[Snort-users] Rules updates broken?

René Bauer r.bauer at ...17041...
Thu Dec 11 11:09:04 EST 2014


Hi Guys,

we can confirm the following:
Ubuntu 14.04:
* pulledpork: OK
* wget: OK
* curl: OK

wget -V:
GNU Wget 1.15 übersetzt unter linux-gnu.

+digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/openssl

Wgetrc:
     /etc/wgetrc (System)
Lokale:
     /usr/share/locale
Übersetzt:
     gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
     -DLOCALEDIR="/usr/share/locale" -I. -I../../src -I../lib
     -I../../lib -D_FORTIFY_SOURCE=2 -I/usr/include -g -O2
     -fstack-protector --param=ssp-buffer-size=4 -Wformat
     -Werror=format-security -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall
Gebunden:
     gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
     -Werror=format-security -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall
     -Wl,-Bsymbolic-functions -Wl,-z,relro -L/usr/lib -lssl -lcrypto
     -ldl -lz -lidn -luuid ftp-opie.o openssl.o http-ntlm.o
     ../lib/libgnu.a

curl -V:
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f 
zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps 
pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL 
libz TLS-SRP

SLES 11 SP3:
* pulledpork: no chance
* wget: certificate problem / works with --no-check-certificate
* curl: SSLv3 handshake problem / can't force TLS

wget -V:
GNU Wget 1.11.4

curl -V:
curl 7.19.7 (x86_64-suse-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8j 
zlib/1.2.7 libidn/1.10
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

So I think Joel is right. It's just a problem with older versions of wget 
and curl. We also tried using the ca-cert path from Ubuntu under SLES with 
no success (curl --capath, wget --ca-directory). So I would say it's no 
cert issue but a problem while "handshaking" (protocols and ciphers).

We use the following workaround on SLES now:

wget -v --no-check-certificate 'https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz.md5?oinkcode=<code>' -O /tmp/snortrules-snapshot-2962.tar.gz.md5
wget -v --no-check-certificate 'https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=<code>' -O /tmp/snortrules-snapshot-2962.tar.gz
/opt/pulledpork-0.7.0/pulledpork.pl -c /opt/pulledpork-0.7.0/etc/pulledpork.conf -P -H -T -n

Edit URLs and paths as required.

Hth.

Ciao,
Rene


On 11.12.14 at 16:22, Doug Burks wrote:
> Hi Joel,
>
> Pulledpork 0.7 on Ubuntu 12.04 results in the following:
>
> Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
> Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5
> ** GET https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/OINKCODE-REDACTED
> ==> 500 Can't connect to www.snort.org:443 (certificate verify failed)
> Error 500 when fetching
> https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5 at
> pulledpork.pl line 463.
> main::md5file("OINKCODE-REDACTED", "snortrules-snapshot-2970.tar.gz",
> "/tmp/", "https://www.snort.org/reg-rules/") called at pulledpork.pl
> line 1847
>
> Thanks!
>
> On Thu, Dec 11, 2014 at 9:30 AM, Joel Esler (jesler) <jesler at ...589...> wrote:
>> We have moved to Cloudflare to balance the traffic we are receiving on the
>> site.  We had a particular user that shared an oinkcode somewhere, and as a
>> result we were dealing with over 35 Million downloads a day, so we had to
>> upgrade a bit.
>>
>> We have heard that older versions (or perhaps older cert trusts) of curl and
>> wget are having a problem navigating through Cloudflare over to the site.
>> It’s difficult for us to pin down as our tests work, and download numbers
>> are staying constant, however, we have had a few people (like yourselves)
>> say you can’t reach the site.
>>
>> I suggest the above.  (versions of curl/wget/cert trusts) and let me know
>> your results.
>>
>> --
>> Joel Esler
>> Open Source Manager
>> Threat Intelligence Team Lead
>> Talos
>>
>>
>>
>>
>>
>> On Dec 11, 2014, at 5:58 AM, elof at ...6680... wrote:
>>
>>
>> I too have this annoying issue.
>>
>> wget -v --debug 'https://www.snort.org/'
>> DEBUG output created by Wget 1.13.4 on linux-gnu.
>>
>> URI encoding = `UTF-8'
>> --2014-12-10 11:49:27--  https://www.snort.org/
>> Resolving www.snort.org (www.snort.org)... 104.28.24.35, 104.28.25.35,
>> 2400:cb00:2048:1::681c:1823, ...
>> Caching www.snort.org => 104.28.24.35 104.28.25.35
>> 2400:cb00:2048:1::681c:1823 2400:cb00:2048:1::681c:1923
>> Connecting to www.snort.org (www.snort.org)|104.28.24.35|:443...
>> connected.
>> Created socket 4.
>> Releasing 0x0000000002278790 (new refcount 1).
>> GnuTLS: A TLS fatal alert has been received.
>> Closed fd 4
>> Unable to establish SSL connection.
>>
>>
>>
>> If you use Debian Stable you get wget 1.13.4.
>> Googling the error message hints that you need wget >= 1.15.
>>
>>
>> Does anyone have a workaround? I don't want to compile the latest wget
>> manually, since this breaks the ability to easily keep everything
>> up to date with 'apt-get upgrade'.
>>
>> /Elof
>>
>>
>> On Wed, 10 Dec 2014, waldo kitty wrote:
>>
>> On 12/10/2014 6:56 PM, Cary Townsend wrote:
>>
>> Hi All,
>>
>> We use wget to obtain rule updates from snort.org with our oink code, but it
>> is now broken.  Apparently, snort.org is now behind cloudflare, which denies
>> direct IP access.  Basically, the cert wget ultimately receives is
>> cloudflare's cert, not snort.org's.  A web browser seems to get redirected
>> somehow to the real snort site and gets the snort.org cert.  Thoughts?
>>
>>
>> wget works fine over here...  we've not seen any problems using it other
>> than a
>> few niggles here and there that were easily taken care of...
>>
>> do you perhaps mean amazonaws instead of cloudflare?
>>
>> what url are you using to get the rules? (obfuscate your oinkcode)
>>
>> what version of snort are you trying to get rules for?
>>
>> --
>> NOTE: No off-list assistance is given without prior approval.
>>        Please *keep mailing list traffic on the list* unless
>>        private contact is specifically requested and granted.
>>
>> ------------------------------------------------------------------------------
>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>> with Interactivity, Sharing, Native Excel Exports, App Integration & more
>> Get technology previously reserved for billion-dollar corporations, FREE
>> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort
>> news!
>>
>
>

-- 

Kind regards
René Bauer

on-collect solutions AG
Locations:
Karlstraße 3 in 89073 Ulm
Marktplatz 20 in 89257 Illertissen

Phone: +49 (0) 73 03 – 95 28 94 - 550
Fax: +49 (0) 73 03 – 95 28 94 - 511
E-Mail: r.bauer at ...17041...
Web: www.on-collect.de

Board of Directors: Dr. Joachim Schmid
Chairman of the Supervisory Board: Dr. Georg Nüßlein
Ulm District Court HRB 730793  -  Tax number: DE246631672

_____________________________________________________________
This e-mail contains confidential and legally protected information 
and is valid without signature. If you are not the intended recipient 
or have received this e-mail in error, please inform the sender 
immediately and destroy this message. Unauthorised copying and 
forwarding of this e-mail is not permitted.
_____________________________________________________________
This e-mail is confidential and may well also be legally privileged. If 
you have received it in error, you are on notice of its status. Please 
notify us immediately by reply e-mail and then delete this message from 
your system.
Please do not copy it or use it for any purposes, or disclose its 
contents to any other person: to do so could be a breach of confidence. 
Thank you for your cooperation.
_____________________________________________________________
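The workaround in Rene's message above turns off wget's certificate check, so the .md5 file and the tarball arrive over the same unauthenticated channel; a digest comparison then still catches a truncated or corrupted download, but it cannot tell a genuine snort.org from whatever answered the TLS handshake. The script below is an added example, not code from this thread or from the pulledpork project: it fetches the snapshot and its .md5 with certificate verification left on (so it is meant for a host whose wget and CA store can actually complete the handshake) and refuses to proceed unless the digest matches. The function names `verify_md5_file` and `fetch_and_verify` are my own, and the assumption that the .md5 file contains the 32-hex-digit digest somewhere in its text is not confirmed by the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from pulledpork: download the
# Snort rules snapshot and its companion .md5 with certificate verification
# left ON, then refuse to hand the tarball to pulledpork unless the digest
# matches. Assumption: the .md5 file contains the 32-hex-digit MD5 somewhere
# in its text (the first such token is used); the thread does not confirm this.

# verify_md5_file TARBALL MD5FILE
# Returns 0 when the tarball's MD5 equals the digest recorded in MD5FILE,
# 1 on any mismatch, missing file, or unparsable digest.
verify_md5_file() {
    tarball=$1
    md5file=$2
    [ -r "$tarball" ] && [ -r "$md5file" ] || return 1
    # Take the first 32-hex-digit token in the .md5 file, lowercased (assumed format).
    expected=$(grep -o -i -E '[0-9a-f]{32}' "$md5file" | head -n 1 | tr 'A-Z' 'a-z')
    [ -n "$expected" ] || return 1
    # md5sum prints "<digest>  <path>"; keep only the digest.
    actual=$(md5sum "$tarball" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# fetch_and_verify SNAPSHOT OINKCODE [DESTDIR]
# Fetches <snapshot>.md5 and <snapshot> from snort.org using the URL layout
# of the workaround above, keeps wget's certificate checking enabled, and
# returns non-zero if either download or the digest check fails.
fetch_and_verify() {
    snapshot=$1
    oinkcode=$2
    dest=${3:-/tmp}
    base="https://www.snort.org/rules/${snapshot}"
    # URLs are quoted so the shell never interprets the '?' or the oinkcode.
    wget -q "${base}.md5?oinkcode=${oinkcode}" -O "${dest}/${snapshot}.md5" || return 1
    wget -q "${base}?oinkcode=${oinkcode}" -O "${dest}/${snapshot}" || return 1
    verify_md5_file "${dest}/${snapshot}" "${dest}/${snapshot}.md5"
}

# Usage (needs network access and a valid oinkcode in $OINKCODE):
#   fetch_and_verify snortrules-snapshot-2962.tar.gz "$OINKCODE" /tmp \
#     && /opt/pulledpork-0.7.0/pulledpork.pl -c /opt/pulledpork-0.7.0/etc/pulledpork.conf -P -H -T -n
```

Chaining pulledpork behind `fetch_and_verify` with `&&` means a failed download or a digest mismatch leaves the old rule set in place instead of loading a partial tarball; on the SLES 11 hosts from the thread, where the handshake itself fails, the download step will simply return non-zero rather than silently falling back to an unverified connection.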
