Snort mailing list archives

Re: PulledPork 500 error


From: Dave Corsello <snort-users () wintertreemedia com>
Date: Sun, 13 Apr 2014 00:10:36 -0400

My apologies.  I can't find the IP address in any backup of the IP
blacklist.  I assumed the address must have been in the blacklist
because of the following alerts in BASE:

        #4-(2-1375) <http://base2.wintertreemedia.com/base_qry_alert.php?submit=%234-%282-1375%29&sort_order=time_a>
        [snort <http://www.snort.org/search/sid/136-1>] reputation: Packet is blacklisted
        2014-04-11 XX:XX:XX
        XX.XX.XX.XX <http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=10.20.60.6&netmask=32>:56579
        23.23.165.79 <http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=23.23.165.79&netmask32>:443
        TCP

        #5-(2-1376) <http://base2.wintertreemedia.com/base_qry_alert.php?submit=%235-%282-1376%29&sort_order=time_a>
        [snort <http://www.snort.org/search/sid/136-1>] reputation: Packet is blacklisted
        2014-04-11 XX:XX:XX
        XX.XX.XX.XX <http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=10.20.60.6&netmask=32>:56579
        23.23.165.79 <http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=23.23.165.79&netmask32>:443
        TCP

        #6-(1-45791) <http://base2.wintertreemedia.com/base_qry_alert.php?submit=%236-%281-45791%29&sort_order=time_a>
        [snort <http://www.snort.org/search/sid/136-1>] reputation: Packet is blacklisted
        2014-04-11 XX:XX:XX
        XX.XX.XX.XX <http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=10.20.60.6&netmask=32>:43678
        23.23.165.79 <http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=23.23.165.79&netmask32>:443
        TCP

        #7-(1-45792) <http://base2.wintertreemedia.com/base_qry_alert.php?submit=%237-%281-45792%29&sort_order=time_a>
        [snort <http://www.snort.org/search/sid/136-1>] reputation: Packet is blacklisted
        2014-04-11 XX:XX:XX
        XX.XX.XX.XX <http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=10.20.60.6&netmask=32>:43678
        23.23.165.79 <http://base2.wintertreemedia.com/base_stat_ipaddr.php?ip=23.23.165.79&netmask32>:443
        TCP


Internal IPs and times are obscured.  It appears that neither source nor
destination IPs should have been blacklisted, but BASE reports them as
having been blacklisted by Snort.  The packets were dropped;  the times
and internal IPs correspond to the failed pulledpork jobs.

On 4/12/2014 9:28 AM, Joel Esler (jesler) wrote:
The ip blacklist?

--
Joel Esler
Sent from my iPhone

On Apr 12, 2014, at 7:05, "Dave Corsello" <snort-users () wintertreemedia com> wrote:

The problem is that the IP address of the Amazon server from which
PulledPork pulls VRT rules was added by VRT to the default blacklist. 
Any ideas why they might have done this?


On 4/11/2014 2:20 PM, waldo kitty wrote:
On 4/11/2014 10:41 AM, Dave Corsello wrote:
I got the following error in PulledPork last night:  "A 500 error
occurred, please verify that you have recently updated your root
certificates!"  I made no changes.  Any ideas what might be happening?

"root certificates" sounds like ssl certificates... heartbleed... wanna bet that
some certificates have been updated during heartbleed remediation and you now
need to update the certificates your system(s) use...

------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment 
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
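
Added example, not part of the original thread or of Snort/PulledPork: a text search for a literal address in a backup of the IP blacklist will not find it when the list covers it through a CIDR entry, so this check tests each entry for containment instead. It assumes a plain-text list with one IP or CIDR per line and `#` comments; the sample entries, including the /16 that covers the thread's address, are constructed for the demonstration and are not taken from any real list.

```python
import ipaddress

# Constructed sample list (NOT a real blacklist): one IP or CIDR per line,
# '#' starts a comment. The 23.23.0.0/16 entry is made up so that the
# address from the thread is covered by a CIDR block rather than listed
# literally.
SAMPLE_BLACKLIST = """\
# constructed sample entries
198.51.100.7
203.0.113.0/24   # inline comment
23.23.0.0/16
not-an-address
2001:db8::/32
"""

def parse_entries(text):
    """Yield (line_no, network) for each valid entry; skip comments and junk."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts entries with host bits set, e.g. 10.1.2.3/8
            yield line_no, ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # malformed line: ignore it rather than abort the scan

def covering_entries(ip, text):
    """Return [(line_no, cidr)] for every list entry that contains ip."""
    addr = ipaddress.ip_address(ip)
    return [(n, str(net)) for n, net in parse_entries(text)
            if net.version == addr.version and addr in net]

if __name__ == "__main__":
    # In practice, read each backup of the list file and pass its text here.
    for ip in ("23.23.165.79", "192.0.2.10"):
        hits = covering_entries(ip, SAMPLE_BLACKLIST)
        print(ip, "->", hits if hits else "not covered by any entry")
```

Running the same check against the whitelist file shows whether an override entry exists for an address that a blacklist entry covers.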
