[Snort-users] Rules updates broken?

Joel Esler (jesler) jesler at ...589...
Fri Dec 12 10:52:05 EST 2014


The system should allow that many queries, and if it doesn’t we’re going to abandon it!

Looking into it

> On Dec 12, 2014, at 10:44 AM, Cary Townsend <ctownsend at ...17040...> wrote:
> 
> Sorry, I went off-list for a bit.  wget 1.16 works fine from another machine (windows / cygwin), so the latest theory is that it has to do with our server.  I'm thinking the DDOS service of cloudflare is activated by our hourly checks for new rules...
> 
> On Thu, Dec 11, 2014 at 7:22 AM, Doug Burks <doug.burks at ...11827...> wrote:
> Hi Joel,
> 
> Pulledpork 0.7 on Ubuntu 12.04 results in the following:
> 
> Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
> Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5
> ** GET https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/OINKCODE-REDACTED
> ==> 500 Can't connect to www.snort.org:443 (certificate verify failed)
> Error 500 when fetching
> https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5 at
> pulledpork.pl line 463.
> main::md5file("OINKCODE-REDACTED", "snortrules-snapshot-2970.tar.gz",
> "/tmp/", "https://www.snort.org/reg-rules/") called at pulledpork.pl
> line 1847
> 
> Thanks!
> 
> On Thu, Dec 11, 2014 at 9:30 AM, Joel Esler (jesler) <jesler at ...589...> wrote:
> > We have moved to Cloudflare to balance the traffic we are receiving on the
> > site.  We had a particular user that shared an oinkcode somewhere, and as a
> > result we were dealing with over 35 Millon downloads a day, so we had to
> > upgrade a bit.
> >
> > We have heard that older versions (or perhaps older cert trusts) of curl and
> > wget are having a problem navigating through Cloudflare over to the site.
> > It’s difficult for us to pin down as our tests work, and download numbers
> > are staying constant, however, we have had a few people (like yourselves)
> > say you can’t reach the site.
> >
> > I suggest the above.  (versions of curl/wget/cert trusts) and let me know
> > your results.
> >
> > --
> > Joel Esler
> > Open Source Manager
> > Threat Intelligence Team Lead
> > Talos
> >
> >
> >
> >
> >
> > On Dec 11, 2014, at 5:58 AM, elof at ...6680... wrote:
> >
> >
> > I too have this annoying issue.
> >
> > wget -v --debug 'https://www.snort.org/'
> > DEBUG output created by Wget 1.13.4 on linux-gnu.
> >
> > URI encoding = `UTF-8'
> > --2014-12-10 11:49:27--  https://www.snort.org/
> > Resolving www.snort.org (www.snort.org)... 104.28.24.35, 104.28.25.35,
> > 2400:cb00:2048:1::681c:1823, ...
> > Caching www.snort.org => 104.28.24.35 104.28.25.35
> > 2400:cb00:2048:1::681c:1823 2400:cb00:2048:1::681c:1923
> > Connecting to www.snort.org (www.snort.org)|104.28.24.35|:443...
> > connected.
> > Created socket 4.
> > Releasing 0x0000000002278790 (new refcount 1).
> > GnuTLS: A TLS fatal alert has been received.
> > Closed fd 4
> > Unable to establish SSL connection.
> >
> >
> >
> > If you use Debian Stable you get wget 1.13.4.
> > Googling the error message hints that you need wget >= 1.15.
> >
> >
> > Do anyone have a workaround? I don't want to compile the latest wget
> > manually, since this breaks the ability to easily keep everything
> > up to date with 'apt-get upgrade'.
> >
> > /Elof
> >
> >
> > On Wed, 10 Dec 2014, waldo kitty wrote:
> >
> > On 12/10/2014 6:56 PM, Cary Townsend wrote:
> >
> > Hi All,
> >
> > We use wget to obtain rule updates from snort.org with our oink code, but it
> > is now broken.  Apparently, snort.org is now behind cloudflare, which denies
> > direct IP access.  Basically, the cert wget ultimately receives is
> > cloudflare's cert, not snort.org's.  A web browser seems to get redirected
> > somehow to the real snort site and gets the snort.org cert.  Thoughts?
> >
> >
> > wget works fine over here...  we've not seen any problems using it other
> > than a
> > few niggles here and there that were easily taken care of...
> >
> > do you perhaps mean amazonaws instead of cloudflare?
> >
> > what url are you using to get the rules? (obfuscate your oinkcode)
> >
> > what version of snort are you trying to get rules for?
> >
> > --
> > NOTE: No off-list assistance is given without prior approval.
> >       Please *keep mailing list traffic on the list* unless
> >       private contact is specifically requested and granted.
> >
> > ------------------------------------------------------------------------------
> > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> > from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> > with Interactivity, Sharing, Native Excel Exports, App Integration & more
> > Get technology previously reserved for billion-dollar corporations, FREE
> > http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!
> >
> >
> 
> 
> 
> --
> Doug Burks
> Need Security Onion Training or Commercial Support?
> http://securityonionsolutions.com
> Last day to register for 3-Day Training Class in Augusta GA is 12/11!
> 
> 
> 
> -- 
> 
> 
> 
> Cary Townsend
> Senior Engineer
> ctownsend at ...17040...
> 1-866-682-0080
> www.catbird.com
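The PulledPork trace above (fetch the .md5 first, compare, then download), Cary's concern that hourly checks might trip the CDN's protection, and waldo kitty's "obfuscate your oinkcode" all point at the same small piece of client logic. The following is an added example written for this thread, not PulledPork's or snort.org's own code; the tarball bytes, the .md5 body and the `fetch` callable are constructed stand-ins so it runs offline.

```python
"""Added example (not PulledPork's or snort.org's code): MD5-first update check
as in the thread's trace, oinkcode redaction for anything that gets logged or
posted, and a retry policy that backs off instead of hammering the CDN."""
import hashlib
import re
import time

TARBALL_NAME = "snortrules-snapshot-2970.tar.gz"
LOCAL_TARBALL = b"constructed fake tarball bytes"   # stands in for /tmp/<tarball>
# Constructed .md5 body in the "<hash>  <filename>" layout PulledPork fetches.
REMOTE_MD5_TEXT = hashlib.md5(LOCAL_TARBALL).hexdigest() + "  " + TARBALL_NAME + "\n"

MD5_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S+)\s*$")
# The oinkcode is the path segment after the tarball or .md5 name in the rule URL.
OINKCODE = re.compile(r"(\.tar\.gz(?:\.md5)?)/[^/\s]+")
RETRY_STATUSES = {429, 500, 502, 503, 504}   # transient; worth a delayed retry


def parse_md5_file(text):
    """Map filename -> lowercase hex digest; malformed lines are ignored."""
    digests = {}
    for line in text.splitlines():
        m = MD5_LINE.match(line.strip())
        if m:
            digests[m.group(2)] = m.group(1).lower()
    return digests


def redact_oinkcode(url):
    """Return the URL with the oinkcode replaced, as the thread did before posting."""
    return OINKCODE.sub(r"\1/OINKCODE-REDACTED", url)


def needs_download(md5_text, local_bytes, name=TARBALL_NAME):
    """True when the published digest is missing or differs from the local copy.
    MD5 here is a change detector, as in the trace, not an integrity guarantee."""
    published = parse_md5_file(md5_text).get(name)
    return published is None or hashlib.md5(local_bytes).hexdigest() != published


def fetch_with_backoff(fetch, attempts=4, base_delay=0.0):
    """fetch() returns (status, body). Transient statuses are retried with an
    exponential delay; the last (status, body) is returned either way."""
    status, body = fetch()
    for i in range(1, attempts):
        if status not in RETRY_STATUSES:
            break
        time.sleep(base_delay * 2 ** (i - 1))
        status, body = fetch()
    return status, body
```

`fetch` is whatever does the real HTTP call (urllib, requests, curl via subprocess), so only the .md5 is requested on the hourly check and the tarball only when `needs_download` says so; pass every URL through `redact_oinkcode` before it reaches a log or a mailing list.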
