Autosnort-Ubuntu/AVATAR fails on rule download #70

Open
jonsudo opened this issue Nov 15, 2020 · 4 comments

@jonsudo

jonsudo commented Nov 15, 2020

Hello da667,

I have been working through your Building Virtual Machine Labs book. It seems to be just the fit for college students who might have different classes in networking, software development, OSINT research, penetration testing, forensic analysis, and malware analysis. This would give them one consistent environment from which to perform a wide variety of tasks. I only wish I had found it at the beginning of my studies instead of the end. Thank you for writing it.

The only insurmountable problem I have run into is with the autosnort-ubuntu-AVATAR.sh script. It fails on 'Rule download for snort-2.9.16.1.' Your scripting prowess exceeds my ability to readily follow, so my apologies for not offering a solution. If I had to make a guess, I would say the problem is Snort deprecated ver. 2.9.16.1, but that is just a guess. I have posted my autosnort_install.log file for your review. Any recommendations?

autosnort_install.log

I have a class lab assignment that calls for Snort, but your autosubricata-deb-AVATAR.sh script executed without a hitch first time. The AFPACKET bridge works and my WinXP VM on IPS2 can get Internet (needed for this week's lab). The Professor will allow substitutions, so I am covered for this week's assignment.

This is a little off thread, but FYI purposes--I had trouble with downstream VMs accessing the Internet. pfSense did so just fine. I thought I had messed up something but then suspected they were just timing out. When I upgraded the recommended memory for the pfSense VM from 512MB to 1GB, everything worked just about as fast as it did on the pfSense machine directly. Does memory upgrade seem like a plausible explanation for what actually solved the problem or is it more likely I changed something else along the way that was the real solution?

Thanks again and I look forward to your reply,
JonSudo

@maquinde

Hi da667,

I am having the same issue. Same error posted in OP's logs.

@andrew-kline

I was able to bypass this issue by editing the `echo "version=0.7.4" >> pulledpork.tmp` line (line 468 of `autosnort-ubuntu-AVATAR.sh`) to `echo "version=0.8.0" >> pulledpork.tmp`. PulledPork is now on version 8. However, I am getting new errors related to broken Talos links. I'll see if I can troubleshoot.
autosnort_install-ak.log

@andrew-kline

andrew-kline commented Feb 21, 2021

If you change the Talos rule on line 452 in `autosnort-ubuntu-AVATAR.sh` to `echo "rule_url=https://snort.org/downloads/ip-block-list|IPBLOCKLIST|open"`, and change the version (comment above) to 0.8.0, it should work successfully.

@yashiwashi123

andrew-kline

You are awesome! I have been scratching my head at this all night and by happy coincidence you happened to make your comment just 30 minutes ago.
