Snort mailing list archives
Re: Get Invalid Configuration in blacklist.rules when restart Snort
From: Jutichai Thongkrachai <thsecmaniac () gmail com>
Date: Mon, 6 Oct 2014 20:18:26 +0700
To Joel,

Here you are:

# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# If you are using reputation preprocessor set these
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules

# site specific rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/blacklist.rules

2014-10-06 19:56 GMT+07:00 Joel Esler (jesler) <jesler () cisco com>:
On Oct 6, 2014, at 1:38 AM, Jutichai Thongkrachai <thsecmaniac () gmail com> wrote:

Hello,

Before I have a problem, I installed pulledpork for getting the latest rule from snort. After that I restart snort but get this error:

Oct 06 12:25:55 snort[25714]: Detection:
Oct 06 12:25:55 snort[25714]: Search-Method = AC-Full-Q
Oct 06 12:25:55 snort[25714]: Split Any/Any group = enabled
Oct 06 12:25:55 snort[25714]: Search-Method-Optimizations = enabled
Oct 06 12:25:55 snort[25714]: Maximum pattern length = 20
Oct 06 12:25:55 snort[25714]: FATAL ERROR: /etc/snort/rules/blacklist.rules(1) Invalid configuration line: 1.122.106.236
Oct 06 12:25:55 snort[25709]: [33B blob data]
Oct 06 12:25:55 systemd[1]: snort.service: control process exited, code=exited status=1
Oct 06 12:25:55 systemd[1]: Failed to start LSB: Start up the SNORT Intrusion Detection System daemon.

but in the blacklist.rules, there are just ip address per line only

<trim digest>

Looks like you aren’t loading the blacklist as a blacklist inside the preprocessor. It appears Snort is trying to load the Blacklist as a configuration option or something.

Can you attach your snort.conf?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
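A check for the condition described in the quoted reply, as an added example that is not part of the original thread: it walks a snort.conf, expands `var` references, and flags any file pulled in with `include` whose first entry is a bare IP address or CIDR block, which Snort would parse as a rule or configuration line. The function names and the in-memory `files` mapping (path to contents) are assumptions made so the example runs offline; the sample data is constructed from the configuration and log in the message.

```python
import ipaddress
import re

def resolve(path, variables):
    """Expand $NAME references using the table built from 'var' lines."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), path)

def is_ip_entry(line):
    """True if the line (minus any trailing comment) is a bare IP or CIDR."""
    try:
        ipaddress.ip_network(line.split("#")[0].strip(), strict=False)
        return True
    except ValueError:
        return False

def first_entry(text):
    """First non-blank, non-comment line of a file, or None."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            return line
    return None

def misloaded_ip_lists(conf_text, files):
    """Paths loaded via 'include' whose content looks like an IP list."""
    variables, flagged = {}, []
    for raw in conf_text.splitlines():
        parts = raw.split()
        if len(parts) >= 3 and parts[0] in ("var", "ipvar", "portvar"):
            variables[parts[1]] = parts[2]
        elif len(parts) == 2 and parts[0] == "include":
            path = resolve(parts[1], variables)
            entry = first_entry(files.get(path, ""))
            if entry and is_ip_entry(entry):
                flagged.append(path)
    return flagged

# Constructed sample, trimmed from the configuration in the message.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/blacklist.rules
"""
# Constructed file contents; the IP is the one shown in the error log.
SAMPLE_FILES = {
    "/etc/snort/rules/local.rules": 'alert icmp any any -> any any (msg:"test"; sid:1000001;)\n',
    "/etc/snort/rules/blacklist.rules": "1.122.106.236\n",
}

if __name__ == "__main__":
    for path in misloaded_ip_lists(SAMPLE_CONF, SAMPLE_FILES):
        print(f"{path}: IP list loaded with 'include' (parsed as rules)")
```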