[Snort-users] wget to snort.org fails; 301 redirect to 127.0.0.1

Joel Esler (jesler) jesler at ...589...
Fri Aug 15 12:29:58 EDT 2014


Or you could use www.snort.org<http://www.snort.org>, instead of the naked domain.

On Aug 15, 2014, at 12:28 PM, Tony Robinson <deusexmachina667 at ...11827...<mailto:deusexmachina667 at ...11827...>> wrote:

For the time being (Until Joel says this isn't an issue anymore) the work-around is very simple:

wget --user-agent "you can put anything in here" snort.org<http://snort.org/>

worked for me.


On Thu, Aug 14, 2014 at 4:36 PM, Joel Esler (jesler) <jesler at ...589...<mailto:jesler at ...589...>> wrote:
Tony,

We’re looking into the issue.  We have a ticket open to see if we can resolve the issue.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Aug 13, 2014, at 11:01 PM, Tony Robinson <deusexmachina667 at ...11827...<mailto:deusexmachina667 at ...11827...>> wrote:

I can confirm that a wget to https://snort.org<https://snort.org/> hangs indefinitely:

 wget https://snort.org<https://snort.org/>
--2014-08-13 22:19:36--  https://snort.org/
Resolving snort.org<http://snort.org/> (snort.org<http://snort.org/>)... 205.178.189.129
Connecting to snort.org<http://snort.org/> (snort.org<http://snort.org/>)|205.178.189.129|:443... failed: Connection timed out.
Retrying.

--2014-08-13 22:21:45--  (try: 2)  https://snort.org/
Connecting to snort.org<http://snort.org/> (snort.org<http://snort.org/>)|205.178.189.129|:443... failed: Connection timed out.
Retrying.

--2014-08-13 22:23:54--  (try: 3)  https://snort.org/
Connecting to snort.org<http://snort.org/> (snort.org<http://snort.org/>)|205.178.189.129|:443... failed: Connection timed out.
Retrying.

--2014-08-13 22:26:04--  (try: 4)  https://snort.org/
Connecting to snort.org<http://snort.org/> (snort.org<http://snort.org/>)|205.178.189.129|:443... failed: Connection timed out.
Retrying.

--2014-08-13 22:28:16--  (try: 5)  https://snort.org/
Connecting to snort.org<http://snort.org/> (snort.org<http://snort.org/>)|205.178.189.129|:443... failed: Connection timed out.
Retrying.

--2014-08-13 22:30:28--  (try: 6)  https://snort.org/
Connecting to snort.org<http://snort.org/> (snort.org<http://snort.org/>)|205.178.189.129|:443... failed: Connection timed out.
Retrying.

--2014-08-13 22:32:41--  (try: 7)  https://snort.org/
Connecting to snort.org<http://snort.org/> (snort.org<http://snort.org/>)|205.178.189.129|:443... failed: Connection timed out.
Retrying.

--2014-08-13 22:34:56--  (try: 8)  https://snort.org/
Connecting to snort.org<http://snort.org/> (snort.org<http://snort.org/>)|205.178.189.129|:443... failed: Connection timed out.
Retrying.

--2014-08-13 22:37:11--  (try: 9)  https://snort.org/
Connecting to snort.org<http://snort.org/> (snort.org<http://snort.org/>)|205.178.189.129|:443... ^C

The hanging occurs regardless of whether or not I spoof the user-agent. I suspect you're correct in that the initial server that does the 301 redirect has no listener on https (443/tcp). I CAN confirm that modifying the user-agent to something even dumber than my example above (e.g. wget --user-agent "wgetbypass" snort.org<http://snort.org/>) works perfectly; follows 301, downloads index page as needed. I could just as easily modify my code to add a spoofed user-agent to wget, but I'd really like to hear from the snort.org<http://snort.org/> crew why this is a thing and if I'm in violation of some user agreement/ToS if I bypass this.


On Wed, Aug 13, 2014 at 10:51 PM, Jefferson Diego Gomes Rosa <jeffersondiego8 at ...11827...<mailto:jeffersondiego8 at ...11827...>> wrote:
As you can see on "Moved Permanently", http://snort.org<http://snort.org/> has just a redirect to https://www.snort.org<https://www.snort.org/>.

https://snort.org<https://snort.org/> hangs until timeout is reached because there is no service really listening on 443 port of this address.

I don't know why just wget's user-agent is redirected to localhost , but you can still use wget directly with https://www.snort.org<https://www.snort.org/>:

wget -c https://www.snort.org<https://www.snort.org/>


2014-08-13 23:02 GMT-03:00 Tony Robinson <deusexmachina667 at ...11827...<mailto:deusexmachina667 at ...11827...>>:
Title says it all. Anyone notice this recently?

wget snort.org<http://snort.org/>
--2014-08-13 21:42:39--  http://snort.org/
Resolving snort.org<http://snort.org/> (snort.org<http://snort.org/>)... 205.178.189.129
Connecting to snort.org<http://snort.org/> (snort.org<http://snort.org/>)|205.178.189.129|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://127.0.0.1<http://127.0.0.1/> [following]
--2014-08-13 21:42:39--  http://127.0.0.1/
Connecting to 127.0.0.1:80...

If I fake the user-agent with ANYTHING, it's successful:

wget --user-agent "toteslegitnotafakeUA" snort.org<http://snort.org/>
--2014-08-13 21:49:23--  http://snort.org/
Resolving snort.org<http://snort.org/> (snort.org<http://snort.org/>)... 205.178.189.129
Connecting to snort.org<http://snort.org/> (snort.org<http://snort.org/>)|205.178.189.129|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.snort.org<http://www.snort.org/> [following]
--2014-08-13 21:49:23--  http://www.snort.org/
Resolving www.snort.org<http://www.snort.org/> (www.snort.org<http://www.snort.org/>)... 50.19.124.119,
54.225.152.149, 54.243.242.66
Connecting to www.snort.org<http://www.snort.org/> (www.snort.org<http://www.snort.org/>)|50.19.124.119|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.snort.org/ [following]
--2014-08-13 21:49:24--  https://www.snort.org/
Connecting to www.snort.org<http://www.snort.org/> (www.snort.org<http://www.snort.org/>)|50.19.124.119|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34907 (34K) [text/html]
Saving to: `index.html'

100%[================================================================>]
34,907      --.-K/s   in 0.02s

2014-08-13 21:49:24 (1.76 MB/s) - `index.html' saved [34907/34907]

Cursory glance I would guess .htaccess is blacklisting wget as a user-agent.

Is there a reason for this? I use wget to pull the index page and
determine the current version of snort to download from the page. I
don't repeatedly do this, only when installing  Snort on a new
machine.

Too long;didn't read:
wget to snort.org<http://snort.org/> redirects to localhost.
wget to snort.org<http://snort.org/> with any other user-agent results in happy index.html
wget to https://snort.org<https://snort.org/> no user-agent modification hangs until
timeout is reached.

why is this a thing?

--
when does reality end? when does fantasy begin?

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!



--



Best Regards,







Jefferson “Diede” Diego


















--
when does reality end? when does fantasy begin?
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!




--
when does reality end? when does fantasy begin?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140815/76ea3235/attachment.html>


More information about the Snort-users mailing list