Quantalytics / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0

Pulledpork Doing HTTP GET for SSL/TLS Site Instead of HTTP CONNECT - Getting 400 Error on Proxy Connection #174

Open GoogleCodeExporter opened 9 years ago

Environment/Background

- Redhat Enterprise Linux 7.1 with yum update ran and all updates applied as of 4-26-2015

- Running Pulledpork 0.7.0 with all needed PAM modules per FAQ (SSLeay, etc.).

FAQ followed: https://code.google.com/p/pulledpork/wiki/FAQ

- Set proxy in /etc/profile (as I always do) and syntax is exactly as prescribed in https://code.google.com/p/pulledpork/wiki/FAQ. Also did export after logging back in to ensure the proxy variable actually applied to my new session. Able to do wget via proxy.

- Verified pulledpork.conf is calling an HTTPS URL (which is default anyway) for VRT/Talos rules

What steps will reproduce the problem?
1. ./pulledpork.pl -c /etc/snort/pulledpork.conf

What is the expected output? What do you see instead?
- I expect it to download the tgz after verifying the MD5 hash like 0.6.1 did
- However, I get the following message instead:

Checking latest MD5 for snortrules-snapshot-2972.tar.gz....
Error 400 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2972.tar.gz.md5 at ./pulledpork.pl line 463.
        main::md5file('R-E-M-O-V-E-D', 'snortrules-snapshot-2972.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at ./pulledpork.pl line 1847

Please provide any additional information below.

- Fact 1: My proxy log shows that instead of doing an HTTP CONNECT method for the HTTPS connection, pulledpork is doing an HTTP GET instead. Therefore, my proxy is giving back the 400 message to the client (bad request).

"[26/Apr/2015:22:45:48 +0800]" 400 1420 TCP_NC_MISS 237 1311 11.22.33.44 38875 "PROXY1" 80 104.20.17.171 443 https GET www.snort.org /reg-rules/snortrules-snapshot-2972.tar.gz.md5/R-E-M-O-V-E-D - "Technology/Internet" - "PulledPork v0.7.0 - Swine Flu!"

Therefore:

How can I get pulledpork to do a standard HTTP CONNECT method for SSL/TLS content vs. the HTTP GET, which is incorrect for SSL/TLS content via an explicit proxy?

This worked just fine in 0.6.1, but I am setting up a new IDS box and went with the latest version.

Also, THANK YOU for giving your time on this project. VERY happy to have this tool but just need to get it to work again on the new version.

Original issue reported on code.google.com by davesp...@gmail.com on 26 Apr 2015 at 2:54
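The log line quoted in the report is the signature a proxy administrator can hunt for: a client asking the proxy for an https:// resource with a plain GET (which also hands the proxy the full URL path, including the value the reporter redacted) instead of opening a CONNECT tunnel. The following is an added example, not code from the issue or from pulledpork; it assumes the field order of the single log line above and uses constructed sample lines.

```python
import shlex
from dataclasses import dataclass
from typing import List

# Constructed sample lines modelled on the layout of the line in the report
# (addresses, sizes and the second/third entries are made up for illustration).
SAMPLE_LOG = """\
"[26/Apr/2015:22:45:48 +0800]" 400 1420 TCP_NC_MISS 237 1311 11.22.33.44 38875 "PROXY1" 80 104.20.17.171 443 https GET www.snort.org /reg-rules/snortrules-snapshot-2972.tar.gz.md5/R-E-M-O-V-E-D - "Technology/Internet" - "PulledPork v0.7.0 - Swine Flu!"
"[26/Apr/2015:22:46:02 +0800]" 200 3400 TCP_TUNNELED 500 2900 11.22.33.45 40211 "PROXY1" 80 104.20.17.171 443 tcp CONNECT www.snort.org / - "Technology/Internet" - "Wget/1.14"
"[26/Apr/2015:22:46:10 +0800]" 200 1200 TCP_NC_MISS 300 900 11.22.33.46 40300 "PROXY1" 80 93.184.216.34 80 http GET example.org /index.html - "Technology/Internet" - "curl/7.29.0"
"""

@dataclass
class ProxyEntry:
    timestamp: str
    status: int
    client_ip: str
    server_port: int
    scheme: str
    method: str
    host: str
    path: str
    user_agent: str

def parse_line(line: str) -> ProxyEntry:
    """Split one access-log line; quoted fields stay intact via shlex.
    Field positions are an assumption taken from the reported line."""
    f = shlex.split(line)
    if len(f) != 20:
        raise ValueError(f"unexpected field count {len(f)}: {line!r}")
    return ProxyEntry(timestamp=f[0], status=int(f[1]), client_ip=f[6],
                      server_port=int(f[11]), scheme=f[12], method=f[13],
                      host=f[14], path=f[15], user_agent=f[19])

def find_plaintext_tls_requests(log_text: str) -> List[ProxyEntry]:
    """Return entries where a client asked for an https:// target (or port 443)
    with an ordinary method instead of CONNECT. Such a request exposes the whole
    URL to the proxy and is rejected (400) by proxies that only tunnel TLS."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        tls_target = e.scheme == "https" or e.server_port == 443
        if tls_target and e.method != "CONNECT":
            findings.append(e)
    return findings

if __name__ == "__main__":
    for e in find_plaintext_tls_requests(SAMPLE_LOG):
        print(f"{e.timestamp} {e.client_ip} {e.method} {e.scheme}://{e.host}{e.path} "
              f"-> {e.status} ({e.user_agent})")
```

Only the PulledPork line is reported: the Wget entry used CONNECT correctly, and the plain-HTTP curl entry is not a TLS target.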