[Snort-users] SNORT + PulledPork: FATAL ERROR: ... Invalid configuration line

waldo kitty wkitty42 at ...14940...
Sat Dec 20 23:09:57 EST 2014

On 12/20/2014 10:18 PM, RŌNIN wrote:
> Hi to everyone:
> Checking my snort.conf file, I found this:
> [root at ...17050... ~]# grep -ir "black" /etc/snort/snort.conf
> #var BLACK_LIST_PATH ../rules
> var BLACK_LIST_PATH /etc/snort/rules
>    blacklist $BLACK_LIST_PATH/black_list.rules

note the above!

> include $RULE_PATH/blacklist.rules
> [root at ...17050... ~]#
> And checking my pulledpork.conf file, I found this:
> root at ...17050... ~]# grep -ir "black" /etc/snort/pulledpork.conf
> # NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
> # This format MUST be followed to let pulledpork know that this is a blacklist
> rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
> # want to tell pulledpork where your blacklist file lives, PP automagically will
> black_list=/etc/snort/rules/blacklist.rules

right there is the problem... if i'm reading the excerpts correctly, this should 
be black_list.rules...

FWIW: this type of confusion due to the names being too similar is why i 
advocated a while back that the reputation black list (and white list) names be 
very distinctive... they are still (IMHO) much too close... at that time, i 
advocated that the reputation processor files be named something more indicative 
of their use... rep_black.lst rep_white.lst or something similar... the main 
part being the inclusion of "rep" or even "rpp" for reputation pre-processor and 
possibly even .lst for list since they are just a list of IPs and not rules as 
seen in the textual rules files...

  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
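
A consistency check for the mismatch pointed out in the reply above, as an added example that is not part of the original post: it expands the `var` definitions in snort.conf, then compares the reputation `blacklist` path and the `include` lines against PulledPork's `black_list=` target. The config text is constructed from the thread's excerpts; the `RULE_PATH` value, the `preprocessor reputation` wrapper line, and the function names are assumptions.

```python
import posixpath
import re

# Constructed sample input based on the excerpts quoted in the thread.
# Assumptions: the RULE_PATH value and the "preprocessor reputation" wrapper line.
SNORT_CONF = """\
var RULE_PATH /etc/snort/rules
#var BLACK_LIST_PATH ../rules
var BLACK_LIST_PATH /etc/snort/rules
preprocessor reputation: \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/blacklist.rules
"""
PULLEDPORK_CONF = """\
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
black_list=/etc/snort/rules/blacklist.rules
"""

def parse_snort_conf(text):
    """Return (reputation blacklist files, included files) with $VARs expanded."""
    variables, blacklists, includes = {}, [], []
    def expand(value):
        value = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)
        return posixpath.normpath(value.rstrip(",\\"))
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out settings
        var = re.match(r"(?:var|ipvar|portvar)\s+(\w+)\s+(\S+)", line)
        inc = re.match(r"include\s+(\S+)", line)
        rep = re.search(r"\bblacklist\s+(\S+)", line)
        if var:
            variables[var.group(1)] = expand(var.group(2))
        elif inc:
            includes.append(expand(inc.group(1)))
        elif rep:
            blacklists.append(expand(rep.group(1)))
    return blacklists, includes

def check(snort_text, pulledpork_text):
    """List mismatches between PulledPork's black_list= target and snort.conf."""
    blacklists, includes = parse_snort_conf(snort_text)
    m = re.search(r"^\s*black_list\s*=\s*(\S+)", pulledpork_text, re.M)
    if not m:
        return ["pulledpork.conf has no black_list= setting"]
    target, findings = posixpath.normpath(m.group(1)), []
    if target not in blacklists:
        findings.append(f"black_list={target} is not a reputation blacklist file {blacklists}")
    if target in includes:
        findings.append(f"{target} is also an 'include' file, so the IP list would be parsed as rules")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SNORT_CONF, PULLEDPORK_CONF)) or "consistent")
```

Run against the real files by passing their contents to `check()`; an empty list means PulledPork writes the IP list to the file the reputation preprocessor reads.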
