Snort mailing list archives

Re: Issue related to Blacklists [SOLVED]


From: Anshuman Anil Deshmukh <anshuman () cybage com>
Date: Thu, 17 Oct 2013 17:35:59 +0000

Hi Russ,



Thanks for the directions. Your inputs helped me to resolve the issue.



Here is what I am able to see after I made changes suggested by you.



(obtained using snort command with switch -T)

Reputation config:

    Processing blacklist file /etc/snort/rules/default.blacklist

    Reputation entries loaded: 2991, invalid: 0, re-defined: 0 (from file /etc/snort/rules/default.blacklist)

    Reputation total memory usage: 4846144 bytes

    Reputation total entries loaded: 2991, invalid: 0, re-defined: 0

    Memcap: 500 (Default) M bytes

    Scan local network: DISABLED (Default)

    Reputation priority:  whitelist(Default)

    Nested IP: inner (Default)

    White action: unblack (Default)

    Shared memory is Not supported.



@Joel,

I will put each IP subnet on an individual line, the way it was configured previously, and then see if I encounter any 
error; I will definitely update this mail thread.



Thanks again Russ and Joel. Appreciate your timely help and guidance.



Anshuman



From: Russ Combs [mailto:rcombs () sourcefire com]
Sent: Thursday, October 17, 2013 7:35 PM
To: Anshuman Anil Deshmukh
Cc: Joel Esler; Snort Users
Subject: Re: [Snort-users] Issue related to Blacklists



Your config is borked.  The output shows:

...

Reputation config:

    Processing blacklist file /etc/snort/rules/snort.rules

      (7) => Invalid address: 'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL ACTIVEX WEB-CLIENT tsuserex.dll COM Object Instantiation Vulnerability"; flow:from_server,established; file_data; content:"E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29"; nocase; distance:0; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=14; classtype:web-application-attack; sid:100000864; rev:7;)'
...

You have snort.rules as a blacklist file.  snort.rules should be included directly in your snort.conf like:

include /etc/snort/rules/snort.rules

And your blacklist file should be some other file with a list of IPs.  See 
http://manual.snort.org/node17.html#SECTION003219000000000000000 for more info.
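To make the point above concrete, here is an added example (not from this thread and not Snort's own code): a short Python linter for a reputation list file. It assumes the list format the Snort manual describes, one IP address or CIDR block per line with '#' starting a comment, and reports anything else in the "(N) => Invalid address: '...'" shape seen in the -T output above. Treating the "re-defined" count as duplicate networks is an assumption, and both sample files are constructed for the example.

```python
"""Lint a Snort reputation preprocessor list file (blacklist or whitelist).

Added example for this thread; not Snort's code and not the Snort project's
tooling. It models the list format the thread and the Snort manual describe:
one IP address or CIDR block per line, '#' starting a comment, nothing else.
Any other line is reported in the shape Snort -T uses:
    (N) => Invalid address: '...'
Assumption: the "re-defined" counter here simply counts duplicate networks.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample 1: a rules file wired in as the blacklist, the mistake
# from the thread. The rule text is shortened and invented for this example.
SAMPLE_RULES_AS_BLACKLIST = """\
# snort.rules mistakenly configured as the reputation blacklist
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE rule"; sid:1000001; rev:1;)
"""

# Constructed sample 2: a well-formed list (documentation prefixes only).
SAMPLE_IP_LIST = """\
# constructed blacklist: one address or CIDR per line
203.0.113.0/24
198.51.100.7
2001:db8::/32   # trailing comments are fine
203.0.113.0/24
"""


def lint_reputation_list(text: str) -> Tuple[int, int, int, List[str]]:
    """Return (loaded, invalid, redefined, messages) for one list file body.

    loaded    - distinct valid networks
    invalid   - lines that are not an IP address or CIDR block
    redefined - valid networks that repeat an earlier line (assumed meaning)
    messages  - one diagnostic per invalid line, Snort -T style
    """
    seen = set()
    loaded = invalid = redefined = 0
    messages: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # strip comment and whitespace
        if not entry:
            continue  # blank or comment-only line
        try:
            # strict=False accepts host bits set, e.g. 198.51.100.7/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            invalid += 1
            messages.append(f"({lineno}) => Invalid address: '{raw.strip()}'")
            continue
        if net in seen:
            redefined += 1
        else:
            seen.add(net)
            loaded += 1
    return loaded, invalid, redefined, messages


def summary_line(text: str) -> str:
    """One-line summary in the wording of Snort's -T reputation report."""
    loaded, invalid, redefined, _ = lint_reputation_list(text)
    return (f"Reputation entries loaded: {loaded}, "
            f"invalid: {invalid}, re-defined: {redefined}")


def looks_like_rules_file(text: str) -> bool:
    """True when no line parses as an address and at least one non-comment
    line starts with a rule action keyword: the file is almost certainly a
    rules file, not a list of IPs, which is the misconfiguration in this thread."""
    actions = ("alert", "log", "pass", "drop", "reject", "sdrop")
    loaded, invalid, _, _ = lint_reputation_list(text)
    starts_with_action = any(
        line.lstrip().startswith(actions)
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    )
    return loaded == 0 and invalid > 0 and starts_with_action


if __name__ == "__main__":
    for name, body in (("rules-as-blacklist", SAMPLE_RULES_AS_BLACKLIST),
                       ("ip-list", SAMPLE_IP_LIST)):
        print(f"== {name}")
        for msg in lint_reputation_list(body)[3]:
            print("   ", msg)
        print("   ", summary_line(body))
        if looks_like_rules_file(body):
            print("    hint: this is a rules file; 'include' it from snort.conf "
                  "and point the reputation blacklist at a list of IPs")
```

Running the linter over a candidate list before wiring it into the reputation preprocessor catches the mix-up before snort -T does; a file where every entry is rejected and the lines begin with rule actions is a rules file that belongs in an include line, not in the blacklist.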





On Thu, Oct 17, 2013 at 2:48 AM, Anshuman Anil Deshmukh <anshuman () cybage com> wrote:

Hi Joel,

Even after putting everything in one line, I am still getting the said errors.

Here is my snort output after making the changes - http://pastebin.com/94yGMJ9v

Thanks and Regards,
Anshuman



-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]

Sent: Wednesday, October 16, 2013 10:32 PM
To: Anshuman Anil Deshmukh
Cc: Snort Users
Subject: Re: [Snort-users] Issue related to Blacklists

Did you try and do it the way I told you first? Let's do the troubleshooting before we start trying to solve a problem.

On Wed, Oct 16, 2013 at 7:08 AM, Anshuman Anil Deshmukh <anshuman () cybage com> wrote:
Hi Joel,



Is it fine if I put "ipvar HOME_NET" on each line, as there is a
reason for it? Basically it would help to audit the list of VLANs
effectively and also appear in a readable format. At times we have new
VLANs created/removed frequently and hence I don't want to accidentally
miss any VLAN, which I feel may happen if all appear in one line.





Thanks and Regards,

Anshuman



From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday, October 15, 2013 7:34 PM
To: Anshuman Anil Deshmukh
Cc: Snort Users
Subject: Re: [Snort-users] Issue related to Blacklists



On Oct 15, 2013, at 1:14 AM, Anshuman Anil Deshmukh <anshuman () cybage com> wrote:



ipvar HOME_NET [172.27.3.0/24,\
172.27.6.0/24,\
172.27.7.0/24,\
172.27.8.0/24,\



Try putting your HOME_NET all in one line instead of trying to do line
continuation.



--
Joel Esler
AEGIS Intelligence Lead
OpenSource Community Manager
Vulnerability Research Team, Sourcefire


"Legal Disclaimer: This electronic message and all contents contain
information from Cybage Software Private Limited which may be
privileged, confidential, or otherwise protected from disclosure. The
information is intended to be for the addressee(s) only. If you are
not an addressee, any disclosure, copy, distribution, or use of the
contents of this message is strictly prohibited. If you have received
this electronic message in error please notify the sender by reply
e-mail to and destroy the original message and all copies. Cybage has
taken every reasonable precaution to minimize the risk of malicious
content in the mail, but is not liable for any damage you may sustain
as a result of any malicious content in this e-mail. You should carry
out your own malicious content checks before opening the e-mail or
attachment." www.cybage.com



--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited 
which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for 
the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this 
message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply 
e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the 
risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious 
content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment."
www.cybage.com<http://www.cybage.com>



------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!