Snort mailing list archives

Re: Get Invalid Configuration in blacklist.rules when restart Snort


From: Jutichai Thongkrachai <thsecmaniac () gmail com>
Date: Wed, 8 Oct 2014 10:23:40 +0700

To Dr. Stephen,


I corrected my pulledpork.pl and tried to run this script again, including
restarting Snort again. There is no invalid configuration anymore.

Thank you so much!

2014-10-06 21:27 GMT+07:00 <snort-users-request () lists sourceforge net>:

Today's Topics:

   1. Re: 93.184.215.200 black listed IP address (Joel Esler (jesler))
   2. Re: Get Invalid Configuration in blacklist.rules when restart
      Snort (Joel Esler (jesler))


---------- Forwarded message ----------
From: "Joel Esler (jesler)" <jesler () cisco com>
To: Ceejay Cervantes <ceejay.cervantes () gmail com>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Date: Mon, 6 Oct 2014 14:22:24 +0000
Subject: Re: [Snort-users] 93.184.215.200 black listed IP address
We have it listed as an “Attacker” from an outside source.  It’s a private
IP out registered through RIPE’s server.  Allegedly registered to a private
address in Santa Monica, CA.
Don’t think that’s Microsoft.

--
*Joel Esler*
Open Source Manager
Threat Intelligence Team Lead
Talos


On Oct 6, 2014, at 10:07 AM, Ceejay Cervantes <ceejay.cervantes () gmail com>
wrote:

Hello,

Good day.

Any idea on why the 93.184.215.200 IP address was included on the
black_list.rules? It seems to be a false positive.
Am seeing microsoft.com domains on tcpdump.

regards,
Ceejay

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




---------- Forwarded message ----------
From: "Joel Esler (jesler)" <jesler () cisco com>
To: Stephen Gantz <stephen.gantz () faculty umuc edu>
Cc: Jutichai Thongkrachai <thsecmaniac () gmail com>, "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Date: Mon, 6 Oct 2014 14:26:55 +0000
Subject: Re: [Snort-users] Get Invalid Configuration in blacklist.rules when restart Snort
Good call Stephen…


I’m sure I have the power to fix this issue…

J

On Oct 6, 2014, at 10:21 AM, Stephen Gantz <stephen.gantz () faculty umuc edu>
wrote:

Don't confuse blacklist.rules (one of the VRT rules files) with the
blacklist of IP addresses referenced in your reputation preprocessor. It
looks like you may have edited blacklist.rules instead of the
black_list.rules file referenced by default by the preprocessor in
snort.conf. Bear in mind that black_list.rules does not exist when you
install Snort - you have to create it (and the white_list.rules file too
if you are using a whitelist). I tell my students to choose a different
name for the blacklist file (the one with the IP addresses) to try to avoid
exactly this confusion.

Dr. Stephen D. Gantz
CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu

On Oct 6, 2014, at 8:56 AM, "Joel Esler (jesler)" <jesler () cisco com>
wrote:


On Oct 6, 2014, at 1:38 AM, Jutichai Thongkrachai <thsecmaniac () gmail com>
wrote:

Hello,

Before I had this problem, I installed pulledpork to get the latest
rules from Snort.

After that I restarted Snort but got this error:

Oct 06 12:25:55 snort[25714]: Detection:
Oct 06 12:25:55 snort[25714]: Search-Method = AC-Full-Q
Oct 06 12:25:55 snort[25714]: Split Any/Any group = enabled
Oct 06 12:25:55 snort[25714]: Search-Method-Optimizations = enabled
Oct 06 12:25:55 snort[25714]: Maximum pattern length = 20
Oct 06 12:25:55 snort[25714]: FATAL ERROR:
/etc/snort/rules/blacklist.rules(1) Invalid configuration line:
1.122.106.236
Oct 06 12:25:55 snort[25709]: [33B blob data]
Oct 06 12:25:55 systemd[1]: snort.service: control process exited,
code=exited status=1
Oct 06 12:25:55 systemd[1]: Failed to start LSB: Start up the SNORT
Intrusion Detection System daemon.


but in blacklist.rules there is just one IP address per line.


<trim digest>

Looks like you aren’t loading the blacklist as a blacklist inside the
preprocessor.  It appears Snort is trying to load the Blacklist as a
configuration option or something.

Can you attach your snort.conf?


--
*Joel Esler*
Open Source Manager
Threat Intelligence Team Lead
Talos
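As an added example (not code from this thread, Snort or PulledPork), a small Python check for the mix-up Stephen describes: it reads the reputation preprocessor stanza and the `include` lines from a snort.conf fragment, flags a reputation list that is also included as a rules file, and verifies that the IP list file holds only comments, addresses and CIDR blocks. The variable and file names (BLACK_LIST_PATH, black_list.rules) are the snort.conf defaults; the configuration fragment and the list contents are constructed.

```python
import ipaddress
import re
# Constructed sample snort.conf: the default reputation stanza plus this thread's
# mistake, the same IP list also pulled in as a rules file by an 'include' line.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
preprocessor reputation: \\
   memcap 500, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/black_list.rules
"""
# Constructed sample IP list: valid entries plus one rule line that does not belong.
SAMPLE_LIST = "1.122.106.236\n# comment\n10.0.0.0/8\nalert tcp any any -> any any (sid:1;)\n"

def expand_vars(conf_text, value):
    """Expand $NAME references using 'var NAME value' lines from snort.conf."""
    variables = dict(re.findall(r"^\s*var\s+(\S+)\s+(\S+)", conf_text, re.M))
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)

def reputation_lists(conf_text):
    """Return {'whitelist': path, 'blacklist': path} from the reputation stanza."""
    joined = conf_text.replace("\\\n", " ")  # undo backslash line continuations
    m = re.search(r"^\s*preprocessor\s+reputation:(.*)$", joined, re.M)
    found = {}
    for option in (m.group(1).split(",") if m else []):
        parts = option.split()
        if len(parts) == 2 and parts[0] in ("whitelist", "blacklist"):
            found[parts[0]] = expand_vars(conf_text, parts[1])
    return found

def misfiled_lists(conf_text):
    """Reputation list files that snort.conf also 'include's (parsed as rules)."""
    included = {expand_vars(conf_text, p)
                for p in re.findall(r"^\s*include\s+(\S+)", conf_text, re.M)}
    return sorted(set(reputation_lists(conf_text).values()) & included)

def lint_ip_list(text):
    """(line_no, reason) for every line that is not a comment, IP address or CIDR."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ipaddress.ip_network(line, strict=False)
        except ValueError:
            rule = line.split()[0] in ("alert", "log", "pass", "drop", "reject", "sdrop")
            problems.append((no, "detection rule, not an IP list entry" if rule
                             else "not an IP address or CIDR block"))
    return problems
```

Running both checks before restarting Snort catches the "Invalid configuration line" failure from the thread at lint time rather than at service start.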



