead?

So stub rules should be generated after the rule files.  This means that the 
rule stub files are based on the *previous* run of oinkmaster

What version of the product are you using? On what operating system?


Please provide any additional information below.

What steps will reproduce the problem?
1. try and run the program
2.
3.

What is the expected output? What do you see instead?
That is should update, instead, it only exists displaying the help screen,
never actually updating the rules.
Switching on -vv shows nothing

What version of the product are you using? On what operating system?
0.2.5, CentOS 5.3

Please provide any additional information below.
# pulledpork.pl -c /etc/pulledpork.conf -i /etc/disablesid.conf  -vv

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    Pulled_Pork v0.2.5
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009 JJ Cummings
  @_/        /  66\_  [email protected]
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\

Original issue reported on code.google.com by `[email protected]` on 15 Oct 2009 at 8:13

What steps will reproduce the problem?
1.  Set base_url=http://rules.emergingthreats.net/open/snort-2.8.6
2.  Run pulledpork.pl with previous ET config

What is the expected output? What do you see instead?
The files are all in the correct area, except for the MD5 sums.  An erroneous 
regex check is made to see if ET is being used.

What version of the product are you using? On what operating system?
0.4.2, CentOS 5.

Please provide any additional information below.
This patch will fix and allow for backward compatibility:
@315
+elsif ($base_url =~ /emergingthreats.net/i){
+  $getrules_md5 = 
getstore($base_url."/".$rule_file.".md5",$temp_path.$rule_file.".md5");
+}