[Snort-users] Rules updates broken?

Cary Townsend ctownsend at ...17040...
Mon Dec 15 15:14:49 EST 2014


I've been beating on this all morning, and I just noticed it started
working at 9am PST.  I'm assuming I didn't fix anything, and something
changed at the server?

Thanks!

On Fri, Dec 12, 2014 at 9:39 AM, Joel Esler (jesler) <jesler at ...589...>
wrote:
>
>  We are working to resolve the issue right now, sorry for the
> inconvenience.
>
> --
> *Joel Esler*
> Sent from my iPhone
>
> On Dec 12, 2014, at 12:38 PM, Cary Townsend <ctownsend at ...17040...> wrote:
>
>   Looking through our logs, it doesn't seem to support the DDOS theory;
> it never worked after the switch.  The snippets below illustrate the last
> working request, the transition, then the first attempt at the new address,
> which fails:
> .
> .
> --2014-12-08 14:04:01--
> https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx
> Resolving www.snort.org... 23.21.42.154, 54.235.138.160, 174.129.239.220
> Connecting to www.snort.org|23.21.42.154|:443... connected.
> HTTP request sent, awaiting response...
> .
> .
> .
> --2014-12-08 15:04:01--
> https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx
> Resolving www.snort.org... failed: Temporary failure in name resolution.
> wget: unable to resolve host address `www.snort.org'
> .
> .
> .
> --2014-12-08 16:04:01--
> https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx
> Resolving www.snort.org... 104.28.25.35, 104.28.24.35
> Connecting to www.snort.org|104.28.25.35|:443... connected.
> ERROR: no certificate subject alternative name matches
> .
> .
> .
>
> On Fri, Dec 12, 2014 at 7:52 AM, Joel Esler (jesler) <jesler at ...589...>
> wrote:
>>
>> The system should allow that many queries, and if it doesn’t we’re going
>> to abandon it!
>>
>>  Looking into it
>>
>>  On Dec 12, 2014, at 10:44 AM, Cary Townsend <ctownsend at ...17040...>
>> wrote:
>>
>>  Sorry, I went off-list for a bit.  wget 1.16 works fine from another
>> machine (windows / cygwin), so the latest theory is that it has to do with
>> our server.  I'm thinking the DDOS service of cloudflare is activated by
>> our hourly checks for new rules...
>>
>> On Thu, Dec 11, 2014 at 7:22 AM, Doug Burks <doug.burks at ...11827...>
>> wrote:
>>>
>>> Hi Joel,
>>>
>>> Pulledpork 0.7 on Ubuntu 12.04 results in the following:
>>>
>>> Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
>>> Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5
>>> ** GET
>>> https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/OINKCODE-REDACTED
>>> ==> 500 Can't connect to www.snort.org:443 (certificate verify failed)
>>> Error 500 when fetching
>>> https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5 at
>>> pulledpork.pl line 463.
>>> main::md5file("OINKCODE-REDACTED", "snortrules-snapshot-2970.tar.gz",
>>> "/tmp/", "https://www.snort.org/reg-rules/") called at pulledpork.pl
>>> line 1847
>>>
>>> Thanks!
>>>
>>> On Thu, Dec 11, 2014 at 9:30 AM, Joel Esler (jesler) <jesler at ...589...>
>>> wrote:
>>> > We have moved to Cloudflare to balance the traffic we are receiving on
>>> > the site.  We had a particular user that shared an oinkcode somewhere,
>>> > and as a result we were dealing with over 35 Million downloads a day, so
>>> > we had to upgrade a bit.
>>> >
>>> > We have heard that older versions (or perhaps older cert trusts) of curl
>>> > and wget are having a problem navigating through Cloudflare over to the
>>> > site.  It’s difficult for us to pin down as our tests work, and download
>>> > numbers are staying constant, however, we have had a few people (like
>>> > yourselves) say you can’t reach the site.
>>> >
>>> > I suggest the above (versions of curl/wget/cert trusts) and let me know
>>> > your results.
>>> >
>>> > --
>>> > Joel Esler
>>> > Open Source Manager
>>> > Threat Intelligence Team Lead
>>> > Talos
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > On Dec 11, 2014, at 5:58 AM, elof at ...6680... wrote:
>>> >
>>> >
>>> > I too have this annoying issue.
>>> >
>>> > wget -v --debug 'https://www.snort.org/'
>>> > DEBUG output created by Wget 1.13.4 on linux-gnu.
>>> >
>>> > URI encoding = `UTF-8'
>>> > --2014-12-10 11:49:27--  https://www.snort.org/
>>> > Resolving www.snort.org (www.snort.org)... 104.28.24.35, 104.28.25.35,
>>> > 2400:cb00:2048:1::681c:1823, ...
>>> > Caching www.snort.org => 104.28.24.35 104.28.25.35
>>> > 2400:cb00:2048:1::681c:1823 2400:cb00:2048:1::681c:1923
>>> > Connecting to www.snort.org (www.snort.org)|104.28.24.35|:443...
>>> > connected.
>>> > Created socket 4.
>>> > Releasing 0x0000000002278790 (new refcount 1).
>>> > GnuTLS: A TLS fatal alert has been received.
>>> > Closed fd 4
>>> > Unable to establish SSL connection.
>>> >
>>> >
>>> >
>>> > If you use Debian Stable you get wget 1.13.4.
>>> > Googling the error message hints that you need wget >= 1.15.
>>> >
>>> >
>>> > Does anyone have a workaround? I don't want to compile the latest wget
>>> > manually, since this breaks the ability to easily keep everything
>>> > up to date with 'apt-get upgrade'.
>>> >
>>> > /Elof
>>> >
>>> >
>>> > On Wed, 10 Dec 2014, waldo kitty wrote:
>>> >
>>> > On 12/10/2014 6:56 PM, Cary Townsend wrote:
>>> >
>>> > Hi All,
>>> >
>>> > We use wget to obtain rule updates from snort.org with our oink code,
>>> > but it is now broken.  Apparently, snort.org is now behind cloudflare,
>>> > which denies direct IP access.  Basically, the cert wget ultimately
>>> > receives is cloudflare's cert, not snort.org's.  A web browser seems to
>>> > get redirected somehow to the real snort site and gets the snort.org
>>> > cert.  Thoughts?
>>> >
>>> >
>>> > wget works fine over here...  we've not seen any problems using it
>>> > other than a few niggles here and there that were easily taken care of...
>>> >
>>> > do you perhaps mean amazonaws instead of cloudflare?
>>> >
>>> > what url are you using to get the rules? (obfuscate your oinkcode)
>>> >
>>> > what version of snort are you trying to get rules for?
>>> >
>>> > --
>>> > NOTE: No off-list assistance is given without prior approval.
>>> >       Please *keep mailing list traffic on the list* unless
>>> >       private contact is specifically requested and granted.
>>> >
>>> >
>>> ------------------------------------------------------------------------------
>>> > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>>> > from Actuate! Instantly Supercharge Your Business Reports and
>>> Dashboards
>>> > with Interactivity, Sharing, Native Excel Exports, App Integration &
>>> more
>>> > Get technology previously reserved for billion-dollar corporations,
>>> FREE
>>> >
>>> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
>>> > _______________________________________________
>>> > Snort-users mailing list
>>> > Snort-users at lists.sourceforge.net
>>> > Go to this URL to change user options or unsubscribe:
>>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>>> > Snort-users list archive:
>>> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> >
>>> > Please visit http://blog.snort.org to stay current on all the latest
>>> Snort
>>> > news!
>>> >
>>>
>>>
>>>
>>> --
>>>  Doug Burks
>>> Need Security Onion Training or Commercial Support?
>>> http://securityonionsolutions.com
>>> Last day to register for 3-Day Training Class in Augusta GA is 12/11!
>>>
>>>
>>>
>>
>>
>>  --
>>
>>
>>   Cary Townsend
>> Senior Engineer
>> ctownsend at ...17040...
>> 1-866-682-0080
>> www.catbird.com
>>
>>
>>
>>
>
>  --
>
>
>   Cary Townsend
> Senior Engineer
> ctownsend at ...17040...
> 1-866-682-0080
> www.catbird.com
>
>
>
>

-- 


 Cary Townsend
Senior Engineer
ctownsend at ...17040...
1-866-682-0080
www.catbird.com
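Added example (mine, not code from snort.org, PulledPork or anyone in this thread): a small Python checker that reads the kind of hourly wget log quoted above and classifies each fetch attempt, so a cron job that pulls rules can alert on the failure modes the thread shows (name-resolution failure during the move, a certificate whose subject alternative name does not match after it, a GnuTLS fatal alert from the older wget) and flag when the resolved addresses change, which is how the move to Cloudflare first shows up in the log. It also redacts the oinkcode before anything is stored, since the thread itself shows what a shared code cost. The log text is constructed from the thread's excerpts (joined onto single lines as wget prints them, with a "200 OK" added to the first, working, attempt); the outcome labels and regexes are my own.

```python
"""Classify rule-update fetch attempts from a wget cron log.

Added example for the Snort-users thread; not code from snort.org,
PulledPork or any poster.  Labels and regexes are mine.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, built from the excerpts quoted in the thread:
# the last working fetch, the DNS failure during the move, the SAN
# mismatch after it, and the GnuTLS alert seen from wget 1.13.4.
SAMPLE_LOG = """\
--2014-12-08 14:04:01--  https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx
Resolving www.snort.org... 23.21.42.154, 54.235.138.160, 174.129.239.220
Connecting to www.snort.org|23.21.42.154|:443... connected.
HTTP request sent, awaiting response... 200 OK
--2014-12-08 15:04:01--  https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx
Resolving www.snort.org... failed: Temporary failure in name resolution.
wget: unable to resolve host address `www.snort.org'
--2014-12-08 16:04:01--  https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx
Resolving www.snort.org... 104.28.25.35, 104.28.24.35
Connecting to www.snort.org|104.28.25.35|:443... connected.
ERROR: no certificate subject alternative name matches
--2014-12-10 11:49:27--  https://www.snort.org/
Resolving www.snort.org (www.snort.org)... 104.28.24.35, 104.28.25.35
Connecting to www.snort.org (www.snort.org)|104.28.24.35|:443... connected.
GnuTLS: A TLS fatal alert has been received.
Unable to establish SSL connection.
"""

ATTEMPT_RE = re.compile(r"^--(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})--\s+(\S+)")
RESOLVED_RE = re.compile(r"^Resolving \S+(?: \(\S+\))?\.\.\. (?!failed)(.+)$")
OINKCODE_RE = re.compile(r"(oinkcode=)[^&\s]+")

# (substring, outcome) pairs checked in order; substrings are the wget and
# GnuTLS messages quoted in the thread, the outcome names are mine.
OUTCOME_MARKERS = [
    ("Temporary failure in name resolution", "dns_failure"),
    ("unable to resolve host address", "dns_failure"),
    ("no certificate subject alternative name matches", "hostname_mismatch"),
    ("A TLS fatal alert has been received", "tls_handshake_failure"),
    ("Unable to establish SSL connection", "tls_handshake_failure"),
    ("200 OK", "ok"),
]


def redact(url: str) -> str:
    """Strip the oinkcode (a credential) from a URL before it is stored."""
    return OINKCODE_RE.sub(r"\g<1>REDACTED", url)


def classify_log(text: str) -> List[Dict[str, object]]:
    """Split a wget log into attempts and assign each one an outcome."""
    attempts: List[Dict[str, object]] = []
    current = None
    for line in text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            current = {"time": m.group(1), "url": redact(m.group(2)),
                       "addresses": [], "outcome": "incomplete"}
            attempts.append(current)
            continue
        if current is None:
            continue
        r = RESOLVED_RE.match(line)
        if r:
            addrs = [a.strip() for a in r.group(1).rstrip(",").split(",")]
            current["addresses"] = [a for a in addrs if a and a != "..."]
            continue
        if current["outcome"] == "incomplete":
            for marker, outcome in OUTCOME_MARKERS:
                if marker in line:
                    current["outcome"] = outcome
                    break
    return attempts


def address_changes(attempts) -> List[Tuple[str, List[str], List[str]]]:
    """(time, previous, current) for each attempt whose resolved set differs
    from the last attempt that resolved; a CDN move shows up here."""
    changes, prev = [], None
    for a in attempts:
        addrs = set(a["addresses"])
        if not addrs:
            continue
        if prev is not None and addrs != prev:
            changes.append((a["time"], sorted(prev), sorted(addrs)))
        prev = addrs
    return changes


def alerts(attempts) -> List[str]:
    """One alert line per failed attempt; TLS failures point at the client."""
    out = []
    for a in attempts:
        if a["outcome"] == "ok":
            continue
        msg = f"{a['time']} {a['outcome']} fetching {a['url']}"
        if a["outcome"] in ("hostname_mismatch", "tls_handshake_failure"):
            msg += (f" (resolved to {', '.join(a['addresses'])}; "
                    "check client TLS/SNI support, thread suggests wget >= 1.15)")
        out.append(msg)
    return out


if __name__ == "__main__":
    found = classify_log(SAMPLE_LOG)
    for change in address_changes(found):
        print("resolved addresses changed at", *change)
    for line in alerts(found):
        print(line)
```

The thread's advice to move to wget 1.15 or later fits this classification: wget gained SNI support in 1.14 (a fact I am adding, not something the thread states), and without SNI a CDN that serves many names from one address hands back a certificate for some other name, which is exactly the "no certificate subject alternative name matches" outcome; the GnuTLS fatal alert from 1.13.4 is plausibly the same problem surfacing one step earlier in the handshake. Either way, an operator watching the `address_changes` output would have seen the 23.21.x.x to 104.28.x.x move at 16:04 on 2014-12-08 before the first oinkcode-bearing request failed.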