[Snort-users] Assistance with Blacklist

waldo kitty wkitty42 at ...14940...
Tue Apr 9 14:31:28 EDT 2013



On 4/9/2013 12:59, Hannibal S. Jackson wrote:
> So you have to use a CIDR notation?

i don't know... your post used an invalid CIDR notation so i took an eWAG and 
figured that you were wanting to block the entire network that that IP belongs 
to... a quick lookup showed that it belongs to facebook so i continued with the 
eWAG and guessed that the entire network was what you were wanting to block... 
you can't start a CIDR entry in the middle of the netblock, TTBOMK... you have 
to list it with the network's address... 31.13.64.0 in this case...

> It's for a class and he just wanted to see
> if we could get it working. Obviously facebook has a bunch of IP's; however, I
> tried to put just the IP in the file without the CIDR mask and it didn't work.

what didn't work? accessing that IP? how did you try to verify it? did you try 
going to facebook and you were successful? this may be problematic because the 
browser may have had the page cached and pulled it from there OR the DNS may 
have given you another IP for facebook...

> The examples I found online showed some with it and some without it. I tired /0
> /8 /16 and then gave up. Thanks, I'll try that when I get back to my machine.

start here -> http://s3.amazonaws.com/snort-org/www/assets/166/snort_manual.pdf

section 2.2.19 Reputation Processor (pg. 118) then croll down to the bottom of 
page 119 and the top of page 120 for working examples... the default.whitelist 
example does show plain IPs without any type of mask...

barring that, i've offered what i know and dug up from the docs ;)

>
>
> --------------------------------------------------------------------------------
> *From:* waldo kitty <wkitty42 at ...14940...>
> *To:* snort-users at lists.sourceforge.net
> *Sent:* Tuesday, April 9, 2013 12:44 PM
> *Subject:* Re: [Snort-users] Assistance with Blacklist
>
> On 4/9/2013 10:30, Hannibal S. Jackson wrote:
>  > I'm getting ERROR: c:\snort\rules\black_list.rules (4) Invalid configuration
>  > line: 31.13.69.160
>  >
>  > The only thing I have in my black_list.rules file is this:
>  >
>  > # This is my black_list.rules file for www.facebook.com
> <http://www.facebook.com/>
>  > 31.13.69.160/0
>
> this is not a valid network address or CIDR mask... the address is a
> workstation/server address, though... you need to use a proper network address
> and CIDR mask...
>
> in this case, the facebook network range is 31.13.64.0 - 31.13.127.255 so the
> proper mask would be 31.13.64.0/18
>
>
> IP Address : 31.13.64.0
> Address Class : Classless /18
> Network Address : 31.13.64.0
>
> Subnet Address : 31.13.64.0
> Subnet Mask : 255.255.192.0
> Subnet bit mask : nnnnnnnn.nnnnnnnn.nnhhhhhh.hhhhhhhh
> Subnet Bits : 18
> Host Bits : 14
> Number of Subnets : 1
> Hosts per Subnet : 16382
>
> Subnet : 31.13.64.0
> Mask : 255.255.192.0
> Subnet Size : 16382 Hosts
> Host Range : 31.13.64.1 to 31.13.127.254
> Broadcast : 31.13.127.255






More information about the Snort-users mailing list