[Snort-users] SNORT + PulledPork: FATAL ERROR: ... Invalid configuration line

RŌNIN correo.cuervo at ...11827...
Sat Dec 20 22:18:48 EST 2014


Hi everyone:

Checking my snort.conf file, I found this:

[root at ...17050... ~]# grep -ir "black" /etc/snort/snort.conf
#var BLACK_LIST_PATH ../rules
var BLACK_LIST_PATH /etc/snort/rules
  blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/blacklist.rules
[root at ...17050... ~]#

And checking my pulledpork.conf file, I found this:

[root at ...17050... ~]# grep -ir "black" /etc/snort/pulledpork.conf
# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
# This format MUST be followed to let pulledpork know that this is a blacklist
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
# want to tell pulledpork where your blacklist file lives, PP automagically will
black_list=/etc/snort/rules/blacklist.rules
# This should be the same path where your black_list lives!
[root at ...17050... ~]#

Checking the files:

[root at ...17050... ~]# file /etc/snort/rules/black_list.rules
/etc/snort/rules/black_list.rules: empty
[root at ...17050... ~]# file /etc/snort/rules/blacklist.rules
/etc/snort/rules/blacklist.rules: ASCII text
[root at ...17050... ~]#

Messages from console:

[root at ...17050... ~]# pulledpork.pl -vv -c /etc/snort/pulledpork.conf -T -l

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj at ...11827...
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug /etc/snort/pulledpork.conf
        snort_path = /usr/bin/snort
        enablesid = /etc/snort/enablesid.conf
        black_list = /etc/snort/rules/blacklist.rules
        modifysid = /etc/snort/modifysid.conf
        IPRVersion = /etc/snort/rules/iplists
        rule_path = /etc/snort/rules/snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        snort_control = /usr/bin/snort_control
        rule_url = ARRAY(0x21c5cc0)
        sid_msg_version = 1
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /etc/snort/rules/community-rules/sid-msg.map
        config_path = /etc/snort/snort.conf
        temp_path = /tmp
        distro = RHEL-6-0
        version = 0.7.0
        sorule_path = /usr/local/lib/snort_dynamicrules/
        disablesid = /etc/snort/disablesid.conf
        dropsid = /etc/snort/dropsid.conf
        out_path = /etc/snort/rules/
        local_rules = /etc/snort/rules/local.rules
MISC (CLI and Autovar) Variable Debug:
        arch Def is: x86-64
        Config Path is: /etc/snort/pulledpork.conf
        Distro Def is: RHEL-6-0
        Disabled policy specified
        local.rules path is: /etc/snort/rules/local.rules
        Rules file is: /etc/snort/rules/snort.rules
        Path to disablesid file: /etc/snort/disablesid.conf
        Path to dropsid file: /etc/snort/dropsid.conf
        Path to enablesid file: /etc/snort/enablesid.conf
        Path to modifysid file: /etc/snort/modifysid.conf
        sid changes will be logged to: /var/log/sid_changes.log
        sid-msg.map Output Path is: /etc/snort/rules/community-rules/sid-msg.map
        Snort Config File: /etc/snort/snort.conf
        Snort Path is: /usr/bin/snort
        Logging Flag is Set
        Text Rules only Flag is Set
        Extra Verbose Flag is Set
        Verbose Flag is Set
        Base URL is:
https://www.snort.org/reg-rules/|snortrules-snapshot-2970.tar.gz|{my_oink_code}
https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
https://www.snort.org/reg-rules/|opensource.gz|{my_oink_code}
Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
        Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/{my_oink_code}
==> SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
200 OK (1s)
        most recent rules file digest: 0db1354779ee27b47ea3dbb7134166e4
        current local rules file  digest: 0db1354779ee27b47ea3dbb7134166e4
        The MD5 for snortrules-snapshot-2970.tar.gz matched
0db1354779ee27b47ea3dbb7134166e4

Checking latest MD5 for community-rules.tar.gz....
        Fetching md5sum for: community-rules.tar.gz.md5
** GET https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz.md5
==> SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
200 OK (31s)
        most recent rules file digest: 89a79ead3145c225a3d85719d7e92629
        current local rules file  digest: a7a28cdd2326e06621241c863b40dd5d
        The MD5 for community-rules.tar.gz did not match the latest
digest... so I am gonna fetch the latest rules file!
Rules tarball download of community-rules.tar.gz....
        Fetching rules file: community-rules.tar.gz
** GET https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz
==> SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
200 OK (3s)
        storing file at: /tmp/community-rules.tar.gz

        current local rules file  digest: 89a79ead3145c225a3d85719d7e92629
        The MD5 for community-rules.tar.gz matched
89a79ead3145c225a3d85719d7e92629

IP Blacklist download of http://labs.snort.org/feeds/ip-filter.blf....
** GET http://labs.snort.org/feeds/ip-filter.blf ==> 200 OK (1s)
        Reading IP List...
Checking latest MD5 for opensource.gz....
        Fetching md5sum for: opensource.gz.md5
** GET https://www.snort.org/reg-rules/opensource.gz.md5/{my_oink_code}
==> SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
200 OK
        most recent rules file digest: 489712cc1f594ad03958473e8a4c00d0
        current local rules file  digest: 489712cc1f594ad03958473e8a4c00d0
        The MD5 for opensource.gz matched 489712cc1f594ad03958473e8a4c00d0

Prepping rules from opensource.gz for work....
        extracting contents of /tmp/opensource.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
Prepping rules from community-rules.tar.gz for work....
        extracting contents of /tmp/community-rules.tar.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
        Extracted: /tha_rules/Snort-Community-community.rules
Prepping rules from snortrules-snapshot-2970.tar.gz for work....
        extracting contents of /tmp/snortrules-snapshot-2970.tar.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
        Extracted: /tha_rules/VRT-indicator-compromise.rules
        Extracted: /tha_rules/VRT-file-executable.rules
        Extracted: /tha_rules/VRT-protocol-dns.rules
        Extracted: /tha_rules/VRT-shellcode.rules
        Extracted: /tha_rules/VRT-browser-chrome.rules
        Extracted: /tha_rules/VRT-icmp-info.rules
        Extracted: /tha_rules/VRT-os-solaris.rules
        Extracted: /tha_rules/VRT-server-oracle.rules
        Extracted: /tha_rules/VRT-multimedia.rules
        Extracted: /tha_rules/VRT-server-other.rules
        Extracted: /tha_rules/VRT-pua-adware.rules
        Extracted: /tha_rules/VRT-browser-ie.rules
        Extracted: /tha_rules/VRT-protocol-voip.rules
        Extracted: /tha_rules/VRT-protocol-ftp.rules
        Extracted: /tha_rules/VRT-blacklist.rules
        Extracted: /tha_rules/VRT-browser-firefox.rules
        Extracted: /tha_rules/VRT-web-client.rules
        Extracted: /tha_rules/VRT-specific-threats.rules
        Extracted: /tha_rules/VRT-web-misc.rules
        Extracted: /tha_rules/VRT-web-php.rules
        Extracted: /tha_rules/VRT-web-frontpage.rules
        Extracted: /tha_rules/VRT-browser-plugins.rules
        Extracted: /tha_rules/VRT-protocol-rpc.rules
        Extracted: /tha_rules/VRT-icmp.rules
        Extracted: /tha_rules/VRT-exploit.rules
        Extracted: /tha_rules/VRT-file-other.rules
        Extracted: /tha_rules/VRT-dns.rules
        Extracted: /tha_rules/VRT-file-image.rules
        Extracted: /tha_rules/VRT-protocol-icmp.rules
        Extracted: /tha_rules/VRT-p2p.rules
        Extracted: /tha_rules/VRT-malware-other.rules
        Extracted: /tha_rules/VRT-decoder.rules
        Extracted: /tha_rules/VRT-nntp.rules
        Extracted: /tha_rules/VRT-protocol-other.rules
        Extracted: /tha_rules/VRT-pua-toolbars.rules
        Extracted: /tha_rules/VRT-malware-cnc.rules
        Extracted: /tha_rules/VRT-attack-responses.rules
        Extracted: /tha_rules/VRT-server-mssql.rules
        Extracted: /tha_rules/VRT-info.rules
        Extracted: /tha_rules/VRT-sensitive-data.rules
        Extracted: /tha_rules/VRT-exploit-kit.rules
        Extracted: /tha_rules/VRT-dos.rules
        Extracted: /tha_rules/VRT-protocol-telnet.rules
        Extracted: /tha_rules/VRT-browser-other.rules
        Extracted: /tha_rules/VRT-malware-tools.rules
        Extracted: /tha_rules/VRT-file-flash.rules
        Extracted: /tha_rules/VRT-policy-multimedia.rules
        Extracted: /tha_rules/VRT-malware-backdoor.rules
        Extracted: /tha_rules/VRT-protocol-snmp.rules
        Extracted: /tha_rules/VRT-tftp.rules
        Extracted: /tha_rules/VRT-web-activex.rules
        Extracted: /tha_rules/VRT-pop3.rules
        Extracted: /tha_rules/VRT-server-webapp.rules
        Extracted: /tha_rules/VRT-server-mail.rules
        Extracted: /tha_rules/VRT-indicator-shellcode.rules
        Extracted: /tha_rules/VRT-protocol-services.rules
        Extracted: /tha_rules/VRT-server-mysql.rules
        Extracted: /tha_rules/VRT-browser-webkit.rules
        Extracted: /tha_rules/VRT-rpc.rules
        Extracted: /tha_rules/VRT-policy-social.rules
        Extracted: /tha_rules/VRT-spyware-put.rules
        Extracted: /tha_rules/VRT-os-windows.rules
        Extracted: /tha_rules/VRT-rservices.rules
        Extracted: /tha_rules/VRT-imap.rules
        Extracted: /tha_rules/VRT-finger.rules
        Extracted: /tha_rules/VRT-content-replace.rules
        Extracted: /tha_rules/VRT-os-mobile.rules
        Extracted: /tha_rules/VRT-sql.rules
        Extracted: /tha_rules/VRT-mysql.rules
        Extracted: /tha_rules/VRT-indicator-obfuscation.rules
        Extracted: /tha_rules/VRT-web-attacks.rules
        Extracted: /tha_rules/VRT-app-detect.rules
        Extracted: /tha_rules/VRT-bad-traffic.rules
        Extracted: /tha_rules/VRT-snmp.rules
        Extracted: /tha_rules/VRT-pua-p2p.rules
        Extracted: /tha_rules/VRT-backdoor.rules
        Extracted: /tha_rules/VRT-protocol-nntp.rules
        Extracted: /tha_rules/VRT-pua-other.rules
        Extracted: /tha_rules/VRT-smtp.rules
        Extracted: /tha_rules/VRT-protocol-imap.rules
        Extracted: /tha_rules/VRT-ddos.rules
        Extracted: /tha_rules/VRT-os-linux.rules
        Extracted: /tha_rules/VRT-policy.rules
        Extracted: /tha_rules/VRT-protocol-tftp.rules
        Extracted: /tha_rules/VRT-web-coldfusion.rules
        Extracted: /tha_rules/VRT-file-java.rules
        Extracted: /tha_rules/VRT-preprocessor.rules
        Extracted: /tha_rules/VRT-protocol-finger.rules
        Extracted: /tha_rules/VRT-file-office.rules
        Extracted: /tha_rules/VRT-ftp.rules
        Extracted: /tha_rules/VRT-netbios.rules
        Extracted: /tha_rules/VRT-protocol-pop.rules
        Extracted: /tha_rules/VRT-misc.rules
        Extracted: /tha_rules/VRT-file-pdf.rules
        Extracted: /tha_rules/VRT-policy-other.rules
        Extracted: /tha_rules/VRT-other-ids.rules
        Extracted: /tha_rules/VRT-telnet.rules
        Extracted: /tha_rules/VRT-oracle.rules
        Extracted: /tha_rules/VRT-pop2.rules
        Extracted: /tha_rules/VRT-os-other.rules
        Extracted: /tha_rules/VRT-chat.rules
        Extracted: /tha_rules/VRT-botnet-cnc.rules
        Extracted: /tha_rules/VRT-virus.rules
        Extracted: /tha_rules/VRT-voip.rules
        Extracted: /tha_rules/VRT-server-apache.rules
        Extracted: /tha_rules/VRT-x11.rules
        Extracted: /tha_rules/VRT-file-identify.rules
        Extracted: /tha_rules/VRT-protocol-scada.rules
        Extracted: /tha_rules/VRT-policy-spam.rules
        Extracted: /tha_rules/VRT-scan.rules
        Extracted: /tha_rules/VRT-web-cgi.rules
        Extracted: /tha_rules/VRT-server-samba.rules
        Extracted: /tha_rules/VRT-scada.rules
        Extracted: /tha_rules/VRT-indicator-scan.rules
        Extracted: /tha_rules/VRT-file-multimedia.rules
        Extracted: /tha_rules/VRT-web-iis.rules
        Extracted: /tha_rules/VRT-phishing-spam.rules
        Extracted: /tha_rules/VRT-server-iis.rules
        Reading rules...
        Reading rules...
Cleanup....
        removed 121 temporary snort files or directories from /tmp/tha_rules!
Writing Blacklist File /etc/snort/rules/blacklist.rules....
Writing Blacklist Version 845308515 to
/etc/snort/rules/iplistsIPRVersion.dat....
Modifying Sids....
        Done!
Processing /etc/snort/enablesid.conf....
        Modified 0 rules
        Done
Processing /etc/snort/dropsid.conf....
        Modified 0 rules
        Done
Processing /etc/snort/disablesid.conf....
        Modified 0 rules
        Done
Setting Flowbit State....
        Enabled 23 flowbits
        Done
Writing /etc/snort/rules/snort.rules....
        Done
Generating sid-msg.map....
        Done
Writing v1 /etc/snort/rules/community-rules/sid-msg.map....
        Done
Writing /var/log/sid_changes.log....
        Done
Rule Stats...
        New:-------46
        Deleted:---16
        Enabled Rules:----6302
        Dropped Rules:----0
        Disabled Rules:---16530
        Total Rules:------22832
IP Blacklist Stats...
        Total IPs:-----13809

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
[root at ...17050... ~]# service snortd start
Starting snort:                                            [FAILED]
[root at ...17050... ~]# tail -f /var/log/messages
Dec 20 21:58:22 centos6 snort[1304]:
Dec 20 21:58:22 centos6 snort[1304]: PortVar 'GTP_PORTS' defined :
Dec 20 21:58:22 centos6 snort[1304]:  [ 2123 2152 3386 ]
Dec 20 21:58:22 centos6 snort[1304]:
Dec 20 21:58:22 centos6 snort[1304]: Detection:
Dec 20 21:58:22 centos6 snort[1304]:    Search-Method = AC-Full-Q
Dec 20 21:58:22 centos6 snort[1304]:     Split Any/Any group = enabled
Dec 20 21:58:22 centos6 snort[1304]:     Search-Method-Optimizations = enabled
Dec 20 21:58:22 centos6 snort[1304]:     Maximum pattern length = 20
Dec 20 21:58:22 centos6 snort[1304]: FATAL ERROR:
/etc/snort/rules/blacklist.rules(1) Invalid configuration line:
1.120.215.97#012


What's wrong here?


Thanks for your help.
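The FATAL ERROR at the end of the post is Snort's rules parser choking on a file of bare IP addresses: `include $RULE_PATH/blacklist.rules` feeds the PulledPork-generated IP list (`black_list=/etc/snort/rules/blacklist.rules`) to the rules parser, while the reputation preprocessor's `blacklist` directive points at a different, empty file (`black_list.rules`). The check below, added here and not code from the post or from the Snort/PulledPork projects, audits that wiring; the config excerpts and the two-address IP list are constructed stand-ins for the files quoted above.

```python
import re

# Constructed excerpts mirroring the configs quoted in the post (sample input, not the real files).
SNORT_CONF = """\
var RULE_PATH /etc/snort/rules
#var BLACK_LIST_PATH ../rules
var BLACK_LIST_PATH /etc/snort/rules
preprocessor reputation: \\
  blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/blacklist.rules
"""
PULLEDPORK_CONF = "black_list=/etc/snort/rules/blacklist.rules\n"
# Constructed stand-in for what PulledPork writes: one address per line, no rule syntax.
FILES = {"/etc/snort/rules/blacklist.rules": "1.120.215.97\n1.120.215.98\n"}
IP_LINE = re.compile(r"^\s*\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\s*$")

def snort_vars(conf):
    """'var NAME VALUE' definitions; commented-out '#var' lines are skipped."""
    return dict(re.findall(r"^\s*var\s+(\S+)\s+(\S+)", conf, re.M))

def expand(path, variables):
    # Substitute $NAME with the snort.conf value, leaving unknown names intact.
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), path)

def directive_paths(conf, keyword, variables):
    """Expanded path operands of every uncommented 'keyword <path>' line."""
    found = re.findall(rf"^\s*{keyword}\s+(\S+)", conf, re.M)
    return [expand(p, variables) for p in found]

def pulledpork_black_list(conf):
    m = re.search(r"^\s*black_list\s*=\s*(\S+)", conf, re.M)
    return m.group(1) if m else None

def looks_like_ip_list(text):
    """True when every non-comment, non-blank line is a bare IP or CIDR."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return bool(lines) and all(IP_LINE.match(l) for l in lines)

def audit(snort_conf, pulledpork_conf, files):
    """Return findings as strings; an empty list means the IP list is wired up consistently."""
    v = snort_vars(snort_conf)
    pp = pulledpork_black_list(pulledpork_conf)
    rep = directive_paths(snort_conf, "blacklist", v)
    findings = []
    if pp and pp not in rep:
        findings.append(f"pulledpork writes IPs to {pp}, reputation blacklist reads {rep}")
    for inc in directive_paths(snort_conf, "include", v):
        if inc == pp or looks_like_ip_list(files.get(inc, "")):
            findings.append(f"{inc} is a bare IP list but is loaded with 'include'")
    return findings
```

Run against the post's configuration it reports both problems; pointing the reputation `blacklist` directive at the PulledPork output and dropping the `include` of that file clears them.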
