[Snort-users] SNORT + PulledPork: FATAL ERROR: ... Invalid configuration line

Jeremy Hoel jthoel at ...11827...
Fri Dec 19 22:51:36 EST 2014


The last line in the error messages points to the issue.  You have a
problem with the file blacklist.rules.  snort.conf is set to read that file
and if you're not using it you should remove it from the snort.conf.

On Dec 19, 2014 8:40 PM, "RŌNIN" <correo.cuervo at ...11827...> wrote:

> I have installed SNORT following this how-to:
> http://blog.globaldyne.co.uk/installing-snort-on-centos-6-6-64bit/ and
> everything goes fine.
>
> Afterwards, I followed this how-to (step by step):
>
> http://blog.globaldyne.co.uk/install-pulledpork-and-barnyard2-for-snort-on-centos-6-6-64bit/
> but when I try to start it, SNORT fails.
>
> Last messages from my tries:
>
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server key exchange A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:SSLv3 read server session ticket A
> SSL_connect:SSLv3 read finished A
> 200 OK (4s)
>         most recent rules file digest: 489712cc1f594ad03958473e8a4c00d0
>         current local rules file  digest: 489712cc1f594ad03958473e8a4c00d0
>         The MD5 for opensource.gz matched 489712cc1f594ad03958473e8a4c00d0
>
> Cleanup....
>         removed 0 temporary snort files or directories from /tmp/tha_rules!
> Writing Blacklist File /etc/snort/rules/blacklist.rules....
> Writing Blacklist Version 909586785 to
> /etc/snort/rules/iplistsIPRVersion.dat....
> Writing /var/log/sid_changes.log....
>         Done
>
> No Rule Changes
>
> IP Blacklist Stats...
>         Total IPs:-----13771
>
> Done
> Please review /var/log/sid_changes.log for additional details
> Fly Piggy Fly!
> [root at ...17050... ~]# service snortd start
> Starting snort:                                            [FAILED]
>
> [root at ...17050... ~]#
>
> Check the last messages:
>
> [root at ...17050... ~]# tail -f /var/log/messages
> Dec 19 21:39:18 snortest snort[17305]:
> Dec 19 21:39:18 snortest snort[17305]: PortVar 'GTP_PORTS' defined :
> Dec 19 21:39:18 snortest snort[17305]:  [ 2123 2152 3386 ]
> Dec 19 21:39:18 snortest snort[17305]:
> Dec 19 21:39:18 snortest snort[17305]: Detection:
> Dec 19 21:39:18 snortest snort[17305]:    Search-Method = AC-Full-Q
> Dec 19 21:39:18 snortest snort[17305]:     Split Any/Any group = enabled
> Dec 19 21:39:18 snortest snort[17305]:     Search-Method-Optimizations =
> enabled
> Dec 19 21:39:18 snortest snort[17305]:     Maximum pattern length = 20
> Dec 19 21:39:18 snortest snort[17305]: FATAL ERROR:
> /etc/snort/rules/blacklist.rules(1) Invalid configuration line:
> 1.120.215.97#012
>
> What's wrong here?
>
> --
> I don't receive / send information developed in / for M$ -Word, M$
> -Excel, M$ -PowerPoint, M$ -Outlook or similar proprietary formats. I
> invite you to read my reasons:
> http://www.gnu.org/philosophy/no-word-attachments.en.html
>
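An added example, not part of the thread and not code from the Snort or PulledPork projects: a Python check that walks the `include` lines of a snort.conf and reports any included file whose first entry is a bare IP address, which is the condition behind the `Invalid configuration line: 1.120.215.97` error quoted above. The sample config, the file contents and the helper name `ip_list_includes` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a snort.conf fragment and the files it includes.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/blacklist.rules
"""
SAMPLE_FILES = {
    "/etc/snort/rules/local.rules":
        '# local\nalert icmp any any -> any any (msg:"ping"; sid:1000001;)\n',
    "/etc/snort/rules/blacklist.rules": "1.120.215.97\n192.0.2.0/24\n",
}

def read_path(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def is_ip_entry(text):
    """True when the line is nothing but an IP address or CIDR block."""
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False

def ip_list_includes(conf_text, read_file=read_path):
    """Return (path, line_number, text) for each include whose first
    non-comment line is a bare IP entry, i.e. an IP list, not rules."""
    variables, hits = {}, []
    for line in conf_text.splitlines():
        var = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        inc = re.match(r"\s*include\s+(\S+)", line)
        if var:
            variables[var.group(1)] = var.group(2)
        if not inc:
            continue
        path = re.sub(r"\$(\w+)",
                      lambda m: variables.get(m.group(1), m.group(0)),
                      inc.group(1))
        try:
            body = read_file(path)
        except (OSError, KeyError):  # missing file: Snort reports that itself
            continue
        for number, text in enumerate(body.splitlines(), 1):
            text = text.strip()
            if text and not text.startswith("#"):
                if is_ip_entry(text):
                    hits.append((path, number, text))
                break
    return hits
```

Against a live system, call `ip_list_includes(read_path("/etc/snort/snort.conf"))`; each hit names the file and line in the same `path(line)` position Snort prints in its fatal error.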