[Snort-users] Rules updates broken?

Joel Esler (jesler) jesler at ...589...
Thu Dec 11 09:30:00 EST 2014


We have moved to Cloudflare to balance the traffic we are receiving on the site.  We had a particular user that shared an oinkcode somewhere, and as a result we were dealing with over 35 million downloads a day, so we had to upgrade a bit.

We have heard that older versions (or perhaps older cert trusts) of curl and wget are having a problem navigating through Cloudflare over to the site.  It’s difficult for us to pin down as our tests work, and download numbers are staying constant; however, we have had a few people (like yourselves) say you can’t reach the site.

I suggest the above (versions of curl/wget/cert trusts), and let me know your results.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos





> On Dec 11, 2014, at 5:58 AM, elof at ...6680... wrote:
> 
> 
> I too have this annoying issue.
> 
> wget -v --debug 'https://www.snort.org/'
> DEBUG output created by Wget 1.13.4 on linux-gnu.
> 
> URI encoding = `UTF-8'
> --2014-12-10 11:49:27--  https://www.snort.org/
> Resolving www.snort.org (www.snort.org)... 104.28.24.35, 104.28.25.35, 
> 2400:cb00:2048:1::681c:1823, ...
> Caching www.snort.org => 104.28.24.35 104.28.25.35 
> 2400:cb00:2048:1::681c:1823 2400:cb00:2048:1::681c:1923
> Connecting to www.snort.org (www.snort.org)|104.28.24.35|:443... 
> connected.
> Created socket 4.
> Releasing 0x0000000002278790 (new refcount 1).
> GnuTLS: A TLS fatal alert has been received.
> Closed fd 4
> Unable to establish SSL connection.
> 
> 
> 
> If you use Debian Stable you get wget 1.13.4.
> Googling the error message hints that you need wget >= 1.15.
> 
> 
> Does anyone have a workaround? I don't want to compile the latest wget 
> manually, since this breaks the ability to easily keep everything 
> up to date with 'apt-get upgrade'.
> 
> /Elof
> 
> 
> On Wed, 10 Dec 2014, waldo kitty wrote:
> 
>> On 12/10/2014 6:56 PM, Cary Townsend wrote:
>>> Hi All,
>>> 
>>> We use wget to obtain rule updates from snort.org with our oink code, but it
>>> is now broken.  Apparently, snort.org is now behind cloudflare, which denies
>>> direct IP access.  Basically, the cert wget ultimately receives is
>>> cloudflare's cert, not snort.org's.  A web browser seems to get redirected
>>> somehow to the real snort site and gets the snort.org cert.  Thoughts?
>> 
>> wget works fine over here...  we've not seen any problems using it other than a
>> few niggles here and there that were easily taken care of...
>> 
>> do you perhaps mean amazonaws instead of cloudflare?
>> 
>> what url are you using to get the rules? (obfuscate your oinkcode)
>> 
>> what version of snort are you trying to get rules for?
>> 
>> --
>> NOTE: No off-list assistance is given without prior approval.
>>       Please *keep mailing list traffic on the list* unless
>>       private contact is specifically requested and granted.
>> 
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 
> 

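The check suggested at the top of this message (client version first, then handshake versus certificate trust), as an added example that is not part of the original thread. The function names are hypothetical; the 1.15 threshold and the GnuTLS alert string come from the quoted report, and the `ERROR.*certificate` pattern is an assumption about how wget words certificate failures.

```shell
# Added example (not from the thread): triage a saved `wget --debug` log.
MIN_WGET="1.15"   # minimum version the quoted report says is needed

# version_ge A B: succeed when dotted numeric version A >= B.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$x" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$y" = "$b" ]; then b=""; else b=${b#*.}; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# wget_version_from_log FILE: version from the "created by Wget X.Y.Z" line.
wget_version_from_log() {
    sed -n 's/.*Wget \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' "$1" | head -n 1
}

# classify_wget_log FILE: handshake alert, certificate error, or unknown.
classify_wget_log() {
    if grep -q 'TLS fatal alert has been received' "$1"; then
        echo tls-handshake-alert      # string quoted in the thread
    elif grep -qi 'ERROR.*certificate' "$1"; then
        echo cert-trust               # assumed wording of wget cert errors
    else
        echo unknown
    fi
}

# triage_wget_log FILE: prints "<class> <version> <outdated|current|unknown>".
triage_wget_log() {
    ver=$(wget_version_from_log "$1")
    if [ -z "$ver" ]; then age=unknown
    elif version_ge "$ver" "$MIN_WGET"; then age=current
    else age=outdated
    fi
    echo "$(classify_wget_log "$1") ${ver:-?} $age"
}

# Constructed sample: two lines taken from the debug log quoted in the thread.
log=$(mktemp)
cat > "$log" <<'EOF'
DEBUG output created by Wget 1.13.4 on linux-gnu.
GnuTLS: A TLS fatal alert has been received.
EOF
triage_wget_log "$log"; rm -f "$log"
```

A `tls-handshake-alert` result with an `outdated` client points at the client's TLS stack rather than the trust store, so the version is the first thing to report back to the list.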