Snort mailing list archives

Re: SNORT + PulledPork: FATAL ERROR: ... Invalid configuration line


From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 20 Dec 2014 23:09:57 -0500

On 12/20/2014 10:18 PM, RŌNIN wrote:
> Hi to everyone:
>
> Checking my snort.conf file, I found this:
>
> [root@snortest ~]# grep -ir "black" /etc/snort/snort.conf
> #var BLACK_LIST_PATH ../rules
> var BLACK_LIST_PATH /etc/snort/rules
>    blacklist $BLACK_LIST_PATH/black_list.rules

note the above!

> include $RULE_PATH/blacklist.rules
> [root@snortest ~]#
>
> And checking my pulledpork.conf file, I found this:
>
> root@snortest ~]# grep -ir "black" /etc/snort/pulledpork.conf
> # NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
> # This format MUST be followed to let pulledpork know that this is a blacklist
> rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
> # want to tell pulledpork where your blacklist file lives, PP automagically will
> black_list=/etc/snort/rules/blacklist.rules

right there is the problem... if i'm reading the excerpts correctly, this should 
be black_list.rules...

FWIW: this type of confusion due to the names being too similar is why i 
advocated a while back that the reputation black list (and white list) names be 
very distinctive... they are still (IMHO) much too close... at that time, i 
advocated that the reputation processor files be named something more indicative 
of their use... rep_black.lst rep_white.lst or something similar... the main 
part being the inclusion of "rep" or even "rpp" for reputation pre-processor and 
possibly even .lst for list since they are just a list of IPs and not rules as 
seen in the textual rules files...


-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
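
The filename mismatch pointed out in the reply above can be checked mechanically. This is an added example, not part of the original message and not code from Snort or PulledPork; it assumes only the `var`, `blacklist` and `black_list=` line formats quoted in the message, and the function names and sample text are constructed for illustration.

```python
import posixpath
import re

# Constructed sample input: reduced to lines quoted in the message above.
SNORT_CONF = """\
#var BLACK_LIST_PATH ../rules
var BLACK_LIST_PATH /etc/snort/rules
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/blacklist.rules
"""
PULLEDPORK_CONF = """\
black_list=/etc/snort/rules/blacklist.rules
"""

def _active_lines(text):
    """Yield stripped lines, skipping blanks and '#' comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def snort_blacklist_path(conf_text):
    """Return the 'blacklist' file path from snort.conf with $VARs expanded."""
    variables, path = {}, None
    for line in _active_lines(conf_text):
        m = re.match(r"var\s+(\S+)\s+(\S+)", line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = re.match(r"blacklist\s+(\S+)", line)
        if m:
            path = m.group(1).rstrip(",\\")  # drop option-list ',' or '\'
    if path is None:
        return None
    expanded = re.sub(r"\$(\w+)", lambda v: variables.get(v.group(1), v.group(0)), path)
    return posixpath.normpath(expanded)

def pulledpork_blacklist_path(conf_text):
    """Return the path given by 'black_list=' in pulledpork.conf."""
    for line in _active_lines(conf_text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == "black_list":
            return posixpath.normpath(value.strip())
    return None

def blacklist_paths_agree(snort_text, pp_text):
    """Return (snort_path, pulledpork_path, agree) for the two config texts."""
    s, p = snort_blacklist_path(snort_text), pulledpork_blacklist_path(pp_text)
    return s, p, s is not None and s == p
```

To check a live system, pass the contents of `/etc/snort/snort.conf` and `/etc/snort/pulledpork.conf` to `blacklist_paths_agree()` instead of the sample strings.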
