[Snort-users] Snort rules downloaded from Amazon AWS through plain http

Vladimir Rabotka vladimir.rabotka at ...16908...
Wed Jul 16 14:53:17 EDT 2014


Hi there,

Has anybody else noticed that snort rules are now being downloaded from Amazon AWS through http?
We allow https but block outgoing http from our snort machine, and last night pulledpork failed with a bizarre 500 error.
Running pulledpork in verbose mode showed that the https call to snort.org is redirected to an Amazon AWS page that doesn't use SSL:

Rules tarball download of snortrules-snapshot-2956.tar.gz....
        Fetching rules file: snortrules-snapshot-2956.tar.gz
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz/### ==> 302 Found
** GET http://s3.amazonaws.com/snort-org-site/production/release_files/files/000/000/189/original/snortrules-snapshot-2956.tar.gz?AWSAccessKeyId=### &Expires=###&Signature=### ==> 500 Can't connect to s3.amazonaws.com:80 (connect: Connection refused)
        A 500 error occurred, please verify that you have recently updated your root certificates!

So anybody who intercepts the HTTP call can download the rules with somebody else's access key and keep the key for future use.
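As an added check, not part of the original post or of pulledpork: a small Python audit that flags an https-to-http redirect hop and any S3 pre-signed URL parameters that would travel in the clear, plus a urllib redirect handler that refuses to follow such a hop. The chain below is constructed from the log above with placeholder key and signature values.

```python
"""Detect HTTPS->HTTP downgrades and exposed pre-signed parameters in a redirect chain."""
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit

# Query parameters that make up an S3 pre-signed authorisation. Sent over plain
# HTTP, an on-path observer can reuse the whole link until it expires.
SIGNED_PARAMS = {"awsaccesskeyid", "signature", "expires",
                 "x-amz-signature", "x-amz-credential"}


def audit_hop(from_url, to_url):
    """Return a list of findings for one redirect from from_url to to_url."""
    src, dst = urlsplit(from_url), urlsplit(to_url)
    findings = []
    if src.scheme == "https" and dst.scheme == "http":
        findings.append(f"scheme downgrade https->http at {dst.netloc}")
    if dst.scheme == "http":
        leaked = sorted(k for k in parse_qs(dst.query) if k.lower() in SIGNED_PARAMS)
        if leaked:
            findings.append("pre-signed URL parameters exposed over plaintext: " + ", ".join(leaked))
    return findings


def audit_chain(urls):
    """Audit every consecutive pair in the list of URLs visited while following redirects."""
    out = []
    for a, b in zip(urls, urls[1:]):
        out.extend(audit_hop(a, b))
    return out


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib opener hook that refuses to follow a redirect off HTTPS onto HTTP."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        problems = audit_hop(req.full_url, newurl)
        if problems:
            raise urllib.error.HTTPError(newurl, code, "refused: " + "; ".join(problems), headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def would_follow(from_url, to_url, code=302):
    """True if the hardened handler would follow this redirect, False if it refuses it."""
    try:
        NoDowngradeRedirectHandler().redirect_request(
            urllib.request.Request(from_url), None, code, "Found", {}, to_url)
        return True
    except urllib.error.HTTPError:
        return False


# Constructed chain modelled on the pulledpork log above; key/signature are placeholders.
CHAIN = [
    "https://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz/OINKCODE_PLACEHOLDER",
    "http://s3.amazonaws.com/snort-org-site/production/release_files/files/000/000/189/original/"
    "snortrules-snapshot-2956.tar.gz?AWSAccessKeyId=KEY_PLACEHOLDER&Expires=0&Signature=SIG_PLACEHOLDER",
]

if __name__ == "__main__":
    for finding in audit_chain(CHAIN):
        print("WARNING:", finding)
    # To enforce it on a real fetch: urllib.request.build_opener(NoDowngradeRedirectHandler()).open(url)
```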

