Snort mailing list archives
Re: SNORT + PulledPork: FATAL ERROR: ... Invalid configuration line
From: RŌNIN <correo.cuervo () gmail com>
Date: Sat, 20 Dec 2014 22:18:48 -0500
Hi to everyone:

Checking my snort.conf file, I found this:

    [root@snortest ~]# grep -ir "black" /etc/snort/snort.conf
    #var BLACK_LIST_PATH ../rules
    var BLACK_LIST_PATH /etc/snort/rules
    blacklist $BLACK_LIST_PATH/black_list.rules
    include $RULE_PATH/blacklist.rules
    [root@snortest ~]#

And checking my pulledpork.conf file, I found this:

    [root@snortest ~]# grep -ir "black" /etc/snort/pulledpork.conf
    # NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
    # This format MUST be followed to let pulledpork know that this is a blacklist
    rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
    # want to tell pulledpork where your blacklist file lives, PP automagically will
    black_list=/etc/snort/rules/blacklist.rules
    # This should be the same path where your black_list lives!
    [root@snortest ~]#

Checking the files:

    [root@snortest ~]# file /etc/snort/rules/black_list.rules
    /etc/snort/rules/black_list.rules: empty
    [root@snortest ~]# file /etc/snort/rules/blacklist.rules
    /etc/snort/rules/blacklist.rules: ASCII text
    [root@snortest ~]#

Messages from console:

    [root@snortest ~]# pulledpork.pl -vv -c /etc/snort/pulledpork.conf -T -l

          http://code.google.com/p/pulledpork/
            _____ ____
            `----,\    )
             `--==\\  /    PulledPork v0.7.0 - Swine Flu!
              `--==\\/
            .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
         @_/        /  66\_  cummingsj () gmail com
           |    \   \   _(")
            \   /-| ||'--'  Rules give me wings!
           \_\  \_\\
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Config File Variable Debug /etc/snort/pulledpork.conf
        snort_path = /usr/bin/snort
        enablesid = /etc/snort/enablesid.conf
        black_list = /etc/snort/rules/blacklist.rules
        modifysid = /etc/snort/modifysid.conf
        IPRVersion = /etc/snort/rules/iplists
        rule_path = /etc/snort/rules/snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        snort_control = /usr/bin/snort_control
        rule_url = ARRAY(0x21c5cc0)
        sid_msg_version = 1
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /etc/snort/rules/community-rules/sid-msg.map
        config_path = /etc/snort/snort.conf
        temp_path = /tmp
        distro = RHEL-6-0
        version = 0.7.0
        sorule_path = /usr/local/lib/snort_dynamicrules/
        disablesid = /etc/snort/disablesid.conf
        dropsid = /etc/snort/dropsid.conf
        out_path = /etc/snort/rules/
        local_rules = /etc/snort/rules/local.rules

    MISC (CLI and Autovar) Variable Debug:
        arch Def is: x86-64
        Config Path is: /etc/snort/pulledpork.conf
        Distro Def is: RHEL-6-0
        Disabled policy specified
        local.rules path is: /etc/snort/rules/local.rules
        Rules file is: /etc/snort/rules/snort.rules
        Path to disablesid file: /etc/snort/disablesid.conf
        Path to dropsid file: /etc/snort/dropsid.conf
        Path to enablesid file: /etc/snort/enablesid.conf
        Path to modifysid file: /etc/snort/modifysid.conf
        sid changes will be logged to: /var/log/sid_changes.log
        sid-msg.map Output Path is: /etc/snort/rules/community-rules/sid-msg.map
        Snort Config File: /etc/snort/snort.conf
        Snort Path is: /usr/bin/snort
        Logging Flag is Set
        Text Rules only Flag is Set
        Extra Verbose Flag is Set
        Verbose Flag is Set
        Base URL is:
            https://www.snort.org/reg-rules/|snortrules-snapshot-2970.tar.gz|{my_oink_code}
            https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
            http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
            https://www.snort.org/reg-rules/|opensource.gz|{my_oink_code}

    Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
        Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5
        ** GET https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/{my_oink_code} ==>
        SSL_connect:before/connect initialization
        SSL_connect:SSLv2/v3 write client hello A
        SSL_connect:SSLv3 read server hello A
        SSL_connect:SSLv3 read server certificate A
        SSL_connect:SSLv3 read server key exchange A
        SSL_connect:SSLv3 read server done A
        SSL_connect:SSLv3 write client key exchange A
        SSL_connect:SSLv3 write change cipher spec A
        SSL_connect:SSLv3 write finished A
        SSL_connect:SSLv3 flush data
        SSL_connect:SSLv3 read server session ticket A
        SSL_connect:SSLv3 read finished A
        200 OK (1s)
        most recent rules file digest: 0db1354779ee27b47ea3dbb7134166e4
        current local rules file digest: 0db1354779ee27b47ea3dbb7134166e4
        The MD5 for snortrules-snapshot-2970.tar.gz matched 0db1354779ee27b47ea3dbb7134166e4

    Checking latest MD5 for community-rules.tar.gz....
        Fetching md5sum for: community-rules.tar.gz.md5
        ** GET https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz.md5 ==>
        SSL_connect:before/connect initialization
        SSL_connect:SSLv2/v3 write client hello A
        SSL_connect:error in SSLv2/v3 read server hello A
        SSL_connect:before/connect initialization
        SSL_connect:SSLv3 write client hello A
        SSL_connect:SSLv3 read server hello A
        SSL_connect:SSLv3 read server certificate A
        SSL_connect:SSLv3 read server key exchange A
        SSL_connect:SSLv3 read server done A
        SSL_connect:SSLv3 write client key exchange A
        SSL_connect:SSLv3 write change cipher spec A
        SSL_connect:SSLv3 write finished A
        SSL_connect:SSLv3 flush data
        SSL_connect:SSLv3 read finished A
        200 OK (31s)
        most recent rules file digest: 89a79ead3145c225a3d85719d7e92629
        current local rules file digest: a7a28cdd2326e06621241c863b40dd5d
        The MD5 for community-rules.tar.gz did not match the latest digest... so I am gonna fetch the latest rules file!

    Rules tarball download of community-rules.tar.gz....
        Fetching rules file: community-rules.tar.gz
        ** GET https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz ==>
        SSL_connect:before/connect initialization
        SSL_connect:SSLv2/v3 write client hello A
        SSL_connect:SSLv3 read server hello A
        SSL_connect:SSLv3 read server certificate A
        SSL_connect:SSLv3 read server key exchange A
        SSL_connect:SSLv3 read server done A
        SSL_connect:SSLv3 write client key exchange A
        SSL_connect:SSLv3 write change cipher spec A
        SSL_connect:SSLv3 write finished A
        SSL_connect:SSLv3 flush data
        SSL_connect:SSLv3 read finished A
        200 OK (3s)
        storing file at: /tmp/community-rules.tar.gz
        current local rules file digest: 89a79ead3145c225a3d85719d7e92629
        The MD5 for community-rules.tar.gz matched 89a79ead3145c225a3d85719d7e92629

    IP Blacklist download of http://labs.snort.org/feeds/ip-filter.blf....
        ** GET http://labs.snort.org/feeds/ip-filter.blf ==> 200 OK (1s)
        Reading IP List...

    Checking latest MD5 for opensource.gz....
        Fetching md5sum for: opensource.gz.md5
        ** GET https://www.snort.org/reg-rules/opensource.gz.md5/{my_oink_code} ==>
        SSL_connect:before/connect initialization
        SSL_connect:SSLv2/v3 write client hello A
        SSL_connect:SSLv3 read server hello A
        SSL_connect:SSLv3 read server certificate A
        SSL_connect:SSLv3 read server key exchange A
        SSL_connect:SSLv3 read server done A
        SSL_connect:SSLv3 write client key exchange A
        SSL_connect:SSLv3 write change cipher spec A
        SSL_connect:SSLv3 write finished A
        SSL_connect:SSLv3 flush data
        SSL_connect:SSLv3 read server session ticket A
        SSL_connect:SSLv3 read finished A
        200 OK
        most recent rules file digest: 489712cc1f594ad03958473e8a4c00d0
        current local rules file digest: 489712cc1f594ad03958473e8a4c00d0
        The MD5 for opensource.gz matched 489712cc1f594ad03958473e8a4c00d0

    Prepping rules from opensource.gz for work....
        extracting contents of /tmp/opensource.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules

    Prepping rules from community-rules.tar.gz for work....
        extracting contents of /tmp/community-rules.tar.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
        Extracted: /tha_rules/Snort-Community-community.rules

    Prepping rules from snortrules-snapshot-2970.tar.gz for work....
        extracting contents of /tmp/snortrules-snapshot-2970.tar.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
        [one "Extracted: /tha_rules/VRT-*.rules" line per VRT rules file omitted]

    Reading rules...
    Reading rules...
    Cleanup....
        removed 121 temporary snort files or directories from /tmp/tha_rules!
    Writing Blacklist File /etc/snort/rules/blacklist.rules....
    Writing Blacklist Version 845308515 to /etc/snort/rules/iplistsIPRVersion.dat....
    Modifying Sids.... Done!
    Processing /etc/snort/enablesid.conf....
        Modified 0 rules
    Done
    Processing /etc/snort/dropsid.conf....
        Modified 0 rules
    Done
    Processing /etc/snort/disablesid.conf....
        Modified 0 rules
    Done
    Setting Flowbit State....
        Enabled 23 flowbits
    Done
    Writing /etc/snort/rules/snort.rules....
    Done
    Generating sid-msg.map....
    Done
    Writing v1 /etc/snort/rules/community-rules/sid-msg.map....
    Done
    Writing /var/log/sid_changes.log....
    Done
    Rule Stats...
        New:-------46
        Deleted:---16
        Enabled Rules:----6302
        Dropped Rules:----0
        Disabled Rules:---16530
        Total Rules:------22832
    IP Blacklist Stats...
        Total IPs:-----13809
    Done
    Please review /var/log/sid_changes.log for additional details
    Fly Piggy Fly!

    [root@snortest ~]# service snortd start
    Starting snort: [FAILED]
    [root@snortest ~]# tail -f /var/log/messages
    Dec 20 21:58:22 centos6 snort[1304]:
    Dec 20 21:58:22 centos6 snort[1304]: PortVar 'GTP_PORTS' defined :
    Dec 20 21:58:22 centos6 snort[1304]: [ 2123 2152 3386 ]
    Dec 20 21:58:22 centos6 snort[1304]:
    Dec 20 21:58:22 centos6 snort[1304]: Detection:
    Dec 20 21:58:22 centos6 snort[1304]:    Search-Method = AC-Full-Q
    Dec 20 21:58:22 centos6 snort[1304]:    Split Any/Any group = enabled
    Dec 20 21:58:22 centos6 snort[1304]:    Search-Method-Optimizations = enabled
    Dec 20 21:58:22 centos6 snort[1304]:    Maximum pattern length = 20
    Dec 20 21:58:22 centos6 snort[1304]: FATAL ERROR: /etc/snort/rules/blacklist.rules(1) Invalid configuration line: 1.120.215.97#012

What's wrong here?

Thanks for your help.
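A consistency check over the two configurations quoted in this post, added here as an example and not part of the original thread or of PulledPork. It assumes RULE_PATH is /etc/snort/rules (the grep above only shows lines containing "black", so that var is not visible), and it flags an `include` of the file PulledPork writes its IP list to, because `include` expects rule syntax while Snort's `blacklist` directive is the one that reads a bare IP list.

```python
import re

# Constructed inputs reproducing the grep output shown in the post.
# "var RULE_PATH" is an assumption; the post's grep did not display it.
SNORT_CONF = """\
var RULE_PATH /etc/snort/rules
#var BLACK_LIST_PATH ../rules
var BLACK_LIST_PATH /etc/snort/rules
blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/blacklist.rules
"""
PULLEDPORK_CONF = "black_list=/etc/snort/rules/blacklist.rules\n"

IP_OR_CIDR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")

def parse_snort_conf(text):
    """Return (vars, blacklist paths, include paths) with $VAR references expanded."""
    variables, blacklists, includes = {}, [], []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "var" and len(parts) == 3:
            variables[parts[1]] = parts[2]
        elif parts[0] in ("blacklist", "include") and len(parts) >= 2:
            path = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), parts[1])
            (blacklists if parts[0] == "blacklist" else includes).append(path)
    return variables, blacklists, includes

def pulledpork_black_list(text):
    """Path PulledPork writes the IP list to (the black_list= key), or None."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "black_list":
            return value.strip()
    return None

def looks_like_ip_list(text):
    """True when the first non-comment line is a bare IP/CIDR, i.e. list format, not rule syntax."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            return bool(IP_OR_CIDR.match(line))
    return False

def find_problems(snort_conf, pp_conf):
    """Report every way the PulledPork IP list and the snort.conf directives disagree."""
    _, blacklists, includes = parse_snort_conf(snort_conf)
    pp_out, problems = pulledpork_black_list(pp_conf), []
    if pp_out and pp_out in includes:
        problems.append(f"'include {pp_out}': that file is an IP list, so its first IP is an invalid configuration line")
    if pp_out and pp_out not in blacklists:
        problems.append(f"black_list={pp_out} is not the file named by any 'blacklist' directive ({', '.join(blacklists) or 'none'})")
    return problems
```

Run against the post's values it reports both mismatches; with black_list and the `blacklist` directive pointing at the same file and no `include` of it, it reports nothing.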