Snort mailing list archives

Re: Snort IP blacklist issue


From: "Dinh, Cuong" <Cuong.Dinh () ucdenver edu>
Date: Tue, 1 Sep 2015 23:24:54 +0000

I too have the same issue. I’m using the latest version of both Snort and Pulledpork. If anyone finds a solution, I’d 
love to take a look.

Thank you,

Cuong Dinh


From: Shirkdog
Date: Thursday, August 27, 2015 at 4:53 PM
To: ha dinhphu
Cc: snort-users mailinglist
Subject: Re: [Snort-users] Snort IP blacklist issue


We would have to see a sanitized copy of your pulledpork.conf (take out your oinkcode) and you need to make sure all of 
the referenced files/directories in the config exist, and that permissions are not an issue for the user running 
pulledpork.

The howto you referenced was for version 0.7.0, and although there were no major changes until now, the latest blacklist 
has been tested with the current version of Snort. So also check your versions of the tools.

Snort 2.9.7.5
Pulledpork 0.7.2

On Aug 27, 2015 5:16 PM, "ha dinhphu" <hadinhphu () gmail com> wrote:
well,

I followed the instructions from here: http://sublimerobots.com/2014/12/installing-snort-part-5/ which are exactly the 
same as the instructions posted on the snort.org website. So I don't know where the issue is.


On Thu, Aug 27, 2015 at 4:13 PM, Shirkdog <shirkdog () gmail com> wrote:
I am not seeing this issue, with the correct permissions with the
latest code (about to release 0.7.2):


    https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.2 - E.Coli in your water bottle!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2015 JJ Cummings
  @_/        /  66\_  cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2975.tar.gz....
Rules tarball download of snortrules-snapshot-2975.tar.gz....
        They Match
        Done!
Checking latest MD5 for community-rules.tar.gz....
Rules tarball download of community-rules.tar.gz....
        They Match
        Done!
IP Blacklist download of http://talosintel.com/files/additional_resources/ips_blacklist/ip-filter.blf....
Reading IP List...
Checking latest MD5 for opensource.gz....
Rules tarball download of opensource.gz....
        They Match
        Done!
Prepping rules from opensource.gz for work....
        Done!
Prepping rules from community-rules.tar.gz for work....
        Done!
Prepping rules from snortrules-snapshot-2975.tar.gz for work....
        Done!
Reading rules...
Reading rules...
Writing Blacklist File /usr/local/etc/snort/rules/iplists/default.blacklist....
Writing Blacklist Version 825308466 to /usr/local/etc/snort/rules/iplistsIPRVersion.dat....
Setting Flowbit State....
        Enabled 16 flowbits
        Done
Writing /usr/local/etc/snort/rules/snort.rules....
        Done
Generating sid-msg.map....
        Done
Writing v1 /usr/local/etc/snort/sid-msg.map....
        Done
Writing /var/log/sid_changes.log....
        Done
Rule Stats...
        New:-------0
        Deleted:---0
        Enabled Rules:----8695
        Dropped Rules:----0
        Disabled Rules:---17344
        Total Rules:------26039
IP Blacklist Stats...
        Total IPs:-----6312

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

---
Michael Shirk


On Thu, Aug 27, 2015 at 1:26 PM, ha dinhphu <hadinhphu () gmail com> wrote:
It's been a while since I asked about this problem. Does anyone have a solution
for it?

On Fri, Aug 14, 2015 at 1:12 PM, ha dinhphu <hadinhphu () gmail com> wrote:

Hi kitty,

Yes, my /tmp directory is available with rwx permission for all users. I ran
the command as root, so I don't think that's the problem.
https://code.google.com/p/pulledpork/issues/detail?id=166 -- another user
has the same problem.
http://sourceforge.net/p/snort/mailman/message/32913112/ -- snort-users

On Fri, Aug 14, 2015 at 1:04 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 08/14/2015 12:21 PM, ha dinhphu wrote:
IP Blacklist download of http://talosintel.com/files/additional_resources/ips_blacklist/ip-filter.blf....
Reading IP List...
Couldn't read /tmp/296.170136981772-black_list.rules - No such file or
directory

what linux are you using? does it have a working /tmp directory that is
writable
by all users?

both of your reports have been failures to read a file that should have
been
downloaded into /tmp... these failures seem to point to /tmp not existing
or it
is not writable by the user your pulledpork is running as...

--
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
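The two causes proposed in this thread (a temp directory the pulledpork user cannot actually write to and read back from, and paths in pulledpork.conf that do not exist) can be checked before running pulledpork at all. The script below is an added example for this archive page, not code from the thread or from the PulledPork project. It assumes the key names of a stock pulledpork.conf (temp_path, rule_path, black_list, IPRVersion, sid_msg, sid_changelog, sorule_path, local_rules, enablesid, disablesid, dropsid, modifysid); the configuration it writes for its demo is constructed and points into a scratch directory. The trailing-slash check on IPRVersion is inferred from the "iplistsIPRVersion.dat" path in the output quoted above, where the version file name was appended directly to the configured directory.

```shell
#!/bin/sh
# pp_precheck.sh: pre-flight checks for the failure causes discussed in the
# thread. Added example, not PulledPork code. Key names are assumed to match
# a stock pulledpork.conf; adjust them to your own file.

# 1. Can the user running pulledpork create, read back and delete a scratch
#    file in the temp directory? This mimics the /tmp/<n>-black_list.rules
#    file named in "Couldn't read ... No such file or directory".
pp_check_tmp() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi
    f="$dir/$$.$(date +%s)-black_list.rules"
    if ! printf '192.0.2.1\n' > "$f" 2>/dev/null; then
        echo "FAIL: $(id -un) cannot create files in $dir"
        return 1
    fi
    if [ ! -r "$f" ]; then
        echo "FAIL: created $f but cannot read it back"
        rm -f "$f"
        return 1
    fi
    rm -f "$f"
    echo "OK: $dir is usable by $(id -un)"
    return 0
}

# 2. Walk key=value lines of a pulledpork.conf and print every referenced
#    path that is missing. Output files only need their parent directory;
#    input files (local rules, sid lists) must exist; directory keys must be
#    directories. Always returns 0; the caller counts the printed lines.
pp_conf_missing() {
    grep -v '^[[:space:]]*#' "$1" | grep '=' | while IFS='=' read -r key val; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        val=$(printf '%s' "$val" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$key" in
            temp_path|IPRVersion|sorule_path)
                [ -d "$val" ] || echo "MISSING DIR  $key=$val" ;;
            rule_path|black_list|sid_msg|sid_changelog)
                d=$(dirname "$val")
                [ -d "$d" ] || echo "MISSING DIR  $key -> $d" ;;
            local_rules|enablesid|disablesid|dropsid|modifysid)
                [ -f "$val" ] || echo "MISSING FILE $key=$val" ;;
        esac
    done
    return 0
}

# 3. The quoted output shows ".../iplistsIPRVersion.dat": the version file
#    name is appended straight onto IPRVersion, so the value needs a trailing
#    slash for the file to land inside the directory.
pp_iprversion_trailing_slash() {
    val=$(sed -n 's/^[[:space:]]*IPRVersion[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    case "$val" in
        */) echo "OK: IPRVersion=$val"; return 0 ;;
        *)  echo "WARN: IPRVersion='$val' lacks a trailing slash; version file would be ${val}IPRVersion.dat"
            return 1 ;;
    esac
}

# Demo on a constructed config in a scratch directory (not a real install).
pp_demo() {
    t=$(mktemp -d)
    mkdir -p "$t/rules/iplists"
    cat > "$t/pulledpork.conf" <<EOF
# constructed sample; every path points into $t
temp_path=$t
rule_path=$t/rules/snort.rules
black_list=$t/rules/iplists/default.blacklist
IPRVersion=$t/rules/iplists
sid_msg=$t/sid-msg.map
local_rules=$t/rules/local.rules
EOF
    pp_check_tmp "$t" || true
    pp_conf_missing "$t/pulledpork.conf"
    pp_iprversion_trailing_slash "$t/pulledpork.conf" || true
    rm -rf "$t"
}
pp_demo
```

Run it as the same user (and, if applicable, in the same environment, e.g. the same cron job) that runs pulledpork; a check that passes as root says nothing about the account the job actually uses. Point pp_check_tmp at whatever temp_path is set to, and feed pp_conf_missing the sanitized pulledpork.conf you would post to the list.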