[Snort-users] Assistance with Blacklist

Joel Esler jesler at ...1935...
Tue Apr 9 20:28:44 EDT 2013


Send your whole snort.conf.  Just in case. 

--
Joel Esler
Sent from my iPhone 

On Apr 9, 2013, at 8:15 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 4/9/2013 15:57, Hannibal S. Jackson wrote:
>> I didn't try to verify yet b/c I can't get snort to run properly, it exits when
>> it's starting up because it's having an issue with that line in the
>> black_list.rules file. If I comment the white and black lists out in the
>> snort.conf, snort starts just fine.
> 
> please provide...
> 
> 1. the error message from the log file
> 2. the contents of your blacklist file
> 3. the reputation processor lines from your snort.conf file
> 4. the results of "snort -V" without the quotes
> 
> i think that will handle it...
> 
>> --------------------------------------------------------------------------------
>> *From:* waldo kitty <wkitty42 at ...14940...>
>> *To:* Hannibal S. Jackson <hannibaljackson at ...131...>;
>> "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
>> *Sent:* Tuesday, April 9, 2013 2:31 PM
>> *Subject:* Re: [Snort-users] Assistance with Blacklist
>> 
>> 
>> 
>> On 4/9/2013 12:59, Hannibal S. Jackson wrote:
>>> So you have to use a CIDR notation?
>> 
>> i don't know... your post used an invalid CIDR notation so i took an eWAG and
>> figured that you were wanting to block the entire network that that IP belongs
>> to... a quick lookup showed that it belongs to facebook so i continued with the
>> eWAG and guessed that the entire network was what you were wanting to block...
>> you can't start a CIDR entry in the middle of the netblock, TTBOMK... you have
>> to list it with the network's address... 31.13.64.0 in this case...
>> 
>>> It's for a class and he just wanted to see
>>> if we could get it working. Obviously facebook has a bunch of IP's; however, I
>>> tried to put just the IP in the file without the CIDR mask and it didn't work.
>> 
>> what didn't work? accessing that IP? how did you try to verify it? did you try
>> going to facebook and you were successful? this may be problematic because the
>> browser may have had the page cached and pulled it from there OR the DNS may
>> have given you another IP for facebook...
>> 
>>> The examples I found online showed some with it and some without it. I tried /0
>>> /8 /16 and then gave up. Thanks, I'll try that when I get back to my machine.
>> 
>> start here -> http://s3.amazonaws.com/snort-org/www/assets/166/snort_manual.pdf
>> 
>> section 2.2.19 Reputation Processor (pg. 118) then scroll down to the bottom of
>> page 119 and the top of page 120 for working examples... the default.whitelist
>> example does show plain IPs without any type of mask...
>> 
>> barring that, i've offered what i know and dug up from the docs ;)
>> 
>>> 
>>> 
>>> --------------------------------------------------------------------------------
>>> *From:* waldo kitty <wkitty42 at ...14940...>
>>> *To:* snort-users at lists.sourceforge.net
>>> *Sent:* Tuesday, April 9, 2013 12:44 PM
>>> *Subject:* Re: [Snort-users] Assistance with Blacklist
>>> 
>>> On 4/9/2013 10:30, Hannibal S. Jackson wrote:
>>>> I'm getting ERROR: c:\snort\rules\black_list.rules (4) Invalid configuration
>>>> line: 31.13.69.160
>>>> 
>>>> The only thing I have in my black_list.rules file is this:
>>>> 
>>>> # This is my black_list.rules file for www.facebook.com
>>>> 31.13.69.160/0
>>> 
>>> this is not a valid network address or CIDR mask... the address is a
>>> workstation/server address, though... you need to use a proper network address
>>> and CIDR mask...
>>> 
>>> in this case, the facebook network range is 31.13.64.0 - 31.13.127.255 so the
>>> proper mask would be 31.13.64.0/18
>>> 
>>> 
>>> IP Address : 31.13.64.0
>>> Address Class : Classless /18
>>> Network Address : 31.13.64.0
>>> 
>>> Subnet Address : 31.13.64.0
>>> Subnet Mask : 255.255.192.0
>>> Subnet bit mask : nnnnnnnn.nnnnnnnn.nnhhhhhh.hhhhhhhh
>>> Subnet Bits : 18
>>> Host Bits : 14
>>> Number of Subnets : 1
>>> Hosts per Subnet : 16382
>>> 
>>> Subnet : 31.13.64.0
>>> Mask : 255.255.192.0
>>> Subnet Size : 16382 Hosts
>>> Host Range : 31.13.64.1 to 31.13.127.254
>>> Broadcast : 31.13.127.255
> 
> 
> 
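
A small lint for a reputation white/black list that applies the points made in this thread, added here as an example and not code from Snort or from any of the posters: it rejects a /0 mask, reports a CIDR entry whose address is not on the block's boundary (31.13.69.160/18) together with the aligned form (31.13.64.0/18), accepts plain IPs, and summarises a block the way the subnet table quoted above does. The sample file contents are constructed from the entries discussed in the thread.

```python
import ipaddress
# Constructed sample (not a file from the thread): the poster's two lines plus
# extra entries that exercise each check the linter performs.
SAMPLE_BLACKLIST = """\
# This is my black_list.rules file for www.facebook.com
31.13.69.160/0
31.13.69.160
31.13.69.160/18
31.13.64.0/18
31.13.64.0/33
"""

def check_entry(line):
    """Classify one reputation-list line as (status, detail): 'comment' (nothing
    loaded), 'ok' (plain IP or CIDR on its own boundary), 'fix' (host bits set;
    detail is the aligned block) or 'error' (unparsable, or a /0 mask that
    would match every address)."""
    text = line.split("#", 1)[0].strip()          # '#' starts a comment
    if not text:
        return ("comment", None)
    try:
        net = ipaddress.ip_network(text, strict=False)   # tolerate host bits for now
    except ValueError:
        return ("error", f"not an IP address or CIDR block: {text!r}")
    if net.prefixlen == 0:
        return ("error", f"{text} has a /0 mask and would match every address")
    if text.split("/")[0] != str(net.network_address):
        return ("fix", net)            # e.g. 31.13.69.160/18 -> 31.13.64.0/18
    return ("ok", net)

def lint_blacklist(contents):
    """Run check_entry over a whole file; returns (line_no, status, detail) tuples."""
    report = []
    for lineno, line in enumerate(contents.splitlines(), start=1):
        status, detail = check_entry(line)
        if status != "comment":
            report.append((lineno, status, str(detail)))
    return report

def describe(net):
    """Summarise a block the way the subnet table quoted in the thread does."""
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
    return {"network": str(net.network_address), "mask": str(net.netmask),
            "broadcast": str(net.broadcast_address), "usable_hosts": usable}

if __name__ == "__main__":
    for lineno, status, detail in lint_blacklist(SAMPLE_BLACKLIST):
        print(f"line {lineno}: {status:5s} {detail}")
    print(describe(check_entry("31.13.64.0/18")[1]))
```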