Snort mailing list archives

Pulledpork error at blacklist download


From: David Corsello <snort-users () wintertreemedia com>
Date: Wed, 2 May 2018 13:13:52 -0400

Much of this is related more to Linux than to Snort, but I'm hoping someone
can offer help.

I purchased a mini PC with decent specs to use as a Snort sensor.  The one
limitation that I missed prior to purchase is that the highest version of
Ubuntu that it supports is 12.04.1.  That OS is now installed.  Snort
2.9.11.1 is installed and running.  Pulledpork fails at the blacklist
download.

Pulledpork.conf contains the following:

rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLACKLIST|oinkcodexxxxxxxxxxxxxxxxxxxxxx

When run, it gives the following error:

IP Blacklist download of https://talosintelligence.com/documents/ip-blacklist....
** GET https://talosintelligence.com/documents/ip-blacklist ==> 500 Can't connect to talosintelligence.com:443
Error downloading https://talosintelligence.com/documents/ip-blacklist: 500 Can't connect to talosintelligence.com:443 [ 500 ]


GET from the command line gives the following error:

root@IPS:~# GET "https://talosintelligence.com/documents/ip-blacklist|IPBLACKLIST|oinkcodexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Can't connect to talosintelligence.com:443

LWP::Protocol::https::Socket: SSL connect attempt failed with unknown errorerror:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version at /usr/share/perl5/LWP/Protocol/http.pm line 51.Unable to establish SSL connection.


Upgrading openssl to ver. 1.0.2o didn't fix this.  I'm researching if it's
possible to upgrade libwww-perl from ver 6.03 on Ubuntu 12.04.

Any other suggestions?

As a workaround, I tried to download the blacklist to an intermediate,
hosted server, from which I would then have downloaded to the sensor using
pulledpork.  When I ran the GET command on the hosted server, I got the
message:

"The owner of this website (talosintelligence.com) has banned your access
based on your browser's signature (414c086aabdc2312-ua24)."

Does this mean that the oinkcode is now permanently banned from downloading
the blacklist, or was only this access blocked?

Thanks.
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
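The handshake error quoted in the post is a legacy OpenSSL error string, and its reason code says which side refused: the low 12 bits of 1407742E are 0x42E = 1070, which OpenSSL uses for "received TLS alert 70", the protocol_version alert, so the server accepted none of the TLS versions the old libwww-perl/IO::Socket::SSL stack offered. The following Python script is an added example (not the poster's code and not part of Snort or PulledPork) that decodes such a string and, with network access, probes which TLS versions a server accepts; the small alert-name table and the `probe_server` helper are my own.

```python
import re
import socket
import ssl

# Legacy OpenSSL error string: error:<8 hex>:<library>:<function>:<reason>. The low
# 12 bits of the code are the reason; a received TLS alert is reported as 1000 + alert.
OPENSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:\n]*)")
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca", 70: "protocol_version", 80: "internal_error"}

def parse_openssl_error(text):
    """Extract the OpenSSL error from an LWP message; None if the message has none."""
    m = OPENSSL_ERR_RE.search(text)
    if m is None:
        return None
    code = int(m.group(1), 16)
    reason_code = code & 0xFFF
    alert = reason_code - 1000 if reason_code >= 1000 else None
    reason = re.split(r"\s+at\s+\S+\s+line\s+\d+", m.group(4))[0].strip()  # drop Perl's "at FILE line N"
    return {"code": code, "library": m.group(2), "function": m.group(3),
            "reason": reason, "alert": alert, "alert_name": TLS_ALERTS.get(alert)}

def diagnose(text):
    """Turn the failure into a cause a sensor admin can act on."""
    err = parse_openssl_error(text)
    if err is None:
        return "no OpenSSL error in message; not a TLS handshake problem"
    if err["alert"] == 70:
        return ("server sent protocol_version alert: it accepts none of the TLS versions "
                "the client offered; the client-side SSL stack needs TLS 1.2 support")
    if err["alert"] is not None:
        return f"server sent TLS alert {err['alert_name'] or err['alert']} during {err['function']}"
    return f"local OpenSSL failure in {err['function']}: {err['reason']}"

def probe_server(host, port=443, timeout=5):
    """One handshake per TLS version; needs network access, so it is not part of the self-test."""
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = ctx.maximum_version = ver   # pin the handshake to exactly one version
            with socket.create_connection((host, port), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                results[ver.name] = "accepted (%s)" % tls.version()
        except (OSError, ValueError) as exc:   # ssl.SSLError and socket errors subclass OSError
            results[ver.name] = "rejected: " + exc.__class__.__name__
    return results

# Constructed copy of the error text quoted in the post above.
QUOTED_ERROR = ("SSL connect attempt failed with unknown errorerror:1407742E:SSL routines:"
                "SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version at /usr/share/perl5/LWP/Protocol/http.pm line 51.")
```

`diagnose(QUOTED_ERROR)` reports the protocol_version alert; `probe_server("talosintelligence.com")` then shows which versions the server still accepts, which tells you whether the fix belongs on the sensor's Perl SSL stack rather than in pulledpork.conf.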
