Snort mailing list archives
Re: IP REP / Pulled Pork / Snort Difficulties
From: Y M <snort () outlook com>
Date: Thu, 6 Mar 2014 17:00:43 +0000
Hi Bradley;

What I have noticed is that the ability to process IP lists "offline"/locally as PulledPork would with rulesets does not seem to be implemented. If it is, then both of us are making the same mistake :). What I do is that I run PulledPork twice, once against the configs to process rulesets locally, and the second time against configs to only fetch the IP list and process it.

YM
From: bturnbough () belcan com
To: snort-users () lists sourceforge net
Date: Thu, 6 Mar 2014 16:44:39 +0000
Subject: [Snort-users] IP REP / Pulled Pork / Snort Difficulties

Good Morning,

I'm having some difficulties getting the IP reputation piece up and working the way that I want it. Can someone please correct me where I am wrong?

PulledPork 0.7.0
Snort 2.9.5.5

PulledPork configuration:

    rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
    black_list=/etc/snort/rules/black_list-p2p1.rules
    IPRVersion=/etc/snort/rules/

Snort configuration:

    var WHITE_LIST_PATH rules
    var BLACK_LIST_PATH rules

    preprocessor reputation: \
        memcap 500, \
        priority whitelist, \
        nested_ip inner, \
        # whitelist $WHITE_LIST_PATH/white_list-p2p1.rules, \
        blacklist $BLACK_LIST_PATH/black_list-p2p1.rules

I have a cron script that downloads the IP list every night at a predetermined time:

    wget -v http://labs.snort.org/feeds/ip-filter.blf -O /opt/pulledpork/tmp/sigs/IPBLACKLIST

The machine has multiple interfaces, so I only want to download the file once and then process from that downloaded copy for all interfaces. PulledPork is run with '-P' so that rules are processed even though they weren't downloaded, and '-n' ("do everything other than download of new files (disablesid, etc)").

So, the steps would be:

1) download the file and place it in /opt/pulledpork/tmp/sigs/IPBLACKLIST
2) run PulledPork and process the rules / IP lists
3) PP then generates an IP blacklist file called 'black_list-p2p1.rules' and places it in /etc/snort/rules/black_list-p2p1.rules

Everything except for this IP reputation is working properly, and has been working properly for some time. Does anyone have a clue why this isn't working?

Thanks,
Brad

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
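A sanity check that fits between step 3 and a Snort reload: confirm that the generated black_list-p2p1.rules (or the downloaded IPBLACKLIST feed) is non-empty and holds only what the reputation preprocessor reads, one IPv4 address or IPv4/CIDR block per line with '#' comments. This is an added example, not code from the thread, PulledPork or Snort; the function name check_replist and the constructed sample lines are assumptions, and the check covers the IPv4 forms only.

```bash
#!/bin/sh
# Added example, not from the thread or from PulledPork/Snort.
# check_replist FILE: exit 0 if FILE is a well-formed, non-empty reputation
# list (IPv4 or IPv4/CIDR per line, '#' comments, blank lines allowed),
# exit 1 otherwise, printing the offending lines on stderr.
check_replist() {
    file="$1"
    [ -s "$file" ] || { echo "empty or missing list: $file" >&2; return 1; }
    awk '
      # one octet: digits only, 0..255
      function ok_octet(o) { return (o ~ /^[0-9]+$/ && length(o) <= 3 && o + 0 <= 255) }
      # dotted quad of four valid octets
      function ok_ip(ip,   o) {
        if (split(ip, o, ".") != 4) return 0
        return ok_octet(o[1]) && ok_octet(o[2]) && ok_octet(o[3]) && ok_octet(o[4])
      }
      {
        sub(/#.*/, "")                  # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "")     # trim whitespace
        if ($0 == "") next              # blank or comment-only line
        n = split($0, p, "/")
        valid = (n == 1 && ok_ip(p[1])) ||
                (n == 2 && ok_ip(p[1]) && p[2] ~ /^[0-9]+$/ && p[2] + 0 <= 32)
        if (valid) good++
        else { bad++; printf "bad entry at line %d: %s\n", NR, $0 > "/dev/stderr" }
      }
      END {
        printf "%s: %d valid entries, %d bad\n", FILENAME, good, bad
        exit (bad > 0 || good == 0)
      }
    ' "$file"
}

# Demo on a constructed sample (RFC 5737 documentation addresses, not a real feed).
sample=$(mktemp)
printf '# constructed sample list\n192.0.2.1\n198.51.100.0/24\n203.0.113.7 # inline note\n\n' > "$sample"
check_replist "$sample"
printf '192.0.2.1\n999.1.1.1\n198.51.100.0/33\n' > "$sample"
check_replist "$sample" || echo "malformed list rejected as expected"
rm -f "$sample"
```

Run it from the cron job right after PulledPork writes the blacklist, and skip the Snort reload when it returns non-zero; a zero-entry file is the usual symptom when the list was never processed.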
Current thread:
- IP REP / Pulled Pork / Snort Difficulties Turnbough, Bradley E. (Mar 06)
- Re: IP REP / Pulled Pork / Snort Difficulties Y M (Mar 06)
- Re: IP REP / Pulled Pork / Snort Difficulties Anshuman Anil Deshmukh (Mar 07)
- Re: IP REP / Pulled Pork / Snort Difficulties Y M (Mar 07)
- Re: IP REP / Pulled Pork / Snort Difficulties Turnbough, Bradley E. (Mar 10)
- Re: IP REP / Pulled Pork / Snort Difficulties Joel Esler (jesler) (Mar 10)
- Re: IP REP / Pulled Pork / Snort Difficulties Anshuman Anil Deshmukh (Mar 07)
- Re: IP REP / Pulled Pork / Snort Difficulties Y M (Mar 06)