[Snort-users] Rules updates broken?

Cary Townsend ctownsend at ...17040...
Fri Dec 12 10:44:40 EST 2014


Sorry, I went off-list for a bit.  wget 1.16 works fine from another
machine (windows / cygwin), so the latest theory is that it has to do with
our server.  I'm thinking the DDOS service of cloudflare is activated by
our hourly checks for new rules...

On Thu, Dec 11, 2014 at 7:22 AM, Doug Burks <doug.burks at ...11827...> wrote:
>
> Hi Joel,
>
> Pulledpork 0.7 on Ubuntu 12.04 results in the following:
>
> Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
> Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5
> ** GET
> https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/OINKCODE-REDACTED
> ==> 500 Can't connect to www.snort.org:443 (certificate verify failed)
> Error 500 when fetching
> https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5 at
> pulledpork.pl line 463.
> main::md5file("OINKCODE-REDACTED", "snortrules-snapshot-2970.tar.gz",
> "/tmp/", "https://www.snort.org/reg-rules/") called at pulledpork.pl
> line 1847
>
> Thanks!
>
> On Thu, Dec 11, 2014 at 9:30 AM, Joel Esler (jesler) <jesler at ...589...>
> wrote:
> > We have moved to Cloudflare to balance the traffic we are receiving on the
> > site.  We had a particular user that shared an oinkcode somewhere, and as a
> > result we were dealing with over 35 Million downloads a day, so we had to
> > upgrade a bit.
> >
> > We have heard that older versions (or perhaps older cert trusts) of curl and
> > wget are having a problem navigating through Cloudflare over to the site.
> > It’s difficult for us to pin down as our tests work, and download numbers
> > are staying constant, however, we have had a few people (like yourselves)
> > say you can’t reach the site.
> >
> > I suggest the above.  (versions of curl/wget/cert trusts) and let me know
> > your results.
> >
> > --
> > Joel Esler
> > Open Source Manager
> > Threat Intelligence Team Lead
> > Talos
> >
> >
> >
> >
> >
> > On Dec 11, 2014, at 5:58 AM, elof at ...6680... wrote:
> >
> >
> > I too have this annoying issue.
> >
> > wget -v --debug 'https://www.snort.org/'
> > DEBUG output created by Wget 1.13.4 on linux-gnu.
> >
> > URI encoding = `UTF-8'
> > --2014-12-10 11:49:27--  https://www.snort.org/
> > Resolving www.snort.org (www.snort.org)... 104.28.24.35, 104.28.25.35,
> > 2400:cb00:2048:1::681c:1823, ...
> > Caching www.snort.org => 104.28.24.35 104.28.25.35
> > 2400:cb00:2048:1::681c:1823 2400:cb00:2048:1::681c:1923
> > Connecting to www.snort.org (www.snort.org)|104.28.24.35|:443...
> > connected.
> > Created socket 4.
> > Releasing 0x0000000002278790 (new refcount 1).
> > GnuTLS: A TLS fatal alert has been received.
> > Closed fd 4
> > Unable to establish SSL connection.
> >
> >
> >
> > If you use Debian Stable you get wget 1.13.4.
> > Googling the error message hints that you need wget >= 1.15.
> >
> >
> > Does anyone have a workaround? I don't want to compile the latest wget
> > manually, since this breaks the ability to easily keep everything
> > up to date with 'apt-get upgrade'.
> >
> > /Elof
> >
> >
> > On Wed, 10 Dec 2014, waldo kitty wrote:
> >
> > On 12/10/2014 6:56 PM, Cary Townsend wrote:
> >
> > Hi All,
> >
> > We use wget to obtain rule updates from snort.org with our oink code, but it
> > is now broken.  Apparently, snort.org is now behind cloudflare, which denies
> > direct IP access.  Basically, the cert wget ultimately receives is
> > cloudflare's cert, not snort.org's.  A web browser seems to get redirected
> > somehow to the real snort site and gets the snort.org cert.  Thoughts?
> >
> >
> > wget works fine over here...  we've not seen any problems using it other
> > than a few niggles here and there that were easily taken care of...
> >
> > do you perhaps mean amazonaws instead of cloudflare?
> >
> > what url are you using to get the rules? (obfuscate your oinkcode)
> >
> > what version of snort are you trying to get rules for?
> >
> > --
> > NOTE: No off-list assistance is given without prior approval.
> >       Please *keep mailing list traffic on the list* unless
> >       private contact is specifically requested and granted.
> >
> >
> ------------------------------------------------------------------------------
> > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> > from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> > with Interactivity, Sharing, Native Excel Exports, App Integration & more
> > Get technology previously reserved for billion-dollar corporations, FREE
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort
> > news!
>
>
>
> --
> Doug Burks
> Need Security Onion Training or Commercial Support?
> http://securityonionsolutions.com
> Last day to register for 3-Day Training Class in Augusta GA is 12/11!
>
>
>


-- 


 Cary Townsend
Senior Engineer
ctownsend at ...17040...
1-866-682-0080
www.catbird.com
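
Added example (not part of the original thread, and not pulledpork or Snort project code): a small Python triage for a scheduled rule-update job that separates the two TLS failures quoted above from a real HTTP error, and masks the oinkcode before the output is shared. The 40-hex-character oinkcode format, the sample code value and the function names are assumptions.

```python
import re

# Assumption: an oinkcode is a 40-character hex string; any such token is masked.
OINKCODE = re.compile(r"\b[0-9a-fA-F]{40}\b")

# Checked in order. TLS causes come first because LWP (used by pulledpork)
# reports client-side connection failures as a synthetic "500", which would
# otherwise be mistaken for a server error.
RULES = [
    ("cert_verify_failed", re.compile(r"certificate verify failed", re.I),
     "Certificate rejected by the client: check its CA bundle and which "
     "certificate the server presented."),
    ("tls_handshake_alert",
     re.compile(r"TLS fatal alert|Unable to establish SSL connection", re.I),
     "Handshake aborted: compare the wget/curl and TLS library versions "
     "with a host where the download works."),
    ("http_status", re.compile(r"(?:==>|ERROR)\s+[45]\d\d\b"),
     "TLS succeeded and the server returned an error status."),
]

def redact(text):
    """Mask oinkcodes so the output can be posted to a public list."""
    return OINKCODE.sub("OINKCODE-REDACTED", text)

def triage(output):
    """Classify updater output and return it in a shareable form."""
    for cause, pattern, hint in RULES:
        if pattern.search(output):
            return {"cause": cause, "hint": hint, "shareable": redact(output)}
    return {"cause": "unknown", "hint": "No known failure signature.",
            "shareable": redact(output)}

# Constructed samples modelled on the output quoted in this thread.
FAKE_OINKCODE = "0123456789abcdef0123456789abcdef01234567"  # not a real code
PULLEDPORK_SAMPLE = (
    "** GET https://www.snort.org/reg-rules/"
    "snortrules-snapshot-2970.tar.gz.md5/" + FAKE_OINKCODE + "\n"
    "==> 500 Can't connect to www.snort.org:443 (certificate verify failed)\n"
    'main::md5file("' + FAKE_OINKCODE + '", "snortrules-snapshot-2970.tar.gz")\n'
)
WGET_SAMPLE = ("GnuTLS: A TLS fatal alert has been received.\n"
               "Unable to establish SSL connection.\n")

if __name__ == "__main__":
    for sample in (PULLEDPORK_SAMPLE, WGET_SAMPLE):
        result = triage(sample)
        print(result["cause"], "-", result["hint"])
        print(result["shareable"])
```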