[Snort-users] Assistance with Blacklist

waldo kitty wkitty42 at ...14940...
Wed Apr 10 07:33:47 EDT 2013


On 4/10/2013 06:49, Hannibal S. Jackson wrote:
> Thanks, I figured it out. I appreciate everyone's help. The error wasn't the
> black_list.rules file, it was actually in the snort.conf. In Step 5, where I
> enabled the reputation preprocessor, I also uncommented the include line in Step
> 7. Once I commented out the include line in Step 7, it worked. Didn't know that
> having both uncommented would cause an issue. Although the error kept pointing
> to the black_list.rules it was actually the snort.conf. Thanks again for all of
> the help.

ahhh! that means that someone has the file(s) named incorrectly... the VRT rules 
set comes with a file named blacklist.rules... this is /not/ the same as 
default.blacklist as used in the reputation processor examples... if one were to 
use their own filenames, i would go with black.list for the reputation 
preprocessor... in this way, you know without having to look too far that this 
is a list whereas the *.rules files are... well... rules ;)

i note also that the location of the default.blacklist and default.whitelist is 
different than the *.rules files in most of the examples... the rules are in 
some/where/rules whereas other config related files are found elsewhere... maybe 
in /etc/snort or even /etc directly...

which reminds me... i need to get a copy of the latest sample snort.conf from 
VRT and update the one i've been using for my snorts... ugh, what a nasty job 
that is going to be :/

> --------------------------------------------------------------------------------
> *From:* waldo kitty <wkitty42 at ...14940...>
> *To:* snort-users at lists.sourceforge.net
> *Sent:* Tuesday, April 9, 2013 8:15 PM
> *Subject:* Re: [Snort-users] Assistance with Blacklist
>
> On 4/9/2013 15:57, Hannibal S. Jackson wrote:
>  > I didn't try to verify yet b/c I can't get snort to run properly, it exits when
>  > it's starting up because it's having an issue with that line in the
>  > black_list.rules file. If I comment the white and black lists out in the
>  > snort.conf, snort starts just fine.
>
> please provide...
>
> 1. the error message from the log file
> 2. the contents of your blacklist file
> 3. the reputation processor lines from your snort.conf file
> 4. the results of "snort -V" without the quotes
>
> i think that will handle it...
>
>  > --------------------------------------------------------------------------------
>  > *From:* waldo kitty <wkitty42 at ...14940...>
>  > *To:* Hannibal S. Jackson <hannibaljackson at ...131...>; snort-users at lists.sourceforge.net
>  > *Sent:* Tuesday, April 9, 2013 2:31 PM
>  > *Subject:* Re: [Snort-users] Assistance with Blacklist
>  >
>  >
>  >
>  > On 4/9/2013 12:59, Hannibal S. Jackson wrote:
>  > > So you have to use a CIDR notation?
>  >
>  > i don't know... your post used an invalid CIDR notation so i took an eWAG and
>  > figured that you were wanting to block the entire network that that IP belongs
>  > to... a quick lookup showed that it belongs to facebook so i continued with the
>  > eWAG and guessed that the entire network was what you were wanting to block...
>  > you can't start a CIDR entry in the middle of the netblock, TTBOMK... you have
>  > to list it with the network's address... 31.13.64.0 in this case...
>  >
>  > > It's for a class and he just wanted to see
>  > > if we could get it working. Obviously facebook has a bunch of IP's; however, I
>  > > tried to put just the IP in the file without the CIDR mask and it didn't work.
>  >
>  > what didn't work? accessing that IP? how did you try to verify it? did you try
>  > going to facebook and you were successful? this may be problematic because the
>  > browser may have had the page cached and pulled it from there OR the DNS may
>  > have given you another IP for facebook...
>  >
>  > > The examples I found online showed some with it and some without it. I tried /0
>  > > /8 /16 and then gave up. Thanks, I'll try that when I get back to my machine.
>  >
>  > start here -> http://s3.amazonaws.com/snort-org/www/assets/166/snort_manual.pdf
>  >
>  > section 2.2.19 Reputation Processor (pg. 118) then scroll down to the bottom of
>  > page 119 and the top of page 120 for working examples... the default.whitelist
>  > example does show plain IPs without any type of mask...
>  >
>  > barring that, i've offered what i know and dug up from the docs ;)
>  >
>  > >
>  > >
>  > >
>  > > --------------------------------------------------------------------------------
>  > > *From:* waldo kitty <wkitty42 at ...14940...>
>  > > *To:* snort-users at lists.sourceforge.net
>  > > *Sent:* Tuesday, April 9, 2013 12:44 PM
>  > > *Subject:* Re: [Snort-users] Assistance with Blacklist
>  > >
>  > > On 4/9/2013 10:30, Hannibal S. Jackson wrote:
>  > > > I'm getting ERROR: c:\snort\rules\black_list.rules (4) Invalid configuration
>  > > > line: 31.13.69.160
>  > > >
>  > > > The only thing I have in my black_list.rules file is this:
>  > > >
>  > > > # This is my black_list.rules file for www.facebook.com
>  > > > 31.13.69.160/0
>  > >
>  > > this is not a valid network address or CIDR mask... the address is a
>  > > workstation/server address, though... you need to use a proper network address
>  > > and CIDR mask...
>  > >
>  > > in this case, the facebook network range is 31.13.64.0 - 31.13.127.255 so the
>  > > proper mask would be 31.13.64.0/18
>  > >
>  > >
>  > > IP Address : 31.13.64.0
>  > > Address Class : Classless /18
>  > > Network Address : 31.13.64.0
>  > >
>  > > Subnet Address : 31.13.64.0
>  > > Subnet Mask : 255.255.192.0
>  > > Subnet bit mask : nnnnnnnn.nnnnnnnn.nnhhhhhh.hhhhhhhh
>  > > Subnet Bits : 18
>  > > Host Bits : 14
>  > > Number of Subnets : 1
>  > > Hosts per Subnet : 16382
>  > >
>  > > Subnet : 31.13.64.0
>  > > Mask : 255.255.192.0
>  > > Subnet Size : 16382 Hosts
>  > > Host Range : 31.13.64.1 to 31.13.127.254
>  > > Broadcast : 31.13.127.255
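As an added example (not part of this thread, and not Snort's own parser), the Python script below applies the checks the thread arrives at to a constructed copy of the quoted black_list.rules and a constructed snort.conf fragment: it rejects a /0 prefix, flags a CIDR entry that starts in the middle of its netblock and suggests the network address (31.13.69.160/18 becomes 31.13.64.0/18), reproduces the subnet breakdown quoted above for 31.13.64.0/18, and reports a file that is named both as a reputation preprocessor list and in an `include` line, which is the snort.conf mistake found at the top of the thread. The sample list, the conf text and the path variables in it are constructed for the example; the rules applied are the ones stated in the thread, not Snort's own validation logic.

```python
"""Sanity checks for Snort reputation preprocessor IP lists (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the black_list.rules quoted in the thread.
SAMPLE_BLACKLIST = """\
# This is my black_list.rules file for www.facebook.com
31.13.69.160/0
31.13.69.160/18
31.13.69.160
31.13.64.0/18
"""

# Constructed snort.conf fragment reproducing the thread's mistake: the same
# file named in the reputation preprocessor (Step 5) and in an include (Step 7).
SAMPLE_CONF = """\
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   nested_ip inner, \\
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/local.rules
include $RULE_PATH/black_list.rules
"""


def check_entry(entry: str) -> Tuple[str, str]:
    """Classify one list entry as 'ok', 'invalid' or 'host-bits' (with a fix)."""
    try:
        loose = ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        return "invalid", str(exc)
    if loose.prefixlen == 0:
        return "invalid", "a /0 prefix covers every address; use the real network prefix"
    try:
        ipaddress.ip_network(entry, strict=True)
    except ValueError:
        # Host bits are set: the entry starts mid-netblock, so suggest the network address.
        return "host-bits", f"use {loose.with_prefixlen}"
    return "ok", loose.with_prefixlen


def audit_list(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line number, entry, status, detail) for every non-comment line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if entry:
            status, detail = check_entry(entry)
            findings.append((lineno, entry, status, detail))
    return findings


def describe_network(cidr: str) -> Dict[str, object]:
    """Reproduce the subnet breakdown quoted in the thread for a network address."""
    net = ipaddress.ip_network(cidr)  # strict: raises if host bits are set
    host_bits = net.max_prefixlen - net.prefixlen
    bits = "n" * net.prefixlen + "h" * host_bits
    if host_bits <= 1:  # /31 and /32 have no reserved network/broadcast addresses
        usable, first, last = net.num_addresses, net.network_address, net.broadcast_address
    else:
        usable = net.num_addresses - 2
        first, last = net.network_address + 1, net.broadcast_address - 1
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "bit_mask": ".".join(bits[i:i + 8] for i in range(0, len(bits), 8)),
        "subnet_bits": net.prefixlen,
        "host_bits": host_bits,
        "hosts": usable,
        "host_range": f"{first} to {last}",
        "broadcast": str(net.broadcast_address),
    }


def find_double_references(conf: str) -> List[str]:
    """File names used both as a reputation list and in an `include` line."""
    folded = re.sub(r"\\\s*\n\s*", " ", conf)  # join '\'-continued preprocessor lines
    lists, includes = set(), set()
    for line in folded.splitlines():
        line = " ".join(line.replace(",", " ").split())
        if line.startswith("preprocessor reputation:"):
            # 'priority whitelist' is a mode keyword, not a file; skip it via lookbehind.
            for path in re.findall(r"(?<!priority )\b(?:whitelist|blacklist) (\S+)", line):
                lists.add(path.rsplit("/", 1)[-1])
        elif line.startswith("include "):
            includes.add(line.split(None, 1)[1].rsplit("/", 1)[-1])
    # Compared by file name only: different path variables may still resolve to one file.
    return sorted(lists & includes)


if __name__ == "__main__":
    for lineno, entry, status, detail in audit_list(SAMPLE_BLACKLIST):
        print(f"line {lineno}: {entry:<18} {status:<9} {detail}")
    for key, value in describe_network("31.13.64.0/18").items():
        print(f"{key:<12}: {value}")
    print("double references:", find_double_references(SAMPLE_CONF))
```

Run it against a real list by replacing the constructed samples with the contents of the list file and snort.conf; the audit reports each offending line number, which is the same line number Snort's "Invalid configuration line" error quotes.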