[Snort-users] Assistance with Blacklist

Joel Esler jesler at ...1935...
Wed Apr 10 08:22:37 EDT 2013


I'll fix this when we push the new version of pulledpork. 

--
Joel Esler
Sent from my iPhone 

On Apr 10, 2013, at 7:33 AM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 4/10/2013 06:49, Hannibal S. Jackson wrote:
>> Thanks, I figured it out. I appreciate everyone's help. The error wasn't the
>> black_list.rules file, it was actually in the snort.conf. In Step 5, where I
>> enabled the reputation preprocessor, I also uncommented the include line in Step
>> 7. Once I commented out the include line in Step 7, it worked. Didn't know that
>> having both uncommented would cause an issue. Although the error kept pointing
>> to the black_list.rules it was actually the snort.conf. Thanks again for all of
>> the help.
> 
> ahhh! that means that someone has the file(s) named incorrectly... the VRT rules 
> set comes with a file named blacklist.rules... this is /not/ the same as 
> default.blacklist as used in the reputation processor examples... if one were to 
> use their own filenames, i would go with black.list for the reputation 
> preprocessor... in this way, you know without having to look too far that this 
> is a list whereas the *.rules files are... well... rules ;)
> 
> i note also that the location of the default.blacklist and default.whitelist is 
> different than the *.rules files in most of the examples... the rules are in 
> some/where/rules whereas other config related files are found elsewhere... maybe 
> in /etc/snort or even /etc directly...
> 
> which reminds me... i need to get a copy of the latest sample snort.conf from 
> VRT and update the one i've been using for my snorts... ugh, what a nasty job 
> that is going to be :/
> 
>> --------------------------------------------------------------------------------
>> *From:* waldo kitty <wkitty42 at ...14940...>
>> *To:* snort-users at lists.sourceforge.net
>> *Sent:* Tuesday, April 9, 2013 8:15 PM
>> *Subject:* Re: [Snort-users] Assistance with Blacklist
>> 
>> On 4/9/2013 15:57, Hannibal S. Jackson wrote:
>>> I didn't try to verify yet b/c I can't get snort to run properly, it exits when
>>> it's starting up because it's having an issue with that line in the
>>> black_list.rules file. If I comment the white and black lists out in the
>>> snort.conf, snort starts just fine.
>> 
>> please provide...
>> 
>> 1. the error message from the log file
>> 2. the contents of your blacklist file
>> 3. the reputation processor lines from your snort.conf file
>> 4. the results of "snort -V" without the quotes
>> 
>> i think that will handle it...
>> 
>>> --------------------------------------------------------------------------------
>>> *From:* waldo kitty <wkitty42 at ...14940...>
>>> *To:* Hannibal S. Jackson <hannibaljackson at ...131...>;
>>> "snort-users at lists.sourceforge.net" <snort-users at ...3471...ge.net>
>>> *Sent:* Tuesday, April 9, 2013 2:31 PM
>>> *Subject:* Re: [Snort-users] Assistance with Blacklist
>>> 
>>> 
>>> 
>>> On 4/9/2013 12:59, Hannibal S. Jackson wrote:
>>>> So you have to use a CIDR notation?
>>> 
>>> i don't know... your post used an invalid CIDR notation so i took an eWAG and
>>> figured that you were wanting to block the entire network that that IP belongs
>>> to... a quick lookup showed that it belongs to facebook so i continued with the
>>> eWAG and guessed that the entire network was what you were wanting to block...
>>> you can't start a CIDR entry in the middle of the netblock, TTBOMK... you have
>>> to list it with the network's address... 31.13.64.0 in this case...
>>> 
>>>> It's for a class and he just wanted to see
>>>> if we could get it working. Obviously facebook has a bunch of IP's; however, I
>>>> tried to put just the IP in the file without the CIDR mask and it didn't work.
>>> 
>>> what didn't work? accessing that IP? how did you try to verify it? did you try
>>> going to facebook and you were successful? this may be problematic because the
>>> browser may have had the page cached and pulled it from there OR the DNS may
>>> have given you another IP for facebook...
>>> 
>>>> The examples I found online showed some with it and some without it. I tried /0
>>>> /8 /16 and then gave up. Thanks, I'll try that when I get back to my machine.
>>> 
>>> start here -> http://s3.amazonaws.com/snort-org/www/assets/166/snort_manual.pdf
>>> 
>>> section 2.2.19 Reputation Processor (pg. 118) then scroll down to the bottom of
>>> page 119 and the top of page 120 for working examples... the default.whitelist
>>> example does show plain IPs without any type of mask...
>>> 
>>> barring that, i've offered what i know and dug up from the docs ;)
>>> 
>> --------------------------------------------------------------------------------
>>>> *From:* waldo kitty <wkitty42 at ...14940...>
>>>> *To:* snort-users at lists.sourceforge.net
>>>> *Sent:* Tuesday, April 9, 2013 12:44 PM
>>>> *Subject:* Re: [Snort-users] Assistance with Blacklist
>>>> 
>>>> On 4/9/2013 10:30, Hannibal S. Jackson wrote:
>>>>> I'm getting ERROR: c:\snort\rules\black_list.rules (4) Invalid configuration
>>>>> line: 31.13.69.160
>>>>> 
>>>>> The only thing I have in my black_list.rules file is this:
>>>>> 
>>>>> # This is my black_list.rules file for www.facebook.com
>>>>> 31.13.69.160/0
>>>> 
>>>> this is not a valid network address or CIDR mask... the address is a
>>>> workstation/server address, though... you need to use a proper network address
>>>> and CIDR mask...
>>>> 
>>>> in this case, the facebook network range is 31.13.64.0 - 31.13.127.255 so the
>>>> proper mask would be 31.13.64.0/18
>>>> 
>>>> 
>>>> IP Address : 31.13.64.0
>>>> Address Class : Classless /18
>>>> Network Address : 31.13.64.0
>>>> 
>>>> Subnet Address : 31.13.64.0
>>>> Subnet Mask : 255.255.192.0
>>>> Subnet bit mask : nnnnnnnn.nnnnnnnn.nnhhhhhh.hhhhhhhh
>>>> Subnet Bits : 18
>>>> Host Bits : 14
>>>> Number of Subnets : 1
>>>> Hosts per Subnet : 16382
>>>> 
>>>> Subnet : 31.13.64.0
>>>> Mask : 255.255.192.0
>>>> Subnet Size : 16382 Hosts
>>>> Host Range : 31.13.64.1 to 31.13.127.254
>>>> Broadcast : 31.13.127.255
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
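The two points the thread circles around are (a) that a CIDR entry has to name the network address rather than a host inside the block (31.13.69.160/0 was rejected, 31.13.64.0/18 is the enclosing block) and (b) the subnet-calculator figures waldo kitty pasted for 31.13.64.0/18. Below is an added example that is not part of the thread and is not Snort's own list parser: a small Python checker that applies the strict convention waldo kitty describes to a list file and prints the same subnet breakdown. The sample file, the function names and the decision to reject a /0 entry outright are all this example's own choices; whether Snort itself masks off host bits or rejects them is not something the example claims.

```python
"""Strict checker for reputation-preprocessor style IP list files.

Example code added alongside the Snort-users thread; it is NOT Snort's
parser.  It applies the rule stated in the thread: a bare IP is accepted,
and a CIDR entry must name the network address (all host bits zero), so
31.13.69.160/0 is rejected while 31.13.64.0/18 is accepted.
"""
import ipaddress

# Constructed sample, modelled on the posted black_list.rules (one comment
# line, a blank, then the rejected entry) with extra entries added here to
# exercise every branch.  Line numbers in the results refer to this text.
SAMPLE_BLACKLIST = """\
# This is my black_list.rules file for www.facebook.com

31.13.69.160/0
31.13.64.0/18
31.13.69.160
31.13.69.160/32
31.13.69.160/18
not-an-ip
"""


def check_entry(entry):
    """Return (True, "a.b.c.d/n") for a usable entry, else (False, reason).

    A bare address is normalised to a host entry (/32 for IPv4, /128 for
    IPv6).  A CIDR entry must sit on its network boundary; if it does not,
    the reason names the aligned block so the operator can fix the line.
    """
    entry = entry.strip()
    try:
        if "/" not in entry:
            addr = ipaddress.ip_address(entry)
            return True, f"{addr}/{addr.max_prefixlen}"
        # strict=False masks the host bits off instead of raising, so we
        # can compare what was written against the aligned network.
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        return False, f"not an IP address or CIDR block ({exc})"

    if net.prefixlen == 0:
        # A /0 matches every address; this example treats that as a typo
        # rather than a deliberate block-everything entry (policy choice).
        return False, "prefix /0 would match every address"

    written = ipaddress.ip_address(entry.split("/")[0])
    if written != net.network_address:
        return False, (f"{written} is not a network address; "
                       f"use {net.with_prefixlen} for the enclosing block")
    return True, net.with_prefixlen


def check_file(text):
    """Check every entry line; lines starting with '#' and blanks are skipped.

    Returns a list of (line_number, ok, detail) tuples, one per entry.
    """
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        ok, detail = check_entry(body)
        results.append((lineno, ok, detail))
    return results


def describe_network(cidr):
    """Subnet-calculator view of an aligned block (raises if misaligned)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen >= net.max_prefixlen - 1:
        # /31 and /32 (or /127, /128): every address is a host address.
        usable = net.num_addresses
        first, last = net.network_address, net.broadcast_address
    else:
        usable = net.num_addresses - 2          # minus network and broadcast
        first = net.network_address + 1
        last = net.broadcast_address - 1
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "host_bits": net.max_prefixlen - net.prefixlen,
        "first_host": str(first),
        "last_host": str(last),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    for lineno, ok, detail in check_file(SAMPLE_BLACKLIST):
        print(f"line {lineno}: {'ok   ' if ok else 'ERROR'} {detail}")
    for key, value in describe_network("31.13.64.0/18").items():
        print(f"{key:>13}: {value}")
```

Run it as-is and the third line of the sample (31.13.69.160/0) is reported as an error, the host-inside-a-block entry 31.13.69.160/18 is reported with 31.13.64.0/18 as the suggested replacement, and the breakdown for 31.13.64.0/18 gives mask 255.255.192.0, hosts 31.13.64.1 to 31.13.127.254, broadcast 31.13.127.255 and 16382 usable hosts, matching the figures quoted in the thread.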