[Snort-users] Pulledpork error at blacklist download

David Corsello snort-users at wintertreemedia.com
Wed May 2 13:13:52 EDT 2018


Much of this is related more to Linux than to Snort, but I'm hoping someone
can offer help.

I purchased a mini PC with decent specs to use as a Snort sensor.  The one
limitation that I missed prior to purchase is that the highest version of
Ubuntu that it supports is 12.04.1.  That OS is now installed.  Snort
2.9.11.1 is installed and running.  Pulledpork fails at the blacklist
download.

Pulledpork.conf contains the following:

rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLACKLIST|oinkcodexxxxxxxxxxxxxxxxxxxxxx

When run, it gives the following error:

IP Blacklist download of https://talosintelligence.com/documents/ip-blacklist....
** GET https://talosintelligence.com/documents/ip-blacklist ==> 500 Can't connect to talosintelligence.com:443
Error downloading https://talosintelligence.com/documents/ip-blacklist: 500 Can't connect to talosintelligence.com:443 [ 500 ]


GET from the command line gives the following error:

root at IPS:~# GET "https://talosintelligence.com/documents/ip-blacklist|IPBLACKLIST|oinkcodexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Can't connect to talosintelligence.com:443

LWP::Protocol::https::Socket: SSL connect attempt failed with unknown errorerror:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version at /usr/share/perl5/LWP/Protocol/http.pm line 51.
Unable to establish SSL connection.


Upgrading openssl to ver. 1.0.2o didn't fix this.  I'm researching if it's
possible to upgrade libwww-perl from ver 6.03 on Ubuntu 12.04.

Any other suggestions?

As a workaround, I tried to download the blacklist to an intermediate,
hosted server, from which I would then have downloaded to the sensor using
pulledpork.  When I ran the GET command on the hosted server, I got the
message:

"The owner of this website (talosintelligence.com) has banned your access
based on your browser's signature (414c086aabdc2312-ua24)."

Does this mean that the oinkcode is now permanently banned from downloading
the blacklist, or was only this access blocked?

Thanks.
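The two artefacts in the failure above are an OpenSSL error string (as printed by LWP via IO::Socket::SSL) and, on the wire, a TLS alert record from the server. The following decoder is an added example, not code from the post, PulledPork or LWP. It unpacks the 32-bit OpenSSL 1.0.x error code into library/function/reason, recognises the reason band (1000 + N) that OpenSSL uses for "the peer sent TLS alert N", and decodes a raw alert record. The sample error text is copied from the post; the 7-byte alert record and the second error string are constructed for illustration. Note that in OpenSSL's naming "tlsv1 alert protocol version" only says a TLS-era alert was received; it does not by itself tell you which version the client offered.

```python
"""Decode an OpenSSL 'tlsv1 alert protocol version' failure.
Added example for the thread above; not PulledPork, LWP or OpenSSL code."""
import re
import struct

# TLS AlertDescription values, RFC 5246 section 7.2.2 (common subset).
TLS_ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
}
TLS_ALERT_LEVELS = {1: "warning", 2: "fatal"}
RECORD_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                   (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}

# OpenSSL 1.0.x packs an error code as (library << 24) | (function << 12) | reason.
ERR_LIB_SSL = 20             # library id of the SSL/TLS routines
SSL_AD_REASON_OFFSET = 1000  # reason 1000+N means "peer sent TLS alert N"

# error:XXXXXXXX:lib:func:reason, with the reason phrase ending at " at <file>" or end of text
OPENSSL_ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*?)(?=\s+at\s|\s*$)")


def parse_openssl_error(text):
    """Find the first OpenSSL error in free text and unpack its numeric fields.
    Returns None when the text carries no OpenSSL error code."""
    m = OPENSSL_ERR_RE.search(text)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    info = {
        "code": code, "lib": lib, "func": func, "reason": reason,
        "lib_name": m.group(2), "func_name": m.group(3),
        "reason_text": m.group(4), "tls_alert": None,
    }
    # Reasons in the 1000..1255 band are alerts received from the peer, not
    # local failures: the server answered the ClientHello with an alert.
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        alert = reason - SSL_AD_REASON_OFFSET
        info["tls_alert"] = (alert, TLS_ALERT_DESCRIPTIONS.get(alert, "unknown"))
    return info


def parse_tls_alert_record(data):
    """Decode one TLS record header and body, requiring content type 21 (alert)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype != 21:
        raise ValueError("content type %d is not alert(21)" % ctype)
    if length != 2 or len(data) < 7:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = data[5], data[6]
    return {
        "record_version": RECORD_VERSIONS.get((major, minor), "unknown %d.%d" % (major, minor)),
        "level": TLS_ALERT_LEVELS.get(level, "unknown"),
        "description": desc,
        "description_name": TLS_ALERT_DESCRIPTIONS.get(desc, "unknown"),
    }


def diagnose(text):
    """One-line reading of an OpenSSL error for a sensor operator."""
    info = parse_openssl_error(text)
    if info is None:
        return "no OpenSSL error code found"
    if info["tls_alert"] is None:
        return "local failure in %s (reason %d)" % (info["func_name"], info["reason"])
    num, name = info["tls_alert"]
    if num == 70:
        return ("server sent fatal alert %d (%s): it rejected the protocol version "
                "offered in the ClientHello; the client stack must offer a version "
                "the server still accepts" % (num, name))
    return "server sent alert %d (%s)" % (num, name)


# Error text as printed in the post above.
SAMPLE_ERROR = ("SSL connect attempt failed with unknown errorerror:1407742E:"
                "SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version "
                "at /usr/share/perl5/LWP/Protocol/http.pm line 51.")
# Constructed alert record: type 21, record version 3.1, length 2, level fatal(2), description 70.
SAMPLE_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46])

if __name__ == "__main__":
    print(parse_openssl_error(SAMPLE_ERROR))
    print(parse_tls_alert_record(SAMPLE_ALERT))
    print(diagnose(SAMPLE_ERROR))
```

For the live check on the sensor, `openssl s_client -connect talosintelligence.com:443 -tls1_2` and the same command with `-tls1` separate the two cases: if only the TLS 1.0 attempt comes back with the same alert, the server requires a newer protocol version and the fix has to land in whatever the Perl stack (LWP over IO::Socket::SSL and Net::SSLeay) actually offers in its ClientHello, not only in the openssl binary.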