Snort mailing list archives

Re: Get Invalid Configuration in blacklist.rules when restart Snort


From: Stephen Gantz <stephen.gantz () faculty umuc edu>
Date: Mon, 6 Oct 2014 10:21:27 -0400

Don't confuse blacklist.rules (one of the VRT rules files) with the blacklist of IP addresses referenced in your 
reputation preprocessor. It looks like you may have edited blacklist.rules instead of the black_list.rules file 
referenced by default by the preprocessor in snort.conf. Bear in mind that black_list.rules does not exist when you 
install Snort - you have to create it (and the white_list.rules file too if you are using a whitelist). I tell my 
students to choose a different name for the blacklist file (the one with the IP addresses) to try to avoid exactly this 
confusion. 

Dr. Stephen D. Gantz
CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu

On Oct 6, 2014, at 8:56 AM, "Joel Esler (jesler)" <jesler () cisco com> wrote:


On Oct 6, 2014, at 1:38 AM, Jutichai Thongkrachai <thsecmaniac () gmail com> wrote:

Hello,

Before I have a problem, I installed pulledpork for getting the latest rule from snort.

After that I restart snort but get this error:

Oct 06 12:25:55 snort[25714]: Detection:
Oct 06 12:25:55 snort[25714]: Search-Method = AC-Full-Q
Oct 06 12:25:55 snort[25714]: Split Any/Any group = enabled
Oct 06 12:25:55 snort[25714]: Search-Method-Optimizations = enabled
Oct 06 12:25:55 snort[25714]: Maximum pattern length = 20
Oct 06 12:25:55 snort[25714]: FATAL ERROR: /etc/snort/rules/blacklist.rules(1) Invalid configuration line: 1.122.106.236
Oct 06 12:25:55 snort[25709]: [33B blob data]
Oct 06 12:25:55 systemd[1]: snort.service: control process exited, code=exited status=1
Oct 06 12:25:55 systemd[1]: Failed to start LSB: Start up the SNORT Intrusion Detection System daemon.


but in the blacklist.rules, there are just ip address per line only
<trim digest>

Looks like you aren’t loading the blacklist as a blacklist inside the preprocessor.  It appears Snort is trying to 
load the Blacklist as a configuration option or something.

Can you attach your snort.conf?


--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

------------------------------------------------------------------------------
Slashdot TV.  Videos for Nerds.  Stuff that Matters.
http://pubads.g.doubleclick.net/gampad/clk?id=160591471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
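
An added example, not part of the thread or of Snort itself: a pre-restart check for the mix-up discussed above, flagging an IP list that snort.conf pulls in with `include` and a reputation list file that was never created. It assumes `var` paths resolve relative to snort.conf's directory; `check_conf`, `demo` and the sample files are constructed for illustration.

```python
import ipaddress, re, tempfile
from pathlib import Path

def first_entry(path):
    """First non-blank, non-comment line of a file ('' if none)."""
    for raw in path.read_text().splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):
            return raw.split("#")[0].strip()
    return ""

def is_ip(entry):
    """True for a bare IPv4/IPv6 address or CIDR block."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

def check_conf(conf_path):
    """Flag IP lists loaded as rules files and missing reputation list files."""
    conf, findings = Path(conf_path), []
    text = re.sub(r"\\\r?\n", " ", conf.read_text())  # join continuation lines
    variables = dict(re.findall(r"^\s*var\s+(\S+)\s+(\S+)", text, re.M))
    def resolve(p):  # expand $VARS; assumes paths relative to snort.conf's dir
        p = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), p)
        return conf.parent / p
    for line in map(str.strip, text.splitlines()):
        if line.startswith("include "):
            f = resolve(line.split()[1])
            if f.is_file() and is_ip(first_entry(f)):
                findings.append(f"{f.name}: IP list loaded via include")
        elif line.startswith("preprocessor reputation"):
            for kind, p in re.findall(r"\b(blacklist|whitelist)\s+([^\s,]+)", line):
                f = resolve(p)
                if not f.is_file():
                    findings.append(f"{f.name}: {kind} file missing")
    return findings

def demo():
    """Constructed layout reproducing the mix-up described in the thread."""
    root = Path(tempfile.mkdtemp())
    (root / "blacklist.rules").write_text("192.0.2.10\n198.51.100.0/24\n")
    (root / "snort.conf").write_text(
        "var RULE_PATH .\nvar BLACK_LIST_PATH .\n"
        "preprocessor reputation: \\\n  memcap 500, \\\n  priority whitelist, \\\n"
        "  blacklist $BLACK_LIST_PATH/black_list.rules\n"
        "include $RULE_PATH/blacklist.rules\n")
    return check_conf(root / "snort.conf")

if __name__ == "__main__":
    print("\n".join(demo()))
```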