Snort mailing list archives
Re: Get Invalid Configuration in blacklist.rules when restart Snort
From: Stephen Gantz <stephen.gantz () faculty umuc edu>
Date: Mon, 6 Oct 2014 10:21:27 -0400
Don't confuse blacklist.rules (one of the VRT rules files) with the blacklist of IP addresses referenced in your reputation preprocessor. It looks like you may have edited blacklist.rules instead of the black_list.rules file referenced by default by the preprocessor in snort.conf. Bear in mind that black_list.rules does not exist when you install Snort - you have to create it (and the white_list.rules file too if you are using a whitelist). I tell my students to choose a different name for the blacklist file (the one with the IP addresses) to try to avoid exactly this confusion.

Dr. Stephen D. Gantz CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu
On Oct 6, 2014, at 8:56 AM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

> On Oct 6, 2014, at 1:38 AM, Jutichai Thongkrachai <thsecmaniac () gmail com> wrote:
>
>> Hello,
>>
>> Before I have a problem, I installed pulledpork for getting the latest rule from snort. After that I restart snort but get this error:
>>
>> Oct 06 12:25:55 snort[25714]: Detection:
>> Oct 06 12:25:55 snort[25714]: Search-Method = AC-Full-Q
>> Oct 06 12:25:55 snort[25714]: Split Any/Any group = enabled
>> Oct 06 12:25:55 snort[25714]: Search-Method-Optimizations = enabled
>> Oct 06 12:25:55 snort[25714]: Maximum pattern length = 20
>> Oct 06 12:25:55 snort[25714]: FATAL ERROR: /etc/snort/rules/blacklist.rules(1) Invalid configuration line: 1.122.106.236
>> Oct 06 12:25:55 snort[25709]: [33B blob data]
>> Oct 06 12:25:55 systemd[1]: snort.service: control process exited, code=exited status=1
>> Oct 06 12:25:55 systemd[1]: Failed to start LSB: Start up the SNORT Intrusion Detection System daemon.
>>
>> but in the blacklist.rules, there are just ip address per line only
>>
>> <trim digest>
>
> Looks like you aren’t loading the blacklist as a blacklist inside the preprocessor. It appears Snort is trying to load the Blacklist as a configuration option or something. Can you attach your snort.conf?
>
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
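The mix-up discussed in this thread, as an added example that is not part of any poster's message or of Snort itself: a Python check that reads a snort.conf text, confirms the files named by the reputation preprocessor exist, and flags any `include`d rules file that contains only IP addresses. The config fragment, the file paths, the second IP address and the function names are constructed assumptions.

```python
import ipaddress
import re

# Constructed snort.conf fragment (assumed paths), following the stock Snort 2.9 layout.
SNORT_CONF = r"""
var RULE_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/blacklist.rules
"""

# Constructed state: IPs typed into blacklist.rules, black_list.rules never created.
FILES = {"/etc/snort/rules/blacklist.rules": "1.122.106.236\n203.0.113.7\n"}

def is_ip_entry(line):
    """True if the line is a bare IPv4/IPv6 address or CIDR block."""
    try:
        ipaddress.ip_network(line.split("#")[0].strip(), strict=False)
        return True
    except ValueError:
        return False

def audit(conf, files):
    """Return findings for a snort.conf text and a {path: content} mapping."""
    conf = conf.replace("\\\n", " ")  # join backslash-continued lines
    variables = dict(re.findall(r"^\s*(?:ip|port)?var\s+(\S+)\s+(\S+)", conf, re.M))

    def expand(path):
        return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), path)

    findings = []
    for line in map(str.strip, conf.splitlines()):
        if line.startswith("preprocessor reputation"):
            # IP lists that the reputation preprocessor loads
            for kind, path in re.findall(r"\b(blacklist|whitelist)\s+([^\s,]+)", line):
                if expand(path) not in files:
                    findings.append(f"{kind} file {expand(path)} is missing")
        elif line.startswith("include "):
            # Rules files: bare IP lines here are not valid rule syntax
            path = expand(line.split(None, 1)[1])
            body = [l for l in files.get(path, "").splitlines()
                    if l.strip() and not l.lstrip().startswith("#")]
            if body and all(is_ip_entry(l) for l in body):
                findings.append(f"{path} is included as rules but holds only IP addresses")
    return findings
print("\n".join(audit(SNORT_CONF, FILES)))
```

To run it against a live sensor, build the `files` mapping by reading each path from disk instead of using the constructed dictionary.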
Current thread:
- Get Invalid Configuration in blacklist.rules when restart Snort Jutichai Thongkrachai (Oct 05)
- Re: Get Invalid Configuration in blacklist.rules when restart Snort Joel Esler (jesler) (Oct 06)
- Re: Get Invalid Configuration in blacklist.rules when restart Snort Stephen Gantz (Oct 06)
- Re: Get Invalid Configuration in blacklist.rules when restart Snort Joel Esler (jesler) (Oct 06)
- Re: Get Invalid Configuration in blacklist.rules when restart Snort Stephen Gantz (Oct 06)
- <Possible follow-ups>
- Re: Get Invalid Configuration in blacklist.rules when restart Snort Jutichai Thongkrachai (Oct 06)
- Re: Get Invalid Configuration in blacklist.rules when restart Snort Jutichai Thongkrachai (Oct 07)
- Re: Get Invalid Configuration in blacklist.rules when restart Snort Joel Esler (jesler) (Oct 06)