search

mateodx / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0
0 stars 0 forks source link

Bluecoat Proxy Issue #154

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago 
What steps will reproduce the problem?
1. Using pulledpork through a Bluecoat proxy.

What is the expected output? What do you see instead?
Download of emerging threats files and process.  Instead, I get the following 
message:

Error 500 when fetching 
https://rules.emergingthreatspro.com/open/snort-2.9.5/emerging.rules.tar.gz.md5 
at /usr/bin/pulledpork.pl line 459

Log entry related to traffic: "NULL character found in the request line from 
<IP Address>"

What version of the product are you using? On what operating system?
PulledPork v0.6.1 - Ubuntu

Please provide any additional information below.
Bluecoat KB: 
https://kb.bluecoat.com/index?page=content&id=FAQ954&cat=PRODUCTS&actp=LIST

"These kinds of messages (found NULL characters) are almost invariably caused 
by non-compliant clients of one kind or another, such as viruses, adware, 
spyware, so it is not generally traffic that should be allowed through."

Original issue reported on code.google.com by travisls...@gmail.com on 4 Apr 2014 at 12:39

GoogleCodeExporter commented 8 years ago 
The last post to this Security Onion thread may point to the issue:  
https://groups.google.com/forum/#!topic/security-onion/vJwNsRQtgX4  

Specifically, a change in LWP causes the SSL connection to be a GET request 
instead of a CONNECT.  This is consistent with what I'm seeing as well.

Original comment by mpilk...@gmail.com on 12 May 2014 at 9:02