[Snort-users] Assistance with Blacklist
Hannibal S. Jackson
hannibaljackson at ...131...
Tue Apr 9 10:30:00 EDT 2013
Was asked to enable the reputation preprocessor and configure a black_list.rules file.I'm running it on Windows 7 in a virtual environment. This is how I start snort.
snort -i 1 -c c:\snort\etc\snort.conf -A console
This is the error I get: <snort-users at ...314...>;
I'm getting ERROR: c:\snort\rules\black_list.rules (4) Invalid configuration
The only thing I have in my black_list.rules file is this:
# This is my black_list.rules file for www.facebook.com
It doesn't matter which / I use (CIDR), I get the same
error, I tried a /8 a /16, nothing mattered.
The goal is to get it to trigger an alert when someone tries to access that site. We already did this with our basic rules, now we are trying to do it with the preprocessor. Not sure why it's complaining about my configuration of the black_list.rules file. There isn't very many lines, other than the comment and one of the IP's I've found for Facebook as a test when pinging the domain.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users