[Snort-users] Rules updates broken?

Cary Townsend ctownsend at ...17040...
Fri Dec 12 12:33:57 EST 2014


Looking through our logs, it doesn't seem to support the DDOS theory; it
never worked after the switch.  The snippets below illustrate the last
working request, the transition, then the first attempt at the new address,
which fails:
.
.
--2014-12-08 14:04:01--
https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx
Resolving www.snort.org... 23.21.42.154, 54.235.138.160, 174.129.239.220
Connecting to www.snort.org|23.21.42.154|:443... connected.
HTTP request sent, awaiting response...
.
.
.
--2014-12-08 15:04:01--
https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx
Resolving www.snort.org... failed: Temporary failure in name resolution.
wget: unable to resolve host address `www.snort.org'
.
.
.
--2014-12-08 16:04:01--
https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx
Resolving www.snort.org... 104.28.25.35, 104.28.24.35
Connecting to www.snort.org|104.28.25.35|:443... connected.
ERROR: no certificate subject alternative name matches
.
.
.

On Fri, Dec 12, 2014 at 7:52 AM, Joel Esler (jesler) <jesler at ...589...>
wrote:
>
> The system should allow that many queries, and if it doesn’t we’re going
> to abandon it!
>
> Looking into it
>
> On Dec 12, 2014, at 10:44 AM, Cary Townsend <ctownsend at ...17040...> wrote:
>
> Sorry, I went off-list for a bit.  wget 1.16 works fine from another
> machine (windows / cygwin), so the latest theory is that it has to do with
> our server.  I'm thinking the DDOS service of cloudflare is activated by
> our hourly checks for new rules...
>
> On Thu, Dec 11, 2014 at 7:22 AM, Doug Burks <doug.burks at ...11827...> wrote:
>>
>> Hi Joel,
>>
>> Pulledpork 0.7 on Ubuntu 12.04 results in the following:
>>
>> Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
>> Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5
>> ** GET
>> https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/OINKCODE-REDACTED
>> ==> 500 Can't connect to www.snort.org:443 (certificate verify failed)
>> Error 500 when fetching
>> https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5 at
>> pulledpork.pl line 463.
>> main::md5file("OINKCODE-REDACTED", "snortrules-snapshot-2970.tar.gz",
>> "/tmp/", "https://www.snort.org/reg-rules/") called at pulledpork.pl
>> line 1847
>>
>> Thanks!
>>
>> On Thu, Dec 11, 2014 at 9:30 AM, Joel Esler (jesler) <jesler at ...589...>
>> wrote:
>> > We have moved to Cloudflare to balance the traffic we are receiving on
>> the
>> > site.  We had a particular user that shared an oinkcode somewhere, and
>> as a
>> > result we were dealing with over 35 Million downloads a day, so we had to
>> > upgrade a bit.
>> >
>> > We have heard that older versions (or perhaps older cert trusts) of
>> curl and
>> > wget are having a problem navigating through Cloudflare over to the
>> site.
>> > It’s difficult for us to pin down as our tests work, and download
>> numbers
>> > are staying constant, however, we have had a few people (like
>> yourselves)
>> > say you can’t reach the site.
>> >
>> > I suggest the above.  (versions of curl/wget/cert trusts) and let me
>> know
>> > your results.
>> >
>> > --
>> > Joel Esler
>> > Open Source Manager
>> > Threat Intelligence Team Lead
>> > Talos
>> >
>> >
>> >
>> >
>> >
>> > On Dec 11, 2014, at 5:58 AM, elof at ...6680... wrote:
>> >
>> >
>> > I too have this annoying issue.
>> >
>> > wget -v --debug 'https://www.snort.org/'
>> > DEBUG output created by Wget 1.13.4 on linux-gnu.
>> >
>> > URI encoding = `UTF-8'
>> > --2014-12-10 11:49:27--  https://www.snort.org/
>> > Resolving www.snort.org (www.snort.org)... 104.28.24.35, 104.28.25.35,
>> > 2400:cb00:2048:1::681c:1823, ...
>> > Caching www.snort.org => 104.28.24.35 104.28.25.35
>> > 2400:cb00:2048:1::681c:1823 2400:cb00:2048:1::681c:1923
>> > Connecting to www.snort.org (www.snort.org)|104.28.24.35|:443...
>> > connected.
>> > Created socket 4.
>> > Releasing 0x0000000002278790 (new refcount 1).
>> > GnuTLS: A TLS fatal alert has been received.
>> > Closed fd 4
>> > Unable to establish SSL connection.
>> >
>> >
>> >
>> > If you use Debian Stable you get wget 1.13.4.
>> > Googling the error message hints that you need wget >= 1.15.
>> >
>> >
>> > Does anyone have a workaround? I don't want to compile the latest wget
>> > manually, since this breaks the ability to easily keep everything
>> > up to date with 'apt-get upgrade'.
>> >
>> > /Elof
>> >
>> >
>> > On Wed, 10 Dec 2014, waldo kitty wrote:
>> >
>> > On 12/10/2014 6:56 PM, Cary Townsend wrote:
>> >
>> > Hi All,
>> >
>> > We use wget to obtain rule updates from snort.org with our oink code,
>> but it
>> > is now broken.  Apparently, snort.org is now behind cloudflare, which
>> denies
>> > direct IP access.  Basically, the cert wget ultimately receives is
>> > cloudflare's cert, not snort.org's.  A web browser seems to get
>> redirected
>> > somehow to the real snort site and gets the snort.org cert.  Thoughts?
>> >
>> >
>> > wget works fine over here...  we've not seen any problems using it other
>> > than a
>> > few niggles here and there that were easily taken care of...
>> >
>> > do you perhaps mean amazonaws instead of cloudflare?
>> >
>> > what url are you using to get the rules? (obfuscate your oinkcode)
>> >
>> > what version of snort are you trying to get rules for?
>> >
>> > --
>> > NOTE: No off-list assistance is given without prior approval.
>> >       Please *keep mailing list traffic on the list* unless
>> >       private contact is specifically requested and granted.
>> >
>> >
>> > _______________________________________________
>> > Snort-users mailing list
>> > Snort-users at lists.sourceforge.net
>> > Go to this URL to change user options or unsubscribe:
>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> > Snort-users list archive:
>> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> >
>> > Please visit http://blog.snort.org to stay current on all the latest
>> Snort
>> > news!
>> >
>> >
>> >
>>
>>
>>
>> --
>> Doug Burks
>> Need Security Onion Training or Commercial Support?
>> http://securityonionsolutions.com
>> Last day to register for 3-Day Training Class in Augusta GA is 12/11!
>>
>>
>>
>
>
> --
>
>
>  Cary Townsend
> Senior Engineer
> ctownsend at ...17040...
> 1-866-682-0080
> www.catbird.com
>
>
>
>

-- 


 Cary Townsend
Senior Engineer
ctownsend at ...17040...
1-866-682-0080
www.catbird.com
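The three failures quoted in this thread (a fatal TLS alert from wget 1.13.4 with GnuTLS, "no certificate subject alternative name matches" from a newer wget, and pulledpork's "certificate verify failed") are what a client reports when either the name on the certificate it received does not cover the host it asked for, or the chain it received is not trusted by its CA bundle. The first two are consistent with a client that sends no SNI to a multi-tenant front end, which is Joel's "older versions of curl and wget" hypothesis. The script below is an added example, not code from this thread, from wget or from pulledpork, and assumes only Python 3 and the standard library. It runs the same two checks from the affected host: it handshakes once with SNI and once without, lists the dNSName entries of the certificate actually presented, and applies an RFC 6125-style name match. With no argument it runs an offline demonstration on constructed SAN lists; those lists, and the claim that a front end behaves differently without SNI, are illustrative and say nothing about what snort.org's edge actually serves.

```python
"""Probe a TLS endpoint with and without SNI and check whether the certificate
it presents actually names the host we asked for.

Added example (not code from this thread, from wget, or from pulledpork).
Assumes Python 3 and the standard library only.  Run with a hostname to probe a
live server; run with no arguments for an offline demonstration on constructed
SAN lists.
"""
import socket
import ssl
import sys


def hostname_matches_san(hostname, dns_names):
    """RFC 6125-style comparison of a hostname against dNSName SAN entries.

    Matching is case-insensitive and ignores a trailing dot.  A wildcard is
    honoured only as the entire leftmost label, never matches a dot, and must
    leave at least two fixed labels, so "*.example.org" covers
    "www.example.org" but not "example.org" or "a.b.example.org".
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            if len(host_labels) >= 3 and ".".join(host_labels[1:]) == name[2:]:
                return True
    return False


def san_dns_names(peercert):
    """Pull the dNSName entries out of the dict ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def probe(host, port=443, send_sni=True, timeout=10):
    """Handshake with host:port and report which names its certificate carries.

    With send_sni=False the ClientHello has no server_name extension, which is
    what a CDN edge sees from a pre-SNI client.  A multi-tenant edge may then
    abort the handshake (seen by the client as a fatal alert) or present a
    default certificate whose SAN does not include our host.  Chain validation
    still runs against the system CA bundle, so an untrusted chain raises
    ssl.SSLError here instead of returning a result.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the name check is done explicitly below
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if send_sni else None) as tls:
            names = san_dns_names(tls.getpeercert())
    return {"sni": send_sni, "san": names, "matches": hostname_matches_san(host, names)}


def describe(host, result):
    """One-line verdict for a probe result."""
    if result["matches"]:
        return "SNI=%s: certificate covers %s" % (result["sni"], host)
    return "SNI=%s: no SAN entry matches %s (got %s)" % (
        result["sni"], host, ", ".join(result["san"]) or "none")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        for sni in (True, False):
            try:
                print(describe(host, probe(host, send_sni=sni)))
            except ssl.SSLError as exc:
                print("SNI=%s: handshake failed: %s" % (sni, exc))
    else:
        # Offline demonstration on constructed SAN lists (illustrative, not real certs).
        host = "www.snort.org"
        for label, names in (("origin", ["snort.org", "www.snort.org"]),
                             ("wildcard", ["*.snort.org"]),
                             ("unrelated default", ["*.example.net", "example.net"])):
            result = {"sni": True, "san": names, "matches": hostname_matches_san(host, names)}
            print("%s -> %s" % (label, describe(host, result)))
```

Run it as `python3 tlsprobe.py www.snort.org` (the file name is whatever you save it as) from the machine whose wget fails. If the run without SNI aborts or returns a SAN list that does not match while the run with SNI matches, a client that still fails is most likely not sending SNI, and the client or its TLS library is what needs upgrading. If both runs raise `ssl.SSLError` before any certificate comes back, the presented chain is not trusted by the local CA bundle, which points at the "older cert trusts" half of Joel's hypothesis rather than the client version. The same comparison can be made by hand with `openssl s_client -connect www.snort.org:443 -servername www.snort.org` against the same command without `-servername`.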