Snort mailing list archives

Re: Pulledpork error at blacklist download


From: David Corsello <snort-users () wintertreemedia com>
Date: Wed, 2 May 2018 14:17:02 -0400

Please disregard this question.  I was able to download a blacklist
manually for testing.  I found that the latency is too high with this
machine, so we're going to need something with a faster processor that can
support a newer OS.

On Wed, May 2, 2018 at 1:13 PM, David Corsello <snort-users () wintertreemedia com> wrote:

Much of this is related more to Linux than to Snort, but I'm hoping
someone can offer help.

I purchased a mini PC with decent specs to use as a Snort sensor.  The one
limitation that I missed prior to purchase is that the highest version of
Ubuntu that it supports is 12.04.1.  That OS is now installed.  Snort
2.9.11.1 is installed and running.  Pulledpork fails at the blacklist
download.

Pulledpork.conf contains the following:

rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLACKLIST|oinkcodexxxxxxxxxxxxxxxxxxxxxx

When run, it gives the following error:

IP Blacklist download of https://talosintelligence.com/documents/ip-blacklist....
** GET https://talosintelligence.com/documents/ip-blacklist ==> 500 Can't connect to talosintelligence.com:443
Error downloading https://talosintelligence.com/documents/ip-blacklist: 500 Can't connect to talosintelligence.com:443 [ 500 ]

GET from the command line gives the following error:

root@IPS:~# GET "https://talosintelligence.com/documents/ip-blacklist|IPBLACKLIST|oinkcodexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Can't connect to talosintelligence.com:443

LWP::Protocol::https::Socket: SSL connect attempt failed with unknown errorerror:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version at /usr/share/perl5/LWP/Protocol/http.pm line 51.
Unable to establish SSL connection.


Upgrading openssl to ver. 1.0.2o didn't fix this.  I'm researching if it's
possible to upgrade libwww-perl from ver 6.03 on Ubuntu 12.04.

Any other suggestions?

As a workaround, I tried to download the blacklist to an intermediate,
hosted server, from which I would then have downloaded to the sensor using
pulledpork.  When I ran the GET command on the hosted server, I got the
message:

"The owner of this website (talosintelligence.com) has banned your access
based on your browser's signature (414c086aabdc2312-ua24)."

Does this mean that the oinkcode is now permanently banned from
downloading the blacklist, or was only this access blocked?

Thanks.

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
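The decisive line in the quoted message is the packed OpenSSL error code (error:1407742E:...:tlsv1 alert protocol version). The following script is an added example, not code from the poster or from the pulledpork project: it unpacks such a code into its library, function and reason fields, and, where the reason is a TLS alert, recovers the alert number the remote server sent. The layout (library in the top 8 bits, function in the next 12, reason in the low 12), ERR_LIB_SSL = 20 and SSL_AD_REASON_OFFSET = 1000 are OpenSSL 1.0.x's own definitions; the alert names come from RFC 5246 section 7.2.2. The first sample string is the thread's error line unwrapped; the second is a constructed certificate-verification failure included for contrast. The function names decode_openssl_error and diagnose are this example's own.

```python
import re

# OpenSSL 1.0.x packs each error as ERR_PACK(lib, func, reason):
#   bits 31..24 = library, bits 23..12 = function, bits 11..0 = reason.
ERR_LIB_SSL = 20              # the library printed as "SSL routines"
SSL_AD_REASON_OFFSET = 1000   # SSL_R_*_ALERT_* reasons = 1000 + TLS alert description

# TLS alert descriptions from RFC 5246 section 7.2.2 (the ones seen in handshakes).
TLS_ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
}

# error:<8 hex digits>:<library name>:<function name>:<reason text ...>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)")


def decode_openssl_error(text):
    """Parse the first OpenSSL error string in `text` and unpack its code.

    Returns None when no error string is present. Otherwise returns a dict with
    the numeric fields, the textual fields, and `peer_alert`: the (number, name)
    of the TLS alert the remote side sent, or None when the failure was local.
    """
    m = ERR_RE.search(text)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib = code >> 24
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    # The reason text runs until Perl's " at <file> line <n>." suffix, if any.
    reason_text = re.split(r"\s+at\s+\S+\s+line\s+\d+", m.group(4))[0].strip()
    peer_alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        peer_alert = (number, TLS_ALERT_DESCRIPTIONS.get(number, "unknown"))
    return {
        "code": code, "lib": lib, "func": func, "reason": reason,
        "lib_name": m.group(2), "func_name": m.group(3),
        "reason_text": reason_text, "peer_alert": peer_alert,
    }


def diagnose(text):
    """One-line reading of the failure for someone triaging a sensor."""
    info = decode_openssl_error(text)
    if info is None:
        return "no OpenSSL error string found"
    if info["peer_alert"] is None:
        return "local TLS failure ({}); the server did not reject us".format(
            info["reason_text"])
    number, name = info["peer_alert"]
    if name == "protocol_version":
        return ("server sent alert {} ({}): it accepts none of the TLS versions "
                "this client offered; the client TLS stack is too old"
                .format(number, name))
    return "server sent alert {} ({})".format(number, name)


# Constructed samples: the first is the line quoted in the thread (unwrapped),
# the second is a common local verification failure used here for contrast.
SAMPLE_PROTOCOL_VERSION = (
    "LWP::Protocol::https::Socket: SSL connect attempt failed with unknown "
    "errorerror:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert "
    "protocol version at /usr/share/perl5/LWP/Protocol/http.pm line 51."
)
SAMPLE_VERIFY_FAILED = (
    "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:"
    "certificate verify failed"
)

if __name__ == "__main__":
    for sample in (SAMPLE_PROTOCOL_VERSION, SAMPLE_VERIFY_FAILED):
        print(diagnose(sample))
```

For the thread's line the reason field decodes to 1070, which is 1000 + 70: alert 70 is protocol_version, so the server answered the ClientHello by refusing every protocol version the client offered. That distinguishes this failure from a local one (certificate verification, missing CA bundle), where the reason sits below 1000 and no alert from the peer is involved; the fix for an alert-70 failure lies on the client side of the handshake, in the TLS library the HTTP client links against.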