[Snort-users] PulledPork 500 error

Dave Corsello snort-users at ...15598...
Wed Apr 16 09:55:58 EDT 2014


Pulledpork runs daily.  It's good to know that VRT didn't blacklist the
server.  But the question of how it got into my blacklist remains.  Is
the Amazon server in question a legitimate part of your rules delivery
system?  If so, is it possible that the list gets altered somehow when
it's handed off to Amazon?  What possible hack scenario could account
for the address being added to my blacklist only?

Come to think of it, this isn't the first time this has happened.  When
I first implemented the reputation preprocessor, the IP addresses
23.23.143.164 and 23.23.152.48 were blacklisted, and this caused
pulledpork to fail.  At that time, I added those addresses to my
whitelist as a workaround.  So, given that this happened right off the
bat, it seems less likely to me that my system in particular has been
hacked.

On 4/16/2014 9:29 AM, Joel Esler (jesler) wrote:
> Yeah, I’m not understanding that either.  That IP is not on our
> blacklist.  How often do you update the IP blacklist?
>
> --
> *Joel Esler*
> Open Source Manager
> Threat Intelligence Team Lead
> Vulnerability Research Team
>
> On Apr 16, 2014, at 9:19 AM, Dave Corsello <snort-users at ...15598...> wrote:
>
>> Any thoughts on this?
>>
>> I'm able to get pulledpork to run successfully by adding 23.23.165.79
>> to my whitelist.  But my concern is that pulledpork or my DNS has
>> been hijacked to pull info from a server that VRT has intentionally
>> blacklisted.  The other possibility is that the IP was added in error
>> to the blacklist.
>>
>> Am I the only person whose blacklist contains 23.23.165.79?  If so,
>> then I clearly have big problems.  The fact that no one else is
>> reporting pulledpork failures indicates that this might be the case,
>> although it could also indicate that few open source users are using
>> Snort inline...
>>
>> On 4/15/2014 11:01 AM, Dave Corsello wrote:
>>> Sorry again for the confusion.  23.23.165.79 is included in my
>>> default.blacklist file, which is maintained by pulledpork.
>>>
>>> Pulledpork is configured to get the blacklist from labs.snort.org.
>>> Is that the way it should be configured?
>>>
>>> It looks like labs.snort.org is handing the
>>> request off to an Amazon server at the IP address in question.  Is
>>> that the way it's supposed to work?
>>>
>>> On 4/13/2014 12:10 AM, Dave Corsello wrote:
>>>> My apologies.  I can't find the IP address in any backup of the IP
>>>> blacklist.  I assumed the address must have been in the blacklist
>>>> because of the following alerts in BASE:
>>>>
>>>> 	ID            Signature                                         Time                  Source (obscured)    Destination         Proto
>>>> 	#4-(2-1375)   [snort 136:1] reputation: Packet is blacklisted   2014-04-11 XX:XX:XX   XX.XX.XX.XX:56579    23.23.165.79:443    TCP
>>>> 	#5-(2-1376)   [snort 136:1] reputation: Packet is blacklisted   2014-04-11 XX:XX:XX   XX.XX.XX.XX:56579    23.23.165.79:443    TCP
>>>> 	#6-(1-45791)  [snort 136:1] reputation: Packet is blacklisted   2014-04-11 XX:XX:XX   XX.XX.XX.XX:43678    23.23.165.79:443    TCP
>>>> 	#7-(1-45792)  [snort 136:1] reputation: Packet is blacklisted   2014-04-11 XX:XX:XX   XX.XX.XX.XX:43678    23.23.165.79:443    TCP
>>>>
>>>> Internal IPs and times are obscured.  It appears that neither
>>>> source nor destination IPs should have been blacklisted, but BASE
>>>> reports them as having been blacklisted by Snort.  The packets were
>>>> dropped;  the times and internal IPs correspond to the failed
>>>> pulledpork jobs.
>>>>
>>>> On 4/12/2014 9:28 AM, Joel Esler (jesler) wrote:
>>>>> The ip blacklist?
>>>>>
>>>>> --
>>>>> Joel Esler
>>>>> Sent from my iPhone
>>>>>
>>>>>> On Apr 12, 2014, at 7:05, "Dave Corsello" <snort-users at ...15598...> wrote:
>>>>>>
>>>>>> The problem is that the IP address of the Amazon server from which
>>>>>> PulledPork pulls VRT rules was added by VRT to the default blacklist. 
>>>>>> Any ideas why they might have done this?
>>>>>>
>>>>>>
>>>>>>> On 4/11/2014 2:20 PM, waldo kitty wrote:
>>>>>>>> On 4/11/2014 10:41 AM, Dave Corsello wrote:
>>>>>>>> I got the following error in PulledPork last night:  "A 500 error
>>>>>>>> occurred, please verify that you have recently updated your root
>>>>>>>> certificates!"  I made no changes.  Any ideas what might be happening?
>>>>>>> "root certificates" sounds like ssl certificates... heartbleed... wanna bet that 
>>>>>>> some certificates have been updated during heartbleed remediation and you now 
>>>>>>> need to update the certificates your system(s) use...
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users at lists.sourceforge.net
>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>>
>>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!

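The failure mode the thread circles around is an inline sensor dropping its own update traffic: the reputation preprocessor (the gid 136, sid 1 alerts in the BASE output above) drops the TCP/443 connection to the rules host, and LWP, the Perl HTTP client PulledPork uses, reports a connection it could not establish as a synthetic 500 response, which is why the error text about root certificates is misleading here. The script below is an added example, not code from this thread, from PulledPork or from Snort: a pre-flight check that parses the reputation lists in their own format (one IPv4/IPv6 address or CIDR block per line, `#` comments) and reports whether any address a download host resolves to would be dropped, treating an address that is on both lists as passed (the preprocessor's default `priority whitelist`, which is what the whitelist workaround relies on). The hostnames and resolved addresses are constructed sample data for the example, not a DNS lookup the script performs.

```python
# Pre-flight check for an inline Snort sensor that keeps itself updated with
# PulledPork: would the reputation preprocessor drop the very connections
# PulledPork needs?  Added example; not code from the thread, PulledPork or
# Snort.  The list syntax (one address or CIDR per line, '#' comments) is the
# reputation preprocessor's list format; the hostnames and resolved addresses
# below are constructed sample data, not a DNS lookup performed here.
from __future__ import annotations

import ipaddress
from typing import Iterable

# Constructed sample lists, modelled on the thread: the rules-download host
# resolves to an address that PulledPork itself wrote into default.blacklist.
SAMPLE_BLACKLIST = """\
# default.blacklist (constructed excerpt)
198.51.100.0/24   # RFC 5737 documentation range standing in for real entries
23.23.152.0/24    # covers 23.23.152.48 below
23.23.165.79
"""
SAMPLE_WHITELIST = """\
# white.list (constructed): the earlier workaround from the thread
23.23.143.164
23.23.152.48
"""
# Assumed name-to-address mapping for the example (not a real lookup).
SAMPLE_RESOLVED = {
    "labs.snort.org": ["23.23.165.79"],
    "www.snort.org": ["203.0.113.10"],
    "rules.example.invalid": ["23.23.152.48"],
}

RANK = {"pass": 0, "whitelisted": 1, "drop": 2}   # severity order for verdicts


def parse_reputation_list(text: str) -> list:
    """Parse a reputation list.  A malformed line raises ValueError instead of
    being skipped: an entry the parser cannot read is itself a finding."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r}: {exc}") from None
    return nets


def matching_entries(ip: str, nets: list) -> list[str]:
    """Entries that cover ip; a host inside a listed /24 matches that /24."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in nets if addr in n]


def verdict(ip: str, blacklist: list, whitelist: list) -> str:
    """'drop' when only the blacklist covers ip; 'whitelisted' when the
    whitelist also covers it (the preprocessor's default 'priority whitelist'
    setting, which the whitelist workaround in the thread relies on);
    otherwise 'pass'."""
    on_black = bool(matching_entries(ip, blacklist))
    on_white = bool(matching_entries(ip, whitelist))
    if on_black and on_white:
        return "whitelisted"
    return "drop" if on_black else "pass"


def check_endpoints(resolved: dict[str, Iterable[str]],
                    blacklist_text: str, whitelist_text: str) -> dict[str, dict]:
    """Worst-case verdict per download host plus the blacklist entries hit.
    A host is only safe if every address it can resolve to passes."""
    blacklist = parse_reputation_list(blacklist_text)
    whitelist = parse_reputation_list(whitelist_text)
    report: dict[str, dict] = {}
    for host, addrs in resolved.items():
        worst, hits = "pass", {}
        for ip in addrs:
            v = verdict(ip, blacklist, whitelist)
            if v != "pass":
                hits[ip] = matching_entries(ip, blacklist)
            worst = max(worst, v, key=RANK.__getitem__)
        report[host] = {"verdict": worst, "blacklist_hits": hits}
    return report


if __name__ == "__main__":
    report = check_endpoints(SAMPLE_RESOLVED, SAMPLE_BLACKLIST, SAMPLE_WHITELIST)
    for host, r in report.items():
        print(f"{host:24s} {r['verdict']:12s} {r['blacklist_hits']}")
```

In a cron job this belongs immediately ahead of the pulledpork run, with `SAMPLE_RESOLVED` replaced by what the sensor's own resolver returns at that moment (`socket.getaddrinfo` for each host in pulledpork.conf), since a CDN-fronted host can resolve to different addresses on different days. A "drop" verdict means the job will fail with the same misleading 500 whatever the certificates look like. The check says nothing about how the address got into the list; for that, keep dated copies of default.blacklist and diff successive downloads.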