[Snort-users] Assistance with Blacklist

Hannibal S. Jackson hannibaljackson at ...131...
Tue Apr 9 10:30:00 EDT 2013


Was asked to enable the reputation preprocessor and configure a black_list.rules file. I'm running it on Windows 7 in a virtual environment. This is how I start snort.


snort -i 1 -c c:\snort\etc\snort.conf -A console 

This is the error I get:



I'm getting ERROR: c:\snort\rules\black_list.rules (4) Invalid configuration line: 31.13.69.160

The only thing I have in my black_list.rules file is this: 


# This is my black_list.rules file for www.facebook.com 
31.13.69.160/0 



It doesn't matter which / I use (CIDR), I get the same error. I tried a /8 and a /16; nothing mattered.

The goal is to get it to trigger an alert when someone tries to access that site. We already did this with our basic rules; now we are trying to do it with the preprocessor. Not sure why it's complaining about my configuration of the black_list.rules file. There aren't very many lines, other than the comment and one of the IPs I've found for Facebook as a test when pinging the domain.

Any ideas?