<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Any thoughts on this?<br>
    <br>
    I'm able to get pulledpork to run successfully by adding
    23.23.165.79 to my whitelist.  But my concern is that pulledpork or
    my DNS has been hijacked to pull info from a server that VRT has
    intentionally blacklisted.  The other possibility is that the IP was
    added in error to the blacklist.<br>
    <br>
    Am I the only person whose blacklist contains 23.23.165.79?  If so,
    then I clearly have big problems.  The fact that no one else is
    reporting pulledpork failures indicates that this might be the case,
    although it could also indicate that few open source users are using
    Snort inline...<br>
    <br>
    <div class="moz-cite-prefix">On 4/15/2014 11:01 AM, Dave Corsello
      wrote:<br>
    </div>
    <blockquote cite="mid:534D49DF.4060604@...15598..."
      type="cite">
      Sorry again for the confusion.  23.23.165.79 is included in my
      default.blacklist file, which is maintained by pulledpork.<br>
      <br>
      Pulledpork is configured to get the blacklist from
      labs.snort.org.  Is that the way it should be configured?<br>
      <br>
      It looks like labs.snort.org is handing the request off to an
      Amazon server at the IP address in question.  Is that the way it's
      supposed to work?<br>
      <br>
      On 4/13/2014 12:10 AM, Dave Corsello wrote:<br>
      <blockquote cite="mid:534A0E3C.9000008@...15598..."
        type="cite">
        My apologies.  I can't find the IP address in any backup of the
        IP blacklist.  I assumed the address must have been in the
        blacklist because of the following alerts in BASE:<br>
        <br>
        <table cellpadding="0" cellspacing="0" bgcolor="#FFFFFF"
          border="0" width="100%">
          <tbody>
            <tr bgcolor="#DDDDDD">
              <td align="center" valign="top"><a href="http://base2.wintertreemedia.com/base_qry_alert.php?submit=%234-%282-1375%29&sort_order=time_a">#4-(2-1375)</a></td>
              <td align="left" valign="top">[<a href="http://www.snort.org/search/sid/136-1">snort</a>] reputation: Packet is blacklisted</td>
              <td align="center" valign="top">2014-04-11 XX:XX:XX</td>
              <td align="center" valign="top"><a href="http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=10.20.60.6&netmask=32">XX.XX.XX.XX</a>:56579</td>
              <td align="center" valign="top"><a href="http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=23.23.165.79&netmask32">23.23.165.79</a>:443</td>
              <td align="center" valign="top">TCP</td>
            </tr>
            <tr bgcolor="#FFFFFF">
              <td align="center" valign="top"><a href="http://base2.wintertreemedia.com/base_qry_alert.php?submit=%235-%282-1376%29&sort_order=time_a">#5-(2-1376)</a></td>
              <td align="left" valign="top">[<a href="http://www.snort.org/search/sid/136-1">snort</a>] reputation: Packet is blacklisted</td>
              <td align="center" valign="top">2014-04-11 XX:XX:XX</td>
              <td align="center" valign="top"><a href="http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=10.20.60.6&netmask=32">XX.XX.XX.XX</a>:56579</td>
              <td align="center" valign="top"><a href="http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=23.23.165.79&netmask32">23.23.165.79</a>:443</td>
              <td align="center" valign="top">TCP</td>
            </tr>
            <tr bgcolor="#DDDDDD">
              <td align="center" valign="top"><a href="http://base2.wintertreemedia.com/base_qry_alert.php?submit=%236-%281-45791%29&sort_order=time_a">#6-(1-45791)</a></td>
              <td align="left" valign="top">[<a href="http://www.snort.org/search/sid/136-1">snort</a>] reputation: Packet is blacklisted</td>
              <td align="center" valign="top">2014-04-11 XX:XX:XX</td>
              <td align="center" valign="top"><a href="http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=10.20.60.6&netmask=32">XX.XX.XX.XX</a>:43678</td>
              <td align="center" valign="top"><a href="http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=23.23.165.79&netmask32">23.23.165.79</a>:443</td>
              <td align="center" valign="top">TCP</td>
            </tr>
            <tr bgcolor="#FFFFFF">
              <td align="center" valign="top"><a href="http://base2.wintertreemedia.com/base_qry_alert.php?submit=%237-%281-45792%29&sort_order=time_a">#7-(1-45792)</a></td>
              <td align="left" valign="top">[<a href="http://www.snort.org/search/sid/136-1">snort</a>] reputation: Packet is blacklisted</td>
              <td align="center" valign="top">2014-04-11 XX:XX:XX</td>
              <td align="center" valign="top"><a href="http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=10.20.60.6&netmask=32">XX.XX.XX.XX</a>:43678</td>
              <td align="center" valign="top"><a href="http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=23.23.165.79&netmask32">23.23.165.79</a>:443</td>
              <td align="center" valign="top">TCP</td>
            </tr>
          </tbody>
        </table>
        <br>
        <div class="moz-cite-prefix">Internal IPs and times are
          obscured.  It appears that neither source nor destination IPs
          should have been blacklisted, but BASE reports them as having
          been blacklisted by Snort.  The packets were dropped;  the
          times and internal IPs correspond to the failed pulledpork
          jobs.<br>
          <br>
          On 4/12/2014 9:28 AM, Joel Esler (jesler) wrote:<br>
        </div>
        <blockquote
          cite="mid:8FF7AA7D-DB3E-4891-90EA-8C2FF239AC15@...589..."
          type="cite">
          <pre wrap="">The ip blacklist?

--
Joel Esler
Sent from my iPhone

</pre>
          <blockquote type="cite">
            <pre wrap="">On Apr 12, 2014, at 7:05, "Dave Corsello" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:snort-users@...15598...">&lt;snort-users@...15598...&gt;</a> wrote:

The problem is that the IP address of the Amazon server from which
PulledPork pulls VRT rules was added by VRT to the default blacklist. 
Any ideas why they might have done this?


</pre>
            <blockquote type="cite">
              <pre wrap="">On 4/11/2014 2:20 PM, waldo kitty wrote:
</pre>
              <blockquote type="cite">
                <pre wrap="">On 4/11/2014 10:41 AM, Dave Corsello wrote:
I got the following error in PulledPork last night:  "A 500 error
occurred, please verify that you have recently updated your root
certificates!"  I made no changes.  Any ideas what might be happening?
</pre>
              </blockquote>
              <pre wrap="">"root certificates" sounds like ssl certificates... heartbleed... wanna bet that 
some certificates have been updated during heartbleed remediation and you now 
need to update the certificates your system(s) use...
</pre>
            </blockquote>
            <pre wrap="">------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment 
Start a new project now. Try Jenkins in the cloud.
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://p.sf.net/sfu/13600_Cloudbees">http://p.sf.net/sfu/13600_Cloudbees</a>
_______________________________________________
Snort-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</a>
Go to this URL to change user options or unsubscribe:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/snort-users">https://lists.sourceforge.net/lists/listinfo/snort-users</a>
Snort-users list archive:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a>

Please visit <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://blog.snort.org">http://blog.snort.org</a> to stay current on all the latest Snort news!
</pre>
          </blockquote>
        </blockquote>
      </blockquote>
    </blockquote>
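    <br>
    Added example, not part of the original thread or of pulledpork: a check of whether the addresses an update job connected to are covered by any entry in a reputation blacklist file, including CIDR ranges that a literal search for the IP would miss. The sample list is constructed (only 23.23.165.79 comes from the thread), and the function names are hypothetical.<br>

```python
import ipaddress

# Constructed sample in the reputation list format: one IP or CIDR per line,
# '#' starts a comment. Only 23.23.165.79 is taken from the thread; the other
# entries are documentation ranges.
SAMPLE_BLACKLIST = """\
# constructed sample blacklist
192.0.2.15
23.23.165.79
198.51.100.0/24   # constructed covering range
not-an-ip
2001:db8::/32
"""


def parse_blacklist(text):
    """Return (entries, rejected); entries are (line number, network) pairs."""
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            # strict=False accepts entries with host bits set, e.g. 10.1.2.3/8
            entries.append((lineno, ipaddress.ip_network(line, strict=False)))
        except ValueError:
            rejected.append((lineno, raw.strip()))  # surface malformed lines
    return entries, rejected


def find_matches(addresses, entries):
    """Map each address to the blacklist entries (line, network) covering it."""
    hits = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        hits[addr] = [(n, str(net)) for n, net in entries
                      if ip.version == net.version and ip in net]
    return hits


if __name__ == "__main__":
    entries, rejected = parse_blacklist(SAMPLE_BLACKLIST)
    # Destination addresses as they would be read from the dropped-packet alerts.
    seen = ["23.23.165.79", "198.51.100.77", "203.0.113.9"]
    for addr, matched in find_matches(seen, entries).items():
        print(addr, "->", matched if matched else "not listed")
    for lineno, raw in rejected:
        print("unparseable line", lineno, repr(raw))
```

Running the same check against dated backups of the list shows when an entry first appeared, which helps separate a change in the published list from a change in what the update hostname resolves to.<br>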
    <br>
  </body>
</html>