[Snort-users] Rules updates broken?

Doug Burks doug.burks at ...11827...
Thu Dec 11 10:22:33 EST 2014


Hi Joel,

Pulledpork 0.7 on Ubuntu 12.04 results in the following:

Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/OINKCODE-REDACTED
==> 500 Can't connect to www.snort.org:443 (certificate verify failed)
Error 500 when fetching
https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5 at
pulledpork.pl line 463.
main::md5file("OINKCODE-REDACTED", "snortrules-snapshot-2970.tar.gz",
"/tmp/", "https://www.snort.org/reg-rules/") called at pulledpork.pl
line 1847

Thanks!

On Thu, Dec 11, 2014 at 9:30 AM, Joel Esler (jesler) <jesler at ...589...> wrote:
> We have moved to Cloudflare to balance the traffic we are receiving on the
> site.  We had a particular user that shared an oinkcode somewhere, and as a
> result we were dealing with over 35 million downloads a day, so we had to
> upgrade a bit.
>
> We have heard that older versions (or perhaps older cert trusts) of curl and
> wget are having a problem navigating through Cloudflare over to the site.
> It’s difficult for us to pin down as our tests work, and download numbers
> are staying constant, however, we have had a few people (like yourselves)
> say you can’t reach the site.
>
> I suggest the above.  (versions of curl/wget/cert trusts) and let me know
> your results.
>
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
>
>
>
>
>
> On Dec 11, 2014, at 5:58 AM, elof at ...6680... wrote:
>
>
> I too have this annoying issue.
>
> wget -v --debug 'https://www.snort.org/'
> DEBUG output created by Wget 1.13.4 on linux-gnu.
>
> URI encoding = `UTF-8'
> --2014-12-10 11:49:27--  https://www.snort.org/
> Resolving www.snort.org (www.snort.org)... 104.28.24.35, 104.28.25.35,
> 2400:cb00:2048:1::681c:1823, ...
> Caching www.snort.org => 104.28.24.35 104.28.25.35
> 2400:cb00:2048:1::681c:1823 2400:cb00:2048:1::681c:1923
> Connecting to www.snort.org (www.snort.org)|104.28.24.35|:443...
> connected.
> Created socket 4.
> Releasing 0x0000000002278790 (new refcount 1).
> GnuTLS: A TLS fatal alert has been received.
> Closed fd 4
> Unable to establish SSL connection.
>
>
>
> If you use Debian Stable you get wget 1.13.4.
> Googling the error message hints that you need wget >= 1.15.
>
>
> Does anyone have a workaround? I don't want to compile the latest wget
> manually, since this breaks the ability to easily keep everything
> up to date with 'apt-get upgrade'.
>
> /Elof
>
>
> On Wed, 10 Dec 2014, waldo kitty wrote:
>
> On 12/10/2014 6:56 PM, Cary Townsend wrote:
>
> Hi All,
>
> We use wget to obtain rule updates from snort.org with our oink code, but it
> is now broken.  Apparently, snort.org is now behind cloudflare, which denies
> direct IP access.  Basically, the cert wget ultimately receives is
> cloudflare's cert, not snort.org's.  A web browser seems to get redirected
> somehow to the real snort site and gets the snort.org cert.  Thoughts?
>
>
> wget works fine over here...  we've not seen any problems using it other
> than a few niggles here and there that were easily taken care of...
>
> do you perhaps mean amazonaws instead of cloudflare?
>
> what url are you using to get the rules? (obfuscate your oinkcode)
>
> what version of snort are you trying to get rules for?
>
> --
> NOTE: No off-list assistance is given without prior approval.
>       Please *keep mailing list traffic on the list* unless
>       private contact is specifically requested and granted.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!



-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
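
Added example, not part of the original thread and not pulledpork or Snort project code: the messages above show two different symptoms, `certificate verify failed` from pulledpork and a TLS fatal alert from wget, and this Python 3 probe makes one verified handshake with SNI to tell which of the two a given host runs into. The function names `probe` and `classify` and the category labels are assumptions of this example.

```python
import socket
import ssl


def classify(exc):
    """Map an exception from a TLS connection attempt to (category, detail)."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # A chain was received but the local CA bundle or the hostname
        # check rejected it: inspect the client's certificate trusts.
        return ("trust", getattr(exc, "verify_message", None) or str(exc))
    if isinstance(exc, ssl.SSLError):
        # The handshake was aborted (alert, no shared protocol or cipher):
        # inspect the version of the client and of its TLS library.
        return ("handshake", getattr(exc, "reason", None) or str(exc))
    if isinstance(exc, OSError):
        # DNS failure, refused connection, timeout: not a TLS problem.
        return ("network", str(exc))
    raise exc


def probe(host, port=443, cafile=None, timeout=10):
    """Attempt a verified TLS handshake with SNI; return (category, detail)."""
    # Verification and hostname checking stay enabled; cafile lets you
    # test an alternative CA bundle against the system default.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # issuer is a tuple of RDNs, each a tuple of (key, value).
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                name = issuer.get("commonName") or issuer.get("organizationName")
                detail = "%s, %s, issuer=%s" % (tls.version(), tls.cipher()[0], name)
                return ("ok", detail)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return classify(exc)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "www.snort.org"))
```

A `trust` result points at the CA bundle on the sensor, a `handshake` result at the age of the client's TLS stack; neither is a reason to turn certificate verification off for rule downloads.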



