Snort mailing list archives

Re: Get Invalid Configuration in blacklist.rules when restart Snort


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 6 Oct 2014 12:56:33 +0000


On Oct 6, 2014, at 1:38 AM, Jutichai Thongkrachai <thsecmaniac () gmail com> wrote:

Hello,

Before I had this problem, I installed PulledPork to get the latest rules from Snort.

After that I restarted Snort but got this error:

Oct 06 12:25:55 snort[25714]: Detection:
Oct 06 12:25:55 snort[25714]: Search-Method = AC-Full-Q
Oct 06 12:25:55 snort[25714]: Split Any/Any group = enabled
Oct 06 12:25:55 snort[25714]: Search-Method-Optimizations = enabled
Oct 06 12:25:55 snort[25714]: Maximum pattern length = 20
Oct 06 12:25:55 snort[25714]: FATAL ERROR: /etc/snort/rules/blacklist.rules(1) Invalid configuration line: 1.122.106.236
Oct 06 12:25:55 snort[25709]: [33B blob data]
Oct 06 12:25:55 systemd[1]: snort.service: control process exited, code=exited status=1
Oct 06 12:25:55 systemd[1]: Failed to start LSB: Start up the SNORT Intrusion Detection System daemon.


But in blacklist.rules, there are only IP addresses, one per line.


<trim digest>

Looks like you aren’t loading the blacklist as a blacklist inside the preprocessor. It appears Snort is trying to load the Blacklist as a configuration option or something.

Can you attach your snort.conf?


--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
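
The diagnosis in the reply above, as an added example that is not part of the original thread: a check that flags files pulled in with `include` whose content is a bare IP list, next to a configuration that hands the same file to the `blacklist` option of Snort 2.9's reputation preprocessor. The poster's snort.conf is not on the page, so both config excerpts, the file contents, and the address 192.0.2.10 are constructed assumptions.

```python
import ipaddress
import re

# Constructed snort.conf excerpt reproducing the symptom (assumption: the
# poster's real snort.conf is not on the page).
BROKEN_CONF = r"""
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/blacklist.rules
"""

# Same excerpt with the list handed to the reputation preprocessor instead.
FIXED_CONF = r"""
var RULE_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
include $RULE_PATH/local.rules
preprocessor reputation: \
   memcap 500, \
   blacklist $BLACK_LIST_PATH/blacklist.rules
"""

# Constructed file contents so the check runs offline.
FILES = {
    "/etc/snort/rules/local.rules": 'alert icmp any any -> any any (msg:"test"; sid:1000001;)\n',
    "/etc/snort/rules/blacklist.rules": "1.122.106.236\n192.0.2.10\n",
}

def is_ip_list(text):
    """True if every non-comment line parses as an IP address or CIDR block."""
    entries = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    try:
        for entry in entries:
            ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False
    return bool(entries)

def misloaded_ip_lists(conf_text, files):
    """Return paths pulled in with 'include' whose content is a bare IP list."""
    variables, included = {}, []
    expand = lambda s: re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), s)
    for line in re.sub(r"\\[ \t]*\n", " ", conf_text).splitlines():  # join '\' continuations
        words = line.split()
        if len(words) == 3 and words[0] == "var":
            variables[words[1]] = expand(words[2])
        elif len(words) >= 2 and words[0] == "include":
            included.append(expand(words[1]))
    return [path for path in included if is_ip_list(files.get(path, ""))]
```

Calling `misloaded_ip_lists(BROKEN_CONF, FILES)` reports the blacklist file, while `FIXED_CONF` yields an empty list because the file is no longer parsed as rules.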
