Snort mailing list archives

Re: Rules updates broken?


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 12 Dec 2014 17:39:45 +0000

We are working to resolve the issue right now, sorry for the inconvenience.

--
Joel Esler
Sent from my iPhone

On Dec 12, 2014, at 12:38 PM, Cary Townsend <ctownsend () catbird com> wrote:

Looking through our logs, it doesn't seem to support the DDOS theory; it never worked after the switch.  The snippets 
below illustrate the last working request, the transition, then the first attempt at the new address, which fails:
.
.
--2014-12-08 14:04:01--  https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx
Resolving www.snort.org... 23.21.42.154, 54.235.138.160, 174.129.239.220
Connecting to www.snort.org|23.21.42.154|:443... connected.
HTTP request sent, awaiting response...
.
.
.
--2014-12-08 15:04:01--  https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx
Resolving www.snort.org... failed: Temporary failure in name resolution.
wget: unable to resolve host address `www.snort.org'
.
.
.
--2014-12-08 16:04:01--  https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx
Resolving www.snort.org... 104.28.25.35, 104.28.24.35
Connecting to www.snort.org|104.28.25.35|:443... connected.
ERROR: no certificate subject alternative name matches
.
.
.

On Fri, Dec 12, 2014 at 7:52 AM, Joel Esler (jesler) <jesler () cisco com> wrote:
The system should allow that many queries, and if it doesn’t we’re going to abandon it!

Looking into it

On Dec 12, 2014, at 10:44 AM, Cary Townsend <ctownsend () catbird com> wrote:

Sorry, I went off-list for a bit.  wget 1.16 works fine from another machine (windows / cygwin), so the latest theory 
is that it has to do with our server.  I'm thinking the DDOS service of cloudflare is activated by our hourly checks 
for new rules...

On Thu, Dec 11, 2014 at 7:22 AM, Doug Burks <doug.burks () gmail com> wrote:
Hi Joel,

Pulledpork 0.7 on Ubuntu 12.04 results in the following:

Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/OINKCODE-REDACTED
==> 500 Can't connect to www.snort.org:443 (certificate verify failed)
Error 500 when fetching
https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5 at
pulledpork.pl line 463.
main::md5file("OINKCODE-REDACTED", "snortrules-snapshot-2970.tar.gz",
"/tmp/", "https://www.snort.org/reg-rules/") called at pulledpork.pl
line 1847

Thanks!

On Thu, Dec 11, 2014 at 9:30 AM, Joel Esler (jesler) <jesler () cisco com> wrote:
We have moved to Cloudflare to balance the traffic we are receiving on the
site.  We had a particular user that shared an oinkcode somewhere, and as a
result we were dealing with over 35 Million downloads a day, so we had to
upgrade a bit.

We have heard that older versions (or perhaps older cert trusts) of curl and
wget are having a problem navigating through Cloudflare over to the site.
It’s difficult for us to pin down as our tests work, and download numbers
are staying constant; however, we have had a few people (like yourselves)
say you can’t reach the site.

I suggest the above (versions of curl/wget/cert trusts); let me know
your results.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos





On Dec 11, 2014, at 5:58 AM, elof () sentor se wrote:


I too have this annoying issue.

wget -v --debug 'https://www.snort.org/'
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
--2014-12-10 11:49:27--  https://www.snort.org/
Resolving www.snort.org (www.snort.org)... 104.28.24.35, 104.28.25.35, 2400:cb00:2048:1::681c:1823, ...
Caching www.snort.org => 104.28.24.35 104.28.25.35 2400:cb00:2048:1::681c:1823 2400:cb00:2048:1::681c:1923
Connecting to www.snort.org (www.snort.org)|104.28.24.35|:443... connected.
Created socket 4.
Releasing 0x0000000002278790 (new refcount 1).
GnuTLS: A TLS fatal alert has been received.
Closed fd 4
Unable to establish SSL connection.



If you use Debian Stable you get wget 1.13.4.
Googling the error message hints that you need wget >= 1.15.


Does anyone have a workaround? I don't want to compile the latest wget
manually, since this breaks the ability to easily keep everything
up to date with 'apt-get upgrade'.

/Elof
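The log reading done higher up in this thread (the request that worked, the name-resolution failure at the switch, then the SAN mismatch on the Cloudflare address) and Elof's GnuTLS alert above are the kind of thing worth automating when a rules feed starts failing. As an added example, not code from the thread or from the Snort project, here is a small Python parser that splits a wget log into attempts, classifies how far each one got, and flags when the peer IP actually connected to changes; the sample log is constructed from the lines quoted in this thread with the mail-client link residue removed.

```python
import re
# Constructed sample: wget log lines quoted in this thread (oinkcode redacted, mail-client residue removed).
SAMPLE_LOG = """\
--2014-12-08 14:04:01--  https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx
Resolving www.snort.org... 23.21.42.154, 54.235.138.160, 174.129.239.220
Connecting to www.snort.org|23.21.42.154|:443... connected.
HTTP request sent, awaiting response...
--2014-12-08 15:04:01--  https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx
Resolving www.snort.org... failed: Temporary failure in name resolution.
--2014-12-08 16:04:01--  https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=xxxx
Resolving www.snort.org... 104.28.25.35, 104.28.24.35
Connecting to www.snort.org|104.28.25.35|:443... connected.
ERROR: no certificate subject alternative name matches
--2014-12-10 11:49:27--  https://www.snort.org/
Connecting to www.snort.org (www.snort.org)|104.28.24.35|:443... connected.
GnuTLS: A TLS fatal alert has been received.
"""
ATTEMPT_RE = re.compile(r"^--(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)--\s+(\S+)")
CONNECT_RE = re.compile(r"^Connecting to .*\|([0-9a-fA-F.:]+)\|:\d+")
# The first marker seen inside an attempt decides how far that attempt got.
STAGES = [
    ("failed: Temporary failure in name resolution", "dns_failure"),
    ("no certificate subject alternative name matches", "cert_name_mismatch"),
    ("TLS fatal alert", "tls_handshake_failure"),
    ("HTTP request sent", "request_sent"),
]


def parse_attempts(log):
    """Split a wget log into (timestamp, url, peer_ip, stage) per '--ts--' header."""
    attempts = []
    for line in log.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            attempts.append([m.group(1), m.group(2), None, "incomplete"])
        elif attempts:  # lines before the first attempt header are ignored
            cur = attempts[-1]
            if c := CONNECT_RE.match(line):
                cur[2] = c.group(1)  # the address wget actually connected to
            if cur[3] == "incomplete":
                cur[3] = next((s for mk, s in STAGES if mk in line), "incomplete")
    return [tuple(a) for a in attempts]


def peer_changes(attempts):
    """Return (timestamp, old_ip, new_ip) wherever the server actually reached changed."""
    changes, last = [], None
    for ts, _url, ip, _stage in attempts:
        if ip and last and ip != last:
            changes.append((ts, last, ip))
        last = ip or last
    return changes
```

On the sample the first flagged change is the 16:04 attempt moving from 23.21.42.154 to 104.28.25.35, which is the infrastructure switch the thread is about; the second is only Cloudflare rotating between its two addresses.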


On Wed, 10 Dec 2014, waldo kitty wrote:

On 12/10/2014 6:56 PM, Cary Townsend wrote:

Hi All,

We use wget to obtain rule updates from snort.org with our oink code, but it
is now broken.  Apparently, snort.org is now behind cloudflare, which denies
direct IP access.  Basically, the cert wget ultimately receives is
cloudflare's cert, not snort.org's.  A web browser seems to get redirected
somehow to the real snort site and gets the snort.org cert.  Thoughts?


wget works fine over here...  we've not seen any problems using it other
than a few niggles here and there that were easily taken care of...

do you perhaps mean amazonaws instead of cloudflare?

what url are you using to get the rules? (obfuscate your oinkcode)

what version of snort are you trying to get rules for?

--
NOTE: No off-list assistance is given without prior approval.
      Please *keep mailing list traffic on the list* unless
      private contact is specifically requested and granted.

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort
news!








--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com<http://securityonionsolutions.com/>
Last day to register for 3-Day Training Class in Augusta GA is 12/11!



--



Cary Townsend
Senior Engineer
ctownsend () catbird com<mailto:ctownsend () catbird com>
1-866-682-0080<tel:1-866-682-0080>
www.catbird.com<http://www.catbird.com/>






