<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">The system should allow that many queries, and if it doesn’t we’re going to abandon it!<div class=""><br class=""></div><div class="">Looking into it</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Dec 12, 2014, at 10:44 AM, Cary Townsend <<a href="mailto:ctownsend@...17040..." class="">ctownsend@...17040...</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div dir="ltr" class="">Sorry, I went off-list for a bit.  wget 1.16 works fine from another machine (windows / cygwin), so the latest theory is that it has to do with our server.  I'm thinking the DDOS service of cloudflare is activated by our hourly checks for new rules...</div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Thu, Dec 11, 2014 at 7:22 AM, Doug Burks <span dir="ltr" class=""><<a href="mailto:doug.burks@...11827..." target="_blank" class="">doug.burks@...11827...</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Joel,<br class="">
<br class="">
Pulledpork 0.7 on Ubuntu 12.04 results in the following:<br class="">
<br class="">
Checking latest MD5 for snortrules-snapshot-2970.tar.gz....<br class="">
Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5<br class="">
** GET <a href="https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/OINKCODE-REDACTED" target="_blank" class="">https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/OINKCODE-REDACTED</a><br class="">
==> 500 Can't connect to <a href="http://www.snort.org:443/" target="_blank" class="">www.snort.org:443</a> (certificate verify failed)<br class="">
Error 500 when fetching<br class="">
<a href="https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5" target="_blank" class="">https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5</a> at<br class="">
<a href="http://pulledpork.pl/" target="_blank" class="">pulledpork.pl</a> line 463.<br class="">
main::md5file("OINKCODE-REDACTED", "snortrules-snapshot-2970.tar.gz",<br class="">
"/tmp/", "<a href="https://www.snort.org/reg-rules/" target="_blank" class="">https://www.snort.org/reg-rules/</a>") called at <a href="http://pulledpork.pl/" target="_blank" class="">pulledpork.pl</a><br class="">
line 1847<br class="">
<br class="">
Thanks!<br class="">
<div class="HOEnZb"><div class="h5"><br class="">
On Thu, Dec 11, 2014 at 9:30 AM, Joel Esler (jesler) <<a href="mailto:jesler@...589..." class="">jesler@...589...</a>> wrote:<br class="">
> We have moved to Cloudflare to balance the traffic we are receiving on the<br class="">
> site.  We had a particular user that shared an oinkcode somewhere, and as a<br class="">
> result we were dealing with over 35 Million downloads a day, so we had to<br class="">
> upgrade a bit.<br class="">
><br class="">
> We have heard that older versions (or perhaps older cert trusts) of curl and<br class="">
> wget are having a problem navigating through Cloudflare over to the site.<br class="">
> It’s difficult for us to pin down as our tests work, and download numbers<br class="">
> are staying constant, however, we have had a few people (like yourselves)<br class="">
> say you can’t reach the site.<br class="">
><br class="">
> I suggest the above.  (versions of curl/wget/cert trusts) and let me know<br class="">
> your results.<br class="">
><br class="">
> --<br class="">
> Joel Esler<br class="">
> Open Source Manager<br class="">
> Threat Intelligence Team Lead<br class="">
> Talos<br class="">
><br class="">
><br class="">
><br class="">
><br class="">
><br class="">
> On Dec 11, 2014, at 5:58 AM, <a href="mailto:elof@...6680..." class="">elof@...6680...</a> wrote:<br class="">
><br class="">
><br class="">
> I too have this annoying issue.<br class="">
><br class="">
> wget -v --debug '<a href="https://www.snort.org/" target="_blank" class="">https://www.snort.org/</a>'<br class="">
> DEBUG output created by Wget 1.13.4 on linux-gnu.<br class="">
><br class="">
> URI encoding = `UTF-8'<br class="">
> --2014-12-10 11:49:27--  <a href="https://www.snort.org/" target="_blank" class="">https://www.snort.org/</a><br class="">
> Resolving <a href="http://www.snort.org/" target="_blank" class="">www.snort.org</a> (<a href="http://www.snort.org/" target="_blank" class="">www.snort.org</a>)... 104.28.24.35, 104.28.25.35,<br class="">
> 2400:cb00:2048:1::681c:1823, ...<br class="">
> Caching <a href="http://www.snort.org/" target="_blank" class="">www.snort.org</a> => 104.28.24.35 104.28.25.35<br class="">
> 2400:cb00:2048:1::681c:1823 2400:cb00:2048:1::681c:1923<br class="">
> Connecting to <a href="http://www.snort.org/" target="_blank" class="">www.snort.org</a> (<a href="http://www.snort.org/" target="_blank" class="">www.snort.org</a>)|104.28.24.35|:443...<br class="">
> connected.<br class="">
> Created socket 4.<br class="">
> Releasing 0x0000000002278790 (new refcount 1).<br class="">
> GnuTLS: A TLS fatal alert has been received.<br class="">
> Closed fd 4<br class="">
> Unable to establish SSL connection.<br class="">
><br class="">
><br class="">
><br class="">
> If you use Debian Stable you get wget 1.13.4.<br class="">
> Googling the error message hints that you need wget >= 1.15.<br class="">
><br class="">
><br class="">
> Does anyone have a workaround? I don't want to compile the latest wget<br class="">
> manually, since this breaks the ability to easily keep everything<br class="">
> up to date with 'apt-get upgrade'.<br class="">
><br class="">
> /Elof<br class="">
><br class="">
><br class="">
> On Wed, 10 Dec 2014, waldo kitty wrote:<br class="">
><br class="">
> On 12/10/2014 6:56 PM, Cary Townsend wrote:<br class="">
><br class="">
> Hi All,<br class="">
><br class="">
> We use wget to obtain rule updates from <a href="http://snort.org/" target="_blank" class="">snort.org</a> with our oink code, but it<br class="">
> is now broken.  Apparently, <a href="http://snort.org/" target="_blank" class="">snort.org</a> is now behind cloudflare, which denies<br class="">
> direct IP access.  Basically, the cert wget ultimately receives is<br class="">
> cloudflare's cert, not <a href="http://snort.org/" target="_blank" class="">snort.org</a>'s.  A web browser seems to get redirected<br class="">
> somehow to the real snort site and gets the <a href="http://snort.org/" target="_blank" class="">snort.org</a> cert.  Thoughts?<br class="">
><br class="">
><br class="">
> wget works fine over here...  we've not seen any problems using it other<br class="">
> than a<br class="">
> few niggles here and there that were easily taken care of...<br class="">
><br class="">
> do you perhaps mean amazonaws instead of cloudflare?<br class="">
><br class="">
> what url are you using to get the rules? (obfuscate your oinkcode)<br class="">
><br class="">
> what version of snort are you trying to get rules for?<br class="">
><br class="">
> --<br class="">
> NOTE: No off-list assistance is given without prior approval.<br class="">
>       Please *keep mailing list traffic on the list* unless<br class="">
>       private contact is specifically requested and granted.<br class="">
><br class="">
> ------------------------------------------------------------------------------<br class="">
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server<br class="">
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards<br class="">
> with Interactivity, Sharing, Native Excel Exports, App Integration & more<br class="">
> Get technology previously reserved for billion-dollar corporations, FREE<br class="">
> <a href="http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk" target="_blank" class="">http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk</a><br class="">
> _______________________________________________<br class="">
> Snort-users mailing list<br class="">
> <a href="mailto:Snort-users@lists.sourceforge.net" class="">Snort-users@lists.sourceforge.net</a><br class="">
> Go to this URL to change user options or unsubscribe:<br class="">
> <a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank" class="">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br class="">
> Snort-users list archive:<br class="">
> <a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank" class="">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a><br class="">
><br class="">
> Please visit <a href="http://blog.snort.org/" target="_blank" class="">http://blog.snort.org</a> to stay current on all the latest Snort<br class="">
> news!<br class="">
><br class="">
><br class="">
><br class="">
><br class="">
><br class="">
<br class="">
<br class="">
<br class="">
--<br class="">
</div></div><span class="HOEnZb"><font color="#888888" class="">Doug Burks<br class="">
Need Security Onion Training or Commercial Support?<br class="">
<a href="http://securityonionsolutions.com/" target="_blank" class="">http://securityonionsolutions.com</a><br class="">
Last day to register for 3-Day Training Class in Augusta GA is 12/11!<br class="">
</font></span><div class="HOEnZb"><div class="h5"><br class="">
</div></div></blockquote></div><br clear="all" class=""><div class=""><br class=""></div>-- <br class=""><div class="gmail_signature"><table border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse" class=""> <tbody class=""><tr class=""> <td width="90" valign="top" style="width:1.25in;padding:0in 5.4pt 0in 5.4pt" class=""><p class=""><br class=""><img width="98" height="65" src="http://www.catbird.com/assets/images/catbird_logo_210x142.png" class=""></p> </td>  <td width="202" valign="top" style="width:202.0pt;padding:0in 5.4pt 0in 5.4pt" class=""><p class=""><span style="font-size:11.0pt;font-family:Arial" class=""><span class="">Cary</span> Townsend<br class=""> Senior Engineer<br class=""> <a href="mailto:ctownsend@...17040..." target="_blank" class="">ctownsend@...17040...</a><br class=""> 1-866-682-0080<br class=""> <a href="http://www.catbird.com/" target="_blank" class="">www.catbird.com</a></span></p> </td> </tr> </tbody></table></div>
</div>
</div></blockquote></div><br class=""></div></body></html>