Snort mailing list archives
Re: Rules updates broken?
From: René Bauer <r.bauer () on-collect de>
Date: Thu, 11 Dec 2014 17:09:04 +0100
Hi Guys, we can confirm the following:

Ubuntu 14.04:
* pulledpork: OK
* wget: OK
* curl: OK

wget -V:
GNU Wget 1.15 übersetzt unter linux-gnu.
+digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/openssl
Wgetrc: /etc/wgetrc (System)
Lokale: /usr/share/locale
Übersetzt: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc" -DLOCALEDIR="/usr/share/locale" -I. -I../../src -I../lib -I../../lib -D_FORTIFY_SOURCE=2 -I/usr/include -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall
Gebunden: gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall -Wl,-Bsymbolic-functions -Wl,-z,relro -L/usr/lib -lssl -lcrypto -ldl -lz -lidn -luuid ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a

curl -V:
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
SLES 11 SP3:
* pulledpork: no chance
* wget: certificate problem / works with --no-check-certificate
* curl: SSLv3 handshake problem / can't force TLS

wget -V:
GNU Wget 1.11.4

curl -V:
curl 7.19.7 (x86_64-suse-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8j zlib/1.2.7 libidn/1.10
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

So I think Joel is right. It's just a problem with older versions of wget and curl. We also tried using the ca-cert path from Ubuntu under SLES with no success (curl --capath, wget --ca-directory). So I would say it's no cert issue but a problem while "handshaking" (protocols and ciphers).
We use the following workaround on SLES now:

wget -v --no-check-certificate https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz.md5?oinkcode=<code> -O /tmp/snortrules-snapshot-2962.tar.gz.md5
wget -v --no-check-certificate https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=<code> -O /tmp/snortrules-snapshot-2962.tar.gz
/opt/pulledpork-0.7.0/pulledpork.pl -c /opt/pulledpork-0.7.0/etc/pulledpork.conf -P -H -T -n

Edit URLs and paths as required. Hth.

Ciao,
Rene

On 11.12.14 at 16:22, Doug Burks wrote:
Hi Joel,

Pulledpork 0.7 on Ubuntu 12.04 results in the following:

Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/OINKCODE-REDACTED ==> 500 Can't connect to www.snort.org:443 (certificate verify failed)
Error 500 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5 at pulledpork.pl line 463.
main::md5file("OINKCODE-REDACTED", "snortrules-snapshot-2970.tar.gz", "/tmp/", "https://www.snort.org/reg-rules/") called at pulledpork.pl line 1847

Thanks!

On Thu, Dec 11, 2014 at 9:30 AM, Joel Esler (jesler) <jesler () cisco com> wrote:

We have moved to Cloudflare to balance the traffic we are receiving on the site. We had a particular user that shared an oinkcode somewhere, and as a result we were dealing with over 35 million downloads a day, so we had to upgrade a bit. We have heard that older versions (or perhaps older cert trusts) of curl and wget are having a problem navigating through Cloudflare over to the site. It's difficult for us to pin down as our tests work, and download numbers are staying constant, however, we have had a few people (like yourselves) say you can't reach the site. I suggest the above. (versions of curl/wget/cert trusts) and let me know your results.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Dec 11, 2014, at 5:58 AM, elof () sentor se wrote:

I too have this annoying issue.

wget -v --debug 'https://www.snort.org/'
DEBUG output created by Wget 1.13.4 on linux-gnu.
URI encoding = `UTF-8'
--2014-12-10 11:49:27-- https://www.snort.org/
Resolving www.snort.org (www.snort.org)... 104.28.24.35, 104.28.25.35, 2400:cb00:2048:1::681c:1823, ...
Caching www.snort.org => 104.28.24.35 104.28.25.35 2400:cb00:2048:1::681c:1823 2400:cb00:2048:1::681c:1923
Connecting to www.snort.org (www.snort.org)|104.28.24.35|:443... connected.
Created socket 4.
Releasing 0x0000000002278790 (new refcount 1).
GnuTLS: A TLS fatal alert has been received.
Closed fd 4
Unable to establish SSL connection.

If you use Debian Stable you get wget 1.13.4. Googling the error message hints that you need wget >= 1.15. Does anyone have a workaround? I don't want to compile the latest wget manually, since this breaks the ability to easily keep everything up to date with 'apt-get upgrade'.

/Elof

On Wed, 10 Dec 2014, waldo kitty wrote:

On 12/10/2014 6:56 PM, Cary Townsend wrote:

Hi All,

We use wget to obtain rule updates from snort.org with our oink code, but it is now broken. Apparently, snort.org is now behind cloudflare, which denies direct IP access. Basically, the cert wget ultimately receives is cloudflare's cert, not snort.org's. A web browser seems to get redirected somehow to the real snort site and gets the snort.org cert. Thoughts?

wget works fine over here... we've not seen any problems using it other than a few niggles here and there that were easily taken care of... do you perhaps mean amazonaws instead of cloudflare? what url are you using to get the rules? (obfuscate your oinkcode) what version of snort are you trying to get rules for?

--
NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate!
Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Kind regards
René Bauer

on-collect solutions AG
Locations: Karlstraße 3 in 89073 Ulm / Marktplatz 20 in 89257 Illertissen
Phone: +49 (0) 73 03 – 95 28 94 - 550
Fax: +49 (0) 73 03 – 95 28 94 - 511
E-Mail: r.bauer () on-collect de
Web: www.on-collect.de

Management Board: Dr. Joachim Schmid
Chairman of the Supervisory Board: Dr. Georg Nüßlein
Ulm District Court HRB 730793 - Tax number: DE246631672
_____________________________________________________________
This e-mail contains confidential and legally protected information and is valid without signature. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and destroy this message. Unauthorized copying and unauthorized forwarding of this e-mail are not permitted.
_____________________________________________________________
This e-mail is confidential and may well also be legally privileged. If you have received it in error, you are on notice of its status. Please notify us immediately by reply e-mail and then delete this message from your system. Please do not copy it or use it for any purposes, or disclose its contents to any other person: to do so could be a breach of confidence. Thank you for your cooperation.
_____________________________________________________________
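As an added example (not code from the thread, from pulledpork or from snort.org), the script below turns the thread's two observations into checks a defender can script: it reads the OpenSSL version out of `curl -V` output to predict whether the client can negotiate TLS 1.1/1.2 at all (OpenSSL 1.0.1 is the first release that has them; the SLES box above is on 0.9.8j), fetches the snapshot with certificate verification left on by naming an explicit CA bundle instead of passing --no-check-certificate, and refuses to run pulledpork unless the tarball matches its .md5 file. Assumptions: the .md5 file's first whitespace-separated field is the hex digest (md5sum layout), the CA bundle path is a placeholder, and the URL layout is the one from René's workaround.

```shell
#!/bin/sh
# Added example, not code from the thread or from pulledpork.
# Assumptions: .md5 file = "<hex digest> <name>" (md5sum layout);
# /etc/ssl/certs/ca-certificates.crt is a placeholder CA bundle path.

# Print the OpenSSL version curl was linked against ("0.9.8j", "1.0.1f"),
# given the first line of `curl -V`; prints nothing for non-OpenSSL builds.
curl_openssl_version() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL/\([0-9][0-9a-z.]*\).*|\1|p'
}

# Exit 0 if the OpenSSL version is 1.0.1 or newer (first release with
# TLS 1.1/1.2), 1 otherwise (0.9.8 and 1.0.0 only speak SSLv3/TLS 1.0).
openssl_has_tls12() {
    v=$1
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=$(printf '%s' "$rest" | sed 's/[^0-9].*//')   # "1f" -> "1"
    [ "${major:-0}" -gt 1 ] && return 0
    [ "${major:-0}" -eq 1 ] && [ "${minor:-0}" -gt 0 ] && return 0
    [ "${major:-0}" -eq 1 ] && [ "${minor:-0}" -eq 0 ] && [ "${patch:-0}" -ge 1 ] && return 0
    return 1
}

# Exit 0 only if the tarball's md5 equals the digest in the .md5 file.
# Rejects an empty or non-hex first field so a fetched error page cannot
# pass as a digest.
verify_md5() {
    tarball=$1; md5file=$2
    expected=$(awk 'NR==1 {print tolower($1)}' "$md5file")
    case $expected in
        *[!0-9a-f]*|"") return 1 ;;
    esac
    [ ${#expected} -eq 32 ] || return 1
    actual=$(md5sum "$tarball" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Fetch snapshot + .md5 with verification on (explicit CA bundle), then check.
fetch_rules() {
    base=$1; snap=$2; oinkcode=$3; dest=$4; cabundle=$5
    wget -q --ca-certificate="$cabundle" -O "$dest/$snap.md5" \
        "$base/$snap.md5?oinkcode=$oinkcode" || return 1
    wget -q --ca-certificate="$cabundle" -O "$dest/$snap" \
        "$base/$snap?oinkcode=$oinkcode" || return 1
    verify_md5 "$dest/$snap" "$dest/$snap.md5"
}

# Stand-alone run: SNORT_OINKCODE=<code> sh fetch-rules.sh ; inert when unset.
if [ -n "${SNORT_OINKCODE:-}" ]; then
    ssl=$(curl_openssl_version "$(curl -V 2>/dev/null | head -n 1)")
    if [ -n "$ssl" ] && ! openssl_has_tls12 "$ssl"; then
        echo "curl is linked against OpenSSL $ssl: no TLS 1.1/1.2, expect handshake failures" >&2
    fi
    fetch_rules "https://www.snort.org/rules" "snortrules-snapshot-2962.tar.gz" \
        "$SNORT_OINKCODE" /tmp /etc/ssl/certs/ca-certificates.crt \
        && /opt/pulledpork-0.7.0/pulledpork.pl -c /opt/pulledpork-0.7.0/etc/pulledpork.conf -P -H -T -n
fi
```

The version check is a heuristic for the symptom in the thread, not a replacement for a real handshake test; the md5 check only catches a truncated or swapped download, since the digest travels over the same connection as the tarball.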
Current thread:
- Rules updates broken? Cary Townsend (Dec 10)
- Re: Rules updates broken? waldo kitty (Dec 10)
- Re: Rules updates broken? elof (Dec 11)
- Re: Rules updates broken? Joel Esler (jesler) (Dec 11)
- Re: Rules updates broken? Doug Burks (Dec 11)
- Re: Rules updates broken? René Bauer (Dec 11)
- Re: Rules updates broken? Cary Townsend (Dec 12)
- Re: Rules updates broken? Joel Esler (jesler) (Dec 12)
- Re: Rules updates broken? Cary Townsend (Dec 12)
- Re: Rules updates broken? Joel Esler (jesler) (Dec 12)
- Re: Rules updates broken? Cary Townsend (Dec 15)
- Re: Rules updates broken? Joel Esler (jesler) (Dec 15)
- Re: Rules updates broken? elof (Dec 11)
- Re: Rules updates broken? waldo kitty (Dec 10)