oinkmaster, wget, and HTTPS download of snort rules

Comments Off on oinkmaster, wget, and HTTPS download of snort rules

oinkmaster started complaining like this the other day:

root@enterprise:~>oinkmaster -Q -b /usr/local/etc/snort/backup -o /usr/local/etc/snort/rules

/usr/local/bin/oinkmaster: Error: could not download from https://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2961.tar.gz. Output from wget follows:

 https://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2961.tar.gzResolving www.snort.org (www.snort.org)... 50.19.124.119, 54.225.152.149, 54.243.242.66
Connecting to www.snort.org (www.snort.org)|50.19.124.119|:443... connected.
ERROR: cannot verify www.snort.org's certificate, issued by '/C=US/O=Thawte, Inc./CN=Thawte SSL CA':
  Self-signed certificate encountered.
To connect to www.snort.org insecurely, use `--no-check-certificate'.

Oink, oink. Exiting...

Order was restored once again by adding the following line to .wgetrc in roots home directory:

check_certificate = off

This is not the proper way of handling HTTPS security, but it gets the job done. Previously we used HTTP access for downloading our snort rules, and it’s only recently we were redirected to use HTTPS access.

Update 2014-10-22

oinkmaster suddenly felt ill again, exiting with exit status 8:

root@enterprise:~>oinkmaster -b /usr/local/etc/snort/backup -o /usr/local/etc/snort/rules
Loading /usr/local/etc/oinkmaster.conf
Downloading file from https://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2961.tar.gz...
/usr/local/bin/oinkmaster: Error: could not download from https://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2961.tar.gz. Output from wget follows:

 https://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2961.tar.gzResolving www.snort.org (www.snort.org)... 50.19.124.119, 54.225.152.149, 54.243.242.66
Connecting to www.snort.org (www.snort.org)|50.19.124.119|:443... connected.
WARNING: cannot verify www.snort.org's certificate, issued by '/C=US/O=Thawte, Inc./CN=Thawte SSL CA':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 422 Unprocessable Entity
2014-10-22 08:42:41 ERROR 422: Unprocessable Entity.


Oink, oink. Exiting...
root@enterprise:~>echo $?
8

This time check_certificate = off won’t help at all. Apparantly, wget does not correctly use the Certificate’s Subject Alternative Names (www.snort.org vs snort.org), according to a comment on http://blog.snort.org/2014/07/snort-2962-is-now-available.html.

I have wget 1.15 and OpenSSL 1.0.1j installed. I just reconfigured wget to link with GnuTLS 3.2.19, recompiled and reinstalled wget, and this is no better combination than linking wget with OpenSSL. :-/

Update 2019-10-05

I’ve succumbed to peer pressure. Here’s a link to a Snort cheat sheet made by Comparitech Limited based in the UK. I am in no way affiliated with nor sponsored by Comparitech Limited.

#notsponsored