<div dir="ltr">Looking through our logs, it doesn't seem to support the DDOS theory; it never worked after the switch.  The snippets below illustrate the last working request, the transition, then the first attempt at the new address, which fails:<div><div>.</div><div>.</div><div>--2014-12-08 14:04:01--  <a href="https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx">https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx</a></div><div>Resolving www.snort.org... 23.21.42.154, 54.235.138.160, 174.129.239.220</div><div>Connecting to <a href="http://www.snort.org">www.snort.org</a>|23.21.42.154|:443... connected.</div><div>HTTP request sent, awaiting response...</div><div>.</div><div>.</div><div>.</div><div>--2014-12-08 15:04:01--  <a href="https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx">https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx</a></div><div>Resolving www.snort.org... failed: Temporary failure in name resolution.</div><div>wget: unable to resolve host address `<a href="http://www.snort.org">www.snort.org</a>'</div><div>.</div><div>.</div><div>.</div><div>--2014-12-08 16:04:01--  <a href="https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx">https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx</a></div><div>Resolving www.snort.org... 104.28.25.35, 104.28.24.35</div><div>Connecting to <a href="http://www.snort.org">www.snort.org</a>|104.28.25.35|:443... connected.</div><div>ERROR: no certificate subject alternative name matches</div><div>.</div><div>.</div><div>.</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 12, 2014 at 7:52 AM, Joel Esler (jesler) <span dir="ltr"><<a href="mailto:jesler@...589..." 
target="_blank">jesler@...589...</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">The system should allow that many queries, and if it doesn’t we’re going to abandon it!<div><br></div><div>Looking into it</div><div><div class="h5"><div><br><div><blockquote type="cite"><div>On Dec 12, 2014, at 10:44 AM, Cary Townsend <<a href="mailto:ctownsend@...17040..." target="_blank">ctownsend@...17042....</a>> wrote:</div><br><div><div dir="ltr">Sorry, I went off-list for a bit.  wget 1.16 works fine from another machine (windows / cygwin), so the latest theory is that it has to do with our server.  I'm thinking the DDOS service of cloudflare is activated by our hourly checks for new rules...</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 11, 2014 at 7:22 AM, Doug Burks <span dir="ltr"><<a href="mailto:doug.burks@...11827..." target="_blank">doug.burks@...11827...</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Joel,<br>
<br>
Pulledpork 0.7 on Ubuntu 12.04 results in the following:<br>
<br>
Checking latest MD5 for snortrules-snapshot-2970.tar.gz....<br>
Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5<br>
** GET <a href="https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/OINKCODE-REDACTED" target="_blank">https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/OINKCODE-REDACTED</a><br>
==> 500 Can't connect to <a href="http://www.snort.org:443/" target="_blank">www.snort.org:443</a> (certificate verify failed)<br>
Error 500 when fetching<br>
<a href="https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5" target="_blank">https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5</a> at<br>
<a href="http://pulledpork.pl/" target="_blank">pulledpork.pl</a> line 463.<br>
main::md5file("OINKCODE-REDACTED", "snortrules-snapshot-2970.tar.gz",<br>
"/tmp/", "<a href="https://www.snort.org/reg-rules/" target="_blank">https://www.snort.org/reg-rules/</a>") called at <a href="http://pulledpork.pl/" target="_blank">pulledpork.pl</a><br>
line 1847<br>
<br>
Thanks!<br>
<div><div><br>
On Thu, Dec 11, 2014 at 9:30 AM, Joel Esler (jesler) <<a href="mailto:jesler@...589..." target="_blank">jesler@...589...</a>> wrote:<br>
> We have moved to Cloudflare to balance the traffic we are receiving on the<br>
> site.  We had a particular user that shared an oinkcode somewhere, and as a<br>
> result we were dealing with over 35 Million downloads a day, so we had to<br>
> upgrade a bit.<br>
><br>
> We have heard that older versions (or perhaps older cert trusts) of curl and<br>
> wget are having a problem navigating through Cloudflare over to the site.<br>
> It’s difficult for us to pin down as our tests work, and download numbers<br>
> are staying constant, however, we have had a few people (like yourselves)<br>
> say you can’t reach the site.<br>
><br>
> I suggest the above.  (versions of curl/wget/cert trusts) and let me know<br>
> your results.<br>
><br>
> --<br>
> Joel Esler<br>
> Open Source Manager<br>
> Threat Intelligence Team Lead<br>
> Talos<br>
><br>
><br>
><br>
><br>
><br>
> On Dec 11, 2014, at 5:58 AM, <a href="mailto:elof@...6680..." target="_blank">elof@...6680...</a> wrote:<br>
><br>
><br>
> I too have this annoying issue.<br>
><br>
> wget -v --debug '<a href="https://www.snort.org/" target="_blank">https://www.snort.org/</a>'<br>
> DEBUG output created by Wget 1.13.4 on linux-gnu.<br>
><br>
> URI encoding = `UTF-8'<br>
> --2014-12-10 11:49:27--  <a href="https://www.snort.org/" target="_blank">https://www.snort.org/</a><br>
> Resolving <a href="http://www.snort.org/" target="_blank">www.snort.org</a> (<a href="http://www.snort.org/" target="_blank">www.snort.org</a>)... 104.28.24.35, 104.28.25.35,<br>
> 2400:cb00:2048:1::681c:1823, ...<br>
> Caching <a href="http://www.snort.org/" target="_blank">www.snort.org</a> => 104.28.24.35 104.28.25.35<br>
> 2400:cb00:2048:1::681c:1823 2400:cb00:2048:1::681c:1923<br>
> Connecting to <a href="http://www.snort.org/" target="_blank">www.snort.org</a> (<a href="http://www.snort.org/" target="_blank">www.snort.org</a>)|104.28.24.35|:443...<br>
> connected.<br>
> Created socket 4.<br>
> Releasing 0x0000000002278790 (new refcount 1).<br>
> GnuTLS: A TLS fatal alert has been received.<br>
> Closed fd 4<br>
> Unable to establish SSL connection.<br>
><br>
><br>
><br>
> If you use Debian Stable you get wget 1.13.4.<br>
> Googling the error message hints that you need wget >= 1.15.<br>
><br>
><br>
> Does anyone have a workaround? I don't want to compile the latest wget<br>
> manually, since this breaks the ability to easily keep everything<br>
> up to date with 'apt-get upgrade'.<br>
><br>
> /Elof<br>
><br>
><br>
> On Wed, 10 Dec 2014, waldo kitty wrote:<br>
><br>
> On 12/10/2014 6:56 PM, Cary Townsend wrote:<br>
><br>
> Hi All,<br>
><br>
> We use wget to obtain rule updates from <a href="http://snort.org/" target="_blank">snort.org</a> with our oink code, but it<br>
> is now broken.  Apparently, <a href="http://snort.org/" target="_blank">snort.org</a> is now behind cloudflare, which denies<br>
> direct IP access.  Basically, the cert wget ultimately receives is<br>
> cloudflare's cert, not <a href="http://snort.org/" target="_blank">snort.org</a>'s.  A web browser seems to get redirected<br>
> somehow to the real snort site and gets the <a href="http://snort.org/" target="_blank">snort.org</a> cert.  Thoughts?<br>
><br>
><br>
> wget works fine over here...  we've not seen any problems using it other<br>
> than a<br>
> few niggles here and there that were easily taken care of...<br>
><br>
> do you perhaps mean amazonaws instead of cloudflare?<br>
><br>
> what url are you using to get the rules? (obfuscate your oinkcode)<br>
><br>
> what version of snort are you trying to get rules for?<br>
><br>
> --<br>
> NOTE: No off-list assistance is given without prior approval.<br>
>       Please *keep mailing list traffic on the list* unless<br>
>       private contact is specifically requested and granted.<br>
><br>
> ------------------------------------------------------------------------------<br>
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server<br>
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards<br>
> with Interactivity, Sharing, Native Excel Exports, App Integration & more<br>
> Get technology previously reserved for billion-dollar corporations, FREE<br>
> <a href="http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk" target="_blank">http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk</a><br>
> _______________________________________________<br>
> Snort-users mailing list<br>
> <a href="mailto:Snort-users@lists.sourceforge.net" target="_blank">Snort-users@lists.sourceforge.net</a><br>
> Go to this URL to change user options or unsubscribe:<br>
> <a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
> Snort-users list archive:<br>
> <a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a><br>
><br>
> Please visit <a href="http://blog.snort.org/" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort<br>
> news!<br>
><br>
><br>
<br>
<br>
<br>
--<br>
</div></div><span><font color="#888888">Doug Burks<br>
Need Security Onion Training or Commercial Support?<br>
<a href="http://securityonionsolutions.com/" target="_blank">http://securityonionsolutions.com</a><br>
Last day to register for 3-Day Training Class in Augusta GA is 12/11!<br>
</font></span><div><div><br>
</div></div></blockquote></div><br clear="all"><div><br></div>-- <br><div><table border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse"> <tbody><tr> <td width="90" valign="top" style="width:1.25in;padding:0in 5.4pt 0in 5.4pt"><p><br><img width="98" height="65" src="http://www.catbird.com/assets/images/catbird_logo_210x142.png"></p> </td>  <td width="202" valign="top" style="width:202.0pt;padding:0in 5.4pt 0in 5.4pt"><p><span style="font-size:11.0pt;font-family:Arial"><span>Cary</span> Townsend<br> Senior Engineer<br> <a href="mailto:ctownsend@...17040..." target="_blank">ctownsend@...17040...</a><br> <a href="tel:1-866-682-0080" value="+18666820080" target="_blank">1-866-682-0080</a><br> <a href="http://www.catbird.com/" target="_blank">www.catbird.com</a></span></p> </td> </tr> </tbody></table></div>
</div>
</div></blockquote></div><br></div></div></div></div></blockquote></div><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><table border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse"> <tr> <td width="90" valign="top" style="width:1.25in;padding:0in 5.4pt 0in 5.4pt"> <p><br><img width="98" height="65" src="http://www.catbird.com/assets/images/catbird_logo_210x142.png"></p> </td>  <td width="202" valign="top" style="width:202.0pt;padding:0in 5.4pt 0in 5.4pt"> <p><span style="font-size:11.0pt;font-family:Arial"><span>Cary</span> Townsend<br> Senior Engineer<br> <a href="mailto:ctownsend@...17040..." 
target="_blank">ctownsend@...17040...</a><br> 1-866-682-0080<br> <a href="http://www.catbird.com" target="_blank">www.catbird.com</a></span></p> </td> </tr> </table></div>
</div>
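<p>The check described at the top of this thread (last working request, the address switch, first failure on the new addresses) can be run over an hourly wget log mechanically. This is an added example, not code from any poster or from the Snort project; the function names are hypothetical, the sample log is constructed from the lines quoted above, and only IPv4 addresses are compared.</p>

```python
import re

# Constructed sample modelled on the three hourly wget attempts quoted in the
# thread (URL shortened, oinkcode and "Connecting" lines left out); not a verbatim log.
SAMPLE_LOG = """\
--2014-12-08 14:04:01--  https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz
Resolving www.snort.org... 23.21.42.154, 54.235.138.160, 174.129.239.220
HTTP request sent, awaiting response...
--2014-12-08 15:04:01--  https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz
Resolving www.snort.org... failed: Temporary failure in name resolution.
--2014-12-08 16:04:01--  https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz
Resolving www.snort.org... 104.28.25.35, 104.28.24.35
ERROR: no certificate subject alternative name matches
"""

START = re.compile(r"^--(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)--")
RESOLVE = re.compile(r"^Resolving .*?\.\.\. (.*)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
TLS_ERRORS = ("no certificate subject alternative name matches",
              "Unable to establish SSL connection")

def parse_attempts(log):
    """Return one dict per wget attempt: time, resolved IPv4 set, outcome."""
    attempts = []
    for line in log.splitlines():
        if (m := START.match(line)):
            attempts.append({"time": m.group(1), "ips": frozenset(), "outcome": "unknown"})
        elif not attempts:
            continue  # ignore anything before the first attempt header
        elif (m := RESOLVE.match(line)):
            if m.group(1).startswith("failed"):
                attempts[-1]["outcome"] = "dns_failure"
            else:
                attempts[-1]["ips"] = frozenset(IPV4.findall(m.group(1)))
        elif any(err in line for err in TLS_ERRORS):
            attempts[-1]["outcome"] = "tls_failure"
        elif line.startswith("HTTP request sent") and attempts[-1]["outcome"] == "unknown":
            attempts[-1]["outcome"] = "request_sent"
    return attempts

def first_switch(attempts):
    """Return (time, outcomes before, outcomes from then on) at the first disjoint address set."""
    prev = None
    for i, a in enumerate(attempts):
        if a["ips"] and prev and a["ips"].isdisjoint(prev):
            return (a["time"], [x["outcome"] for x in attempts[:i]],
                    [x["outcome"] for x in attempts[i:]])
        prev = a["ips"] or prev  # a failed lookup does not reset the baseline
    return None
```

<p>If no `request_sent` outcome appears in the third element returned by `first_switch`, the log shows no request getting through on the new addresses, which points at the TLS handshake rather than at rate limiting that starts after some number of successful fetches.</p>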