Snort mailing list archives

Re: Get Invalid Configuration in blacklist.rules when restart Snort


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 6 Oct 2014 14:26:55 +0000

Good call Stephen…


I’m sure I have the power to fix this issue…

J

On Oct 6, 2014, at 10:21 AM, Stephen Gantz <stephen.gantz () faculty umuc edu> wrote:

Don't confuse blacklist.rules (one of the VRT rules files) with the blacklist of IP addresses referenced in your 
reputation preprocessor. It looks like you may have edited blacklist.rules instead of the black_list.rules file 
referenced by default by the preprocessor in snort.conf. Bear in mind that black_list.rules does not exist when you 
install Snort - you have to create it (and the white_list.rules file too if you are using a whitelist). I tell my 
students to choose a different name for the blacklist file (the one with the IP addresses) to try to avoid exactly 
this confusion. 

Dr. Stephen D. Gantz
CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu

On Oct 6, 2014, at 8:56 AM, "Joel Esler (jesler)" <jesler () cisco com> wrote:


On Oct 6, 2014, at 1:38 AM, Jutichai Thongkrachai <thsecmaniac () gmail com> wrote:

Hello,

Before I had this problem, I installed pulledpork to get the latest rules from Snort.

After that I restarted Snort but got this error:

Oct 06 12:25:55 snort[25714]: Detection:
Oct 06 12:25:55 snort[25714]: Search-Method = AC-Full-Q
Oct 06 12:25:55 snort[25714]: Split Any/Any group = enabled
Oct 06 12:25:55 snort[25714]: Search-Method-Optimizations = enabled
Oct 06 12:25:55 snort[25714]: Maximum pattern length = 20
Oct 06 12:25:55 snort[25714]: FATAL ERROR: /etc/snort/rules/blacklist.rules(1) Invalid configuration line: 1.122.106.236
Oct 06 12:25:55 snort[25709]: [33B blob data]
Oct 06 12:25:55 systemd[1]: snort.service: control process exited, code=exited status=1
Oct 06 12:25:55 systemd[1]: Failed to start LSB: Start up the SNORT Intrusion Detection System daemon.


but in blacklist.rules there is just one IP address per line.


<trim digest>

Looks like you aren’t loading the blacklist as a blacklist inside the preprocessor.  It appears Snort is trying to 
load the Blacklist as a configuration option or something.

Can you attach your snort.conf?


--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
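
As an added illustration (not code from this thread or from the Snort project), a small Python lint that reads a snort.conf, resolves the paths the reputation preprocessor loads as blacklist/whitelist and the rules files pulled in with `include`, and reports exactly the mix-up Stephen describes: IPs written into the VRT blacklist.rules and a black_list.rules that was never created. The snort.conf text, paths and file contents below are constructed, and `files` stands in for the disk.

```python
import ipaddress
import re
RULE_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
def parse_conf(conf):
    """Return ({'blacklist': path, 'whitelist': path}, [include'd paths]) with $VARs expanded."""
    var_map = dict(re.findall(r"^\s*var\s+(\w+)\s+(\S+)", conf, re.M))
    expand = lambda p: re.sub(r"\$(\w+)", lambda m: var_map.get(m.group(1), m.group(0)), p)
    joined = re.sub(r"\\\s*\n", " ", conf)  # join backslash line continuations
    lists = {}
    for m in re.finditer(r"^\s*preprocessor\s+reputation:(.*)$", joined, re.M):
        for opt in m.group(1).split(","):
            kind, _, value = opt.strip().partition(" ")
            if kind in ("blacklist", "whitelist") and value.strip():
                lists[kind] = expand(value.strip())
    includes = [expand(p) for p in re.findall(r"^\s*include\s+(\S+)", conf, re.M)]
    return lists, includes
def line_kinds(text):
    """Classify non-comment lines as 'ip' (address or CIDR), 'rule' (starts with an action) or 'other'."""
    kinds = set()
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if not line:
            continue
        try:
            ipaddress.ip_network(line, strict=False)
            kinds.add("ip")
        except ValueError:
            kinds.add("rule" if line.split()[0] in RULE_ACTIONS else "other")
    return kinds
def check(conf, files):
    """Return findings; `files` maps path -> content, an in-memory stand-in for the disk."""
    lists, includes = parse_conf(conf)
    findings = []
    for kind, path in lists.items():
        if path not in files:
            findings.append(f"reputation {kind} {path} is missing: Snort does not ship it, create it")
        if path.endswith("/blacklist.rules"):
            findings.append(f"reputation {kind} {path} shares its name with the VRT rules file; rename it")
    for path in includes:
        if "ip" in line_kinds(files.get(path, "")):
            findings.append(f"{path} is include'd as rules but holds bare IPs (Snort: 'Invalid configuration line')")
    return findings

# Constructed snort.conf and file contents reproducing the thread's mix-up (IPs in the VRT rules file).
CONF = """\
var RULE_PATH /etc/snort/rules
preprocessor reputation: \\
   blacklist $RULE_PATH/black_list.rules
include $RULE_PATH/blacklist.rules
"""
FILES = {"/etc/snort/rules/blacklist.rules": "1.122.106.236\n"}
```

This is a pre-flight lint only; `snort -T -c snort.conf` remains the authoritative check of the configuration.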
