Snort mailing list archives

Re: Snort IP blacklist issue (PulledPork)


From: "Nicolas Lepolard" <Nicolas.Lepolard () ejco com>
Date: Thu, 4 Feb 2016 13:50:02 +0100

Yes, it's all good for me. But I have the same issue...

Another idea?

Nicolas



From:    Shirkdog <shirkdog () gmail com>
To:      Nicolas Lepolard <Nicolas.Lepolard () ejco com>
Cc:      snort-users mailinglist <snort-users () lists sourceforge net>
Date:    04/02/2016 13:26
Subject: Re: [Snort-users] Snort IP blacklist issue (PulledPork)



Does /etc/snort/rules/iplists exist?
Try this and post your results running pulledpork:
mkdir -p /etc/snort/rules/iplists
touch /etc/snort/rules/iplists/black_list.rules
On Feb 4, 2016 4:40 AM, "Nicolas Lepolard" <Nicolas.Lepolard () ejco com> wrote:
Hi,

Thank you for your reply!

I have checked and I think my config is OK. Here are the variables that I have modified in my pulledpork.conf file:

Line 19        rule_url=https://www.snort.org/reg_rules/|snortrules-snapshot.tar.gz|<my oinkcode>
Line 26        rule_url=https://www.snort.org/reg-rules/|opensource.gz|<my oinkcode>
Line 61        temp_path=/opt/snort/tmp (I have changed the path because it didn't work with /tmp; the permissions are OK)
Line 74        rule_path=/etc/snort/rules/snort.rules
Line 89        local_rules=/etc/snort/rules/local.rules
Line 92        sid_msg=/etc/snort/sid-msg.map
Line 96        sid_msg_version=2
Line 119       config_path=/etc/snort/snort.conf
Line 133       distro=Debian-6.0
Line 141       black_list=/etc/snort/rules/iplists/black_list.rules
Line 150       IPRVersion=/etc/snort/rules/iplists

Thanks for your help.

Best regards

Nicolas



From:    Shirkdog <shirkdog () gmail com>
To:      Nicolas Lepolard <Nicolas.Lepolard () ejco com>
Cc:      snort-users mailinglist <snort-users () lists sourceforge net>
Date:    03/02/2016 18:40
Subject: Re: [Snort-users] Snort IP blacklist issue (PulledPork)



Make sure the file specified in pulledpork.conf actually exists.
Check the black_list variable in your config.
On Feb 3, 2016 11:53 AM, "Nicolas Lepolard" <Nicolas.Lepolard () ejco com> wrote:
Hi guys,
I have an issue with my PulledPork installation!
When I try this command, I get this error message:
sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

(...)
Checking latest MD5 for snortrules-snapshot-2980.tar.gz....
They Match
Done!
Rules tarball download of community-rules.tar.gz....
IP Blacklist download of http://talosintel.com/feeds/ip-filter.blf....
Reading IP List...
Couldn't read /opt/snort/tmp/648.041857729794-black_list.rules - No such file or directory at /usr/local/bin/pulledpork.pl line 540.
main::read_iplist(HASH(0x2a281f8), "/opt/snort/tmp/648.041857729794-black_list.rules") called at /usr/local/bin/pulledpork.pl line 431
main::rulefetch("open", "IPBLACKLIST0", "/opt/snort/tmp/", "http://talosintel.com/feeds/ip-filter.blf") called at /usr/local/bin/pulledpork.pl line 1946

I've seen other posts about this problem but I didn't find a solution!

Can you help me, please?

Snort: 2.9.8.0
PulledPork: 0.7.2

Best regards

Nicolas

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



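The advice in the thread boils down to one check: every path that pulledpork.conf points at must already exist and be writable by the user who runs pulledpork.pl (here via sudo), including temp_path, where the downloaded blacklist is written before it is read back (the file named in the error above). The script below is an added example, not PulledPork's own code and not posted by anyone in the thread. It assumes pulledpork.conf is plain key=value lines, as in the settings quoted above, falls back to /tmp when temp_path is unset (the value the shipped pulledpork.conf uses), and the function names pp_get, pp_check_dir and check_pulledpork_paths are this example's own.

```shell
#!/bin/sh
# Added example (not PulledPork's code): pre-flight check of the paths a
# pulledpork.conf points at. Run it as the same user that will run pulledpork.pl.
# Assumes key=value lines in pulledpork.conf; function names are this example's own.

# Print the value of one key from a pulledpork.conf (first match, whitespace stripped).
pp_get() {
    f=$1 k=$2
    sed -n "s/^[[:space:]]*${k}[[:space:]]*=[[:space:]]*//p" "$f" | head -n 1 | tr -d '[:space:]'
}

# Verify a directory exists and is writable by the current user.
# Prints a verdict and returns 0 (ok) or 1 (problem).
pp_check_dir() {
    label=$1 d=$2
    if [ ! -d "$d" ]; then
        printf 'FAIL %-11s %s does not exist (try: mkdir -p %s)\n' "$label" "$d" "$d"
        return 1
    fi
    if [ ! -w "$d" ]; then
        printf 'FAIL %-11s %s is not writable by %s\n' "$label" "$d" "$(id -un)"
        return 1
    fi
    printf 'ok   %-11s %s\n' "$label" "$d"
}

# Check every location PulledPork writes to.
# Returns the number of failing paths, so 0 means everything is in place.
check_pulledpork_paths() {
    cfg=$1
    fails=0
    # temp_path is where the blacklist download lands before read_iplist opens it,
    # so it must exist and be writable. Assumption: /tmp when the key is unset.
    t=$(pp_get "$cfg" temp_path)
    pp_check_dir temp_path "${t:-/tmp}" || fails=$((fails + 1))
    # Output files: the directory that will hold each file must already exist.
    for key in rule_path local_rules sid_msg black_list IPRVersion; do
        val=$(pp_get "$cfg" "$key")
        [ -n "$val" ] || continue
        if [ "$key" = IPRVersion ]; then
            d=$val                  # IPRVersion names a directory, not a file
        else
            d=$(dirname "$val")
        fi
        pp_check_dir "$key" "$d" || fails=$((fails + 1))
    done
    return "$fails"
}

# When run directly, pass the config path: sh pp_check.sh /etc/snort/pulledpork.conf
if [ $# -ge 1 ]; then
    check_pulledpork_paths "$1"
fi
```

Against the settings posted in the thread, a missing /etc/snort/rules/iplists would show up as two FAIL lines (black_list and IPRVersion) and the fix is the mkdir -p suggested above; a temp_path that exists but is owned by another user shows up as "not writable", which is worth checking under sudo as well as under the account that runs cron.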
