[Snort-users] PulledPork 500 error

Dave Corsello snort-users at ...15598...
Wed Apr 16 10:38:23 EDT 2014


Okay, I just verified that 23.23.165.79 is blacklisted at another
location.  So, it's not just my system.

On 4/16/2014 10:20 AM, Joel Esler (jesler) wrote:
> Possibly.  We changed load balancers recently because of increased
> downloads, but that’s it.
>
>
> On Apr 16, 2014, at 9:55 AM, Dave Corsello
> <snort-users at ...15598...
> <mailto:snort-users at ...15598...>> wrote:
>
>> Pulledpork runs daily.  It's good to know that VRT didn't blacklist
>> the server.  But the question of how it got into my blacklist
>> remains.  Is the Amazon server in question a legitimate part of your
>> rules delivery system?  If so, is it possible that the list gets
>> altered somehow when it's handed off to Amazon?  What possible hack
>> scenario could account for the address being added to my blacklist only?
>>
>> Come to think of it, this isn't the first time this has happened. 
>> When I first implemented the reputation preprocessor, the IP
>> addresses 23.23.143.164 and 23.23.152.48 were blacklisted, and this
>> caused pulledpork to fail.  At that time, I added those addresses to
>> my whitelist as a work around.  So, given that this happened right
>> off the bat, it seems less likely to me that my system in particular
>> has been hacked.
>>
>> On 4/16/2014 9:29 AM, Joel Esler (jesler) wrote:
>>> Yeah, I’m not understanding that either.  That IP is not on our
>>> blacklist.  How often do you update the IP blacklist?
>>>
>>> --
>>> *Joel Esler*
>>> Open Source Manager
>>> Threat Intelligence Team Lead
>>> Vulnerability Research Team
>>>
>>> On Apr 16, 2014, at 9:19 AM, Dave Corsello
>>> <snort-users at ...15598...
>>> <mailto:snort-users at ...15598...>> wrote:
>>>
>>>> Any thoughts on this?
>>>>
>>>> I'm able to get pulledpork to run successfully by adding
>>>> 23.23.165.79 to my whitelist.  But my concern is that pulledpork or
>>>> my DNS has been hijacked to pull info from a server that VRT has
>>>> intentionally blacklisted.  The other possibility is that the IP
>>>> was added in error to the blacklist.
>>>>
>>>> Am I the only person whose blacklist contains 23.23.165.79?  If so,
>>>> then I clearly have big problems.  The fact that no one else is
>>>> reporting pulledpork failures indicates that this might be the
>>>> case, although it could also indicate that few open source users
>>>> are using Snort inline...
>>>>
>>>> On 4/15/2014 11:01 AM, Dave Corsello wrote:
>>>>> Sorry again for the confusion.  23.23.165.79 is included in my
>>>>> default.blacklist file, which is maintained by pulledpork.
>>>>>
>>>>> Pulledpork is configured to get the blacklist from labs.snort.org
>>>>> <http://labs.snort.org/>.  Is that the way it should be configured?
>>>>>
>>>>> It looks like labs.snort.org <http://labs.snort.org/> is handing
>>>>> the request off to an Amazon server at the IP address in
>>>>> question.  Is that the way it's supposed to work?
>>>>>
>>>>> On 4/13/2014 12:10 AM, Dave Corsello wrote:
>>>>>> My apologies.  I can't find the IP address in any backup of the
>>>>>> IP blacklist.  I assumed the address must have been in the
>>>>>> blacklist because of the following alerts in BASE:
>>>>>>
>>>>>> ID            Signature                                   Timestamp            Source              Destination        Proto
>>>>>> #4-(2-1375)   [snort] reputation: Packet is blacklisted   2014-04-11 XX:XX:XX  XX.XX.XX.XX:56579   23.23.165.79:443   TCP
>>>>>> #5-(2-1376)   [snort] reputation: Packet is blacklisted   2014-04-11 XX:XX:XX  XX.XX.XX.XX:56579   23.23.165.79:443   TCP
>>>>>> #6-(1-45791)  [snort] reputation: Packet is blacklisted   2014-04-11 XX:XX:XX  XX.XX.XX.XX:43678   23.23.165.79:443   TCP
>>>>>> #7-(1-45792)  [snort] reputation: Packet is blacklisted   2014-04-11 XX:XX:XX  XX.XX.XX.XX:43678   23.23.165.79:443   TCP
>>>>>> (signature reference: http://www.snort.org/search/sid/136-1)
>>>>>>
>>>>>>
>>>>>> Internal IPs and times are obscured.  It appears that neither
>>>>>> source nor destination IPs should have been blacklisted, but BASE
>>>>>> reports them as having been blacklisted by Snort.  The packets
>>>>>> were dropped;  the times and internal IPs correspond to the
>>>>>> failed pulledpork jobs.
>>>>>>
>>>>>> On 4/12/2014 9:28 AM, Joel Esler (jesler) wrote:
>>>>>>> The ip blacklist?
>>>>>>>
>>>>>>> --
>>>>>>> Joel Esler
>>>>>>> Sent from my iPhone
>>>>>>>
>>>>>>>> On Apr 12, 2014, at 7:05, "Dave Corsello" <snort-users at ...15598...> wrote:
>>>>>>>>
>>>>>>>> The problem is that the IP address of the Amazon server from which
>>>>>>>> PulledPork pulls VRT rules was added by VRT to the default blacklist. 
>>>>>>>> Any ideas why they might have done this?
>>>>>>>>
>>>>>>>>
>>>>>>>>> On 4/11/2014 2:20 PM, waldo kitty wrote:
>>>>>>>>>> On 4/11/2014 10:41 AM, Dave Corsello wrote:
>>>>>>>>>> I got the following error in PulledPork last night:  "A 500 error
>>>>>>>>>> occurred, please verify that you have recently updated your root
>>>>>>>>>> certificates!"  I made no changes.  Any ideas what might be happening?
>>>>>>>>> "root certificates" sounds like ssl certificates... heartbleed... wanna bet that 
>>>>>>>>> some certificates have been updated during heartbleed remediation and you now 
>>>>>>>>> need to update the certificates your system(s) use...
>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>> Put Bad Developers to Shame
>>>>>>>> Dominate Development with Jenkins Continuous Integration
>>>>>>>> Continuously Automate Build, Test & Deployment 
>>>>>>>> Start a new project now. Try Jenkins in the cloud.
>>>>>>>> http://p.sf.net/sfu/13600_Cloudbees
>>>>>>>> _______________________________________________
>>>>>>>> Snort-users mailing list
>>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>>> Snort-users list archive:
>>>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>>>>
>>>>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>>>>>
>>>
>>
>

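The check the thread arrives at by hand (find the rule-download host's address inside default.blacklist, then whitelist it) can be scripted so it runs before each PulledPork job. The following is an added example written for this archive page; it is not Snort, PulledPork or VRT code and was not posted by anyone in the thread. The blacklist text and the DNS answers are constructed samples; the only live call, resolve_hosts(), uses the standard socket.getaddrinfo and is not used in the offline run. The file path in the closing comment is a placeholder.

```python
#!/usr/bin/env python3
"""Cross-check a Snort reputation blacklist against the addresses the
rule/blacklist download hosts resolve to.  If an update host's address
sits inside a blacklist entry, an inline sensor drops the download
traffic and PulledPork fails, as described in this thread.
Added example; not Snort, PulledPork or VRT code."""
import ipaddress
import socket

# Constructed sample in default.blacklist syntax (comments, blank lines,
# bare addresses, CIDR blocks).  Not the real VRT list.
SAMPLE_BLACKLIST = """\
# constructed sample blacklist
192.0.2.0/24
23.23.165.79
203.0.113.7
198.51.100.0/25   # trailing comment is ignored

not-an-address
"""

# Constructed stand-in for DNS answers: host -> addresses it resolved to.
SAMPLE_RESOLVED = {
    "labs.snort.org": ["23.23.165.79", "23.23.143.164"],
    "www.snort.org": ["203.0.113.200"],
}


def parse_blacklist(text):
    """Parse reputation-list text into (networks, bad_lines).

    networks: list of (ip_network, line_number); bad_lines: list of
    (line_number, text) for entries ipaddress could not parse."""
    networks, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            networks.append((ipaddress.ip_network(entry, strict=False), lineno))
        except ValueError:
            bad.append((lineno, entry))
    return networks, bad


def resolve_hosts(hosts, port=443):
    """Live lookup of every A/AAAA answer for each update host."""
    resolved = {}
    for host in hosts:
        addrs = {info[4][0] for info in
                 socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)}
        resolved[host] = sorted(addrs)
    return resolved


def find_self_blocks(blacklist_text, resolved):
    """Return {host: [(address, matching_entry, line_number)]} for every
    update-host address that falls inside a blacklist entry."""
    networks, _ = parse_blacklist(blacklist_text)
    hits = {}
    for host, addrs in resolved.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            for net, lineno in networks:
                if ip.version == net.version and ip in net:
                    hits.setdefault(host, []).append((addr, str(net), lineno))
    return hits


def whitelist_lines(hits):
    """Render the blocked update-host addresses as whitelist entries
    (same one-entry-per-line syntax as the blacklist)."""
    addrs = {addr for entries in hits.values() for addr, _, _ in entries}
    ordered = sorted(addrs, key=lambda a: (ipaddress.ip_address(a).version,
                                           ipaddress.ip_address(a)))
    return [f"{a}   # rule-update host; pass it so PulledPork can fetch"
            for a in ordered]


if __name__ == "__main__":
    # Offline run on the constructed data.  For a real check, swap in
    # resolve_hosts(["labs.snort.org", ...]) and the contents of your own
    # default.blacklist (path/to/default.blacklist is a placeholder).
    hits = find_self_blocks(SAMPLE_BLACKLIST, SAMPLE_RESOLVED)
    for host, entries in hits.items():
        for addr, net, lineno in entries:
            print(f"{host}: {addr} matches blacklist entry {net} (line {lineno})")
    print("\n".join(whitelist_lines(hits)))
```

Running the check against the live list each time PulledPork refreshes default.blacklist, and alerting on any hit rather than silently whitelisting, keeps the distinction the thread cares about: an update host that is merely collateral in a CIDR entry versus a host that was deliberately listed.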