Snort mailing list archives
Re: SNORT + PulledPork: FATAL ERROR: ... Invalid configuration line
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 20 Dec 2014 23:09:57 -0500
On 12/20/2014 10:18 PM, RŌNIN wrote:
Hi to everyone:

Checking my snort.conf file, I found this:

[root@snortest ~]# grep -ir "black" /etc/snort/snort.conf
#var BLACK_LIST_PATH ../rules
var BLACK_LIST_PATH /etc/snort/rules
   blacklist $BLACK_LIST_PATH/black_list.rules
note the above!
include $RULE_PATH/blacklist.rules
[root@snortest ~]#

And checking my pulledpork.conf file, I found this:

root@snortest ~]# grep -ir "black" /etc/snort/pulledpork.conf
# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
# This format MUST be followed to let pulledpork know that this is a blacklist
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
# want to tell pulledpork where your blacklist file lives, PP automagically will
black_list=/etc/snort/rules/blacklist.rules
right there is the problem... if i'm reading the excerpts correctly, this should be black_list.rules...

FWIW: this type of confusion due to the names being too similar is why i advocated a while back that the reputation black list (and white list) names be very distinctive... they are still (IMHO) much too close... at that time, i advocated that the reputation processor files be named something more indicative of their use...

rep_black.lst
rep_white.lst

or something similar... the main part being the inclusion of "rep" or even "rpp" for reputation pre-processor and possibly even .lst for list since they are just a list of IPs and not rules as seen in the textual rules files...

--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.
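A cross-check for the path mismatch pointed out in this message, as an added example that is not part of the original post or of Snort or PulledPork: it resolves the reputation `blacklist` path from snort.conf and compares it with `black_list=` in pulledpork.conf. The sample text is constructed from the excerpts above; the `RULE_PATH` value and the function names are assumptions.

```python
import re

# Constructed sample input based on the grep excerpts in the message.
# RULE_PATH is not shown on the page; its value here is an assumption.
SNORT_CONF = """\
var RULE_PATH /etc/snort/rules
#var BLACK_LIST_PATH ../rules
var BLACK_LIST_PATH /etc/snort/rules
preprocessor reputation: \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/blacklist.rules
"""
PULLEDPORK_CONF = """\
black_list=/etc/snort/rules/blacklist.rules
"""

def parse_snort(text):
    """Return (reputation blacklist path, included paths) with $VARs expanded."""
    variables, blacklist, includes = {}, None, []
    def expand(s):
        return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), s)
    for raw in text.splitlines():
        line = raw.strip().rstrip("\\, ")  # drop continuation backslash / list comma
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] in ("var", "ipvar", "portvar") and len(parts) == 3:
            variables[parts[1]] = expand(parts[2])
        elif parts[0] == "blacklist" and len(parts) >= 2:
            blacklist = expand(parts[1])
        elif parts[0] == "include" and len(parts) >= 2:
            includes.append(expand(parts[1]))
    return blacklist, includes

def parse_pulledpork(text):
    """Return the active (uncommented) black_list= value, or None."""
    m = re.search(r"^\s*black_list\s*=\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def check(snort_text, pp_text):
    """List mismatches between the two files; an empty list means consistent."""
    rep_path, includes = parse_snort(snort_text)
    pp_path = parse_pulledpork(pp_text)
    problems = []
    if pp_path != rep_path:
        problems.append(f"pulledpork black_list={pp_path}, snort reputation blacklist={rep_path}")
    if pp_path in includes:
        problems.append(f"{pp_path} is also loaded by snort.conf via include")
    return problems
```

Calling `check()` on the contents of the two real files returns an empty list once `black_list=` names the same file as the reputation `blacklist` entry.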