[Snort-users] Pulledpork error at blacklist download

David Corsello snort-users at wintertreemedia.com
Wed May 2 14:17:02 EDT 2018


Please disregard this question.  I was able to download a blacklist
manually for testing.  I found that the latency is too high with this
machine, so we're going to need something with a faster processor that can
support a newer OS.

On Wed, May 2, 2018 at 1:13 PM, David Corsello <
snort-users at wintertreemedia.com> wrote:

> Much of this is related more to Linux than to Snort, but I'm hoping
> someone can offer help.
>
> I purchased a mini PC with decent specs to use as a Snort sensor.  The one
> limitation that I missed prior to purchase is that the highest version of
> Ubuntu that it supports is 12.04.1.  That OS is now installed.  Snort
> 2.9.11.1 is installed and running.  Pulledpork fails at the blacklist
> download.
>
> Pulledpork.conf contains the following:
>
> rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLACKLIST|oinkcodexxxxxxxxxxxxxxxxxxxxxx
>
> When run, it gives the following error:
>
> IP Blacklist download of https://talosintelligence.com/documents/ip-blacklist....
> ** GET https://talosintelligence.com/documents/ip-blacklist ==> 500 Can't connect to talosintelligence.com:443
> Error downloading https://talosintelligence.com/documents/ip-blacklist: 500 Can't connect to talosintelligence.com:443 [ 500 ]
>
>
> GET from the command line gives the following error:
>
> root@IPS:~# GET "https://talosintelligence.com/documents/ip-blacklist|IPBLACKLIST|oinkcodexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
> Can't connect to talosintelligence.com:443
>
> LWP::Protocol::https::Socket: SSL connect attempt failed with unknown
> errorerror:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
> protocol version at /usr/share/perl5/LWP/Protocol/http.pm line 51.Unable
> to establish SSL connection.
>
>
> Upgrading openssl to ver. 1.0.2o didn't fix this.  I'm researching if it's
> possible to upgrade libwww-perl from ver 6.03 on Ubuntu 12.04.
>
> Any other suggestions?
>
> As a workaround, I tried to download the blacklist to an intermediate,
> hosted server, from which I would then have downloaded to the sensor using
> pulledpork.  When I ran the GET command on the hosted server, I got the
> message:
>
> "The owner of this website (talosintelligence.com) has banned your access
> based on your browser's signature (414c086aabdc2312-ua24)."
>
> Does this mean that the oinkcode is now permanently banned from
> downloading the blacklist, or was only this access blocked?
>
> Thanks.
>
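
The error code in the quoted GET output can be decoded to show which side ended the handshake. This is an added example, not part of the original post: the function names and the last two sample lines are constructed, and the bit layout assumed is the one used by OpenSSL releases before 3.0.

```python
import re

# Layout used by OpenSSL releases before 3.0 (ERR_PACK):
# library = top 8 bits, function = next 12 bits, reason = low 12 bits.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 mean "peer sent TLS alert N"

# Alert descriptions from RFC 5246 section 7.2 (subset seen during handshakes).
TLS_ALERTS = {40: "handshake_failure", 48: "unknown_ca", 70: "protocol_version",
              71: "insufficient_security", 80: "internal_error"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:\n]+):([^:\n]+):")

def decode(code_hex):
    """Unpack one 8-digit OpenSSL error code into its fields."""
    code = int(code_hex, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "alert": alert,
            "alert_name": TLS_ALERTS.get(alert)}

def explain(log_text):
    """Find every OpenSSL error in log_text and say which side raised it."""
    findings = []
    for code_hex, lib_name, func_name in ERR_RE.findall(log_text):
        info = decode(code_hex)
        info["where"] = f"{lib_name}:{func_name}"
        if info["alert"] is None:
            info["verdict"] = "raised locally by the client library"
        elif info["alert"] == 70:
            info["verdict"] = "peer rejected the protocol version the client offered"
        else:
            info["verdict"] = f"peer sent alert {info['alert']}"
        findings.append(info)
    return findings

# First line is the error quoted in the post; the other two are constructed samples.
SAMPLE = """\
SSL connect attempt failed with unknown errorerror:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""

if __name__ == "__main__":
    for f in explain(SAMPLE):
        print(f"{f['where']}: reason={f['reason']} alert={f['alert_name']} -> {f['verdict']}")
```
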