[Snort-users] SNORT + PulledPork: FATAL ERROR: ... Invalid configuration line
wkitty42 at ...14940...
Sat Dec 20 23:09:57 EST 2014
On 12/20/2014 10:18 PM, RŌNIN wrote:
> Hi to everyone:
> Checking my snort.conf file, I found this:
> [root at ...17050... ~]# grep -ir "black" /etc/snort/snort.conf
> #var BLACK_LIST_PATH ../rules
> var BLACK_LIST_PATH /etc/snort/rules
> blacklist $BLACK_LIST_PATH/black_list.rules
note the above!
> include $RULE_PATH/blacklist.rules
> [root at ...17050... ~]#
> And checking my pulledpork.conf file, I found this:
> root at ...17050... ~]# grep -ir "black" /etc/snort/pulledpork.conf
> # NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
> # This format MUST be followed to let pulledpork know that this is a blacklist
> # want to tell pulledpork where your blacklist file lives, PP automagically will
right there is the problem... if i'm reading the excerpts correctly, this should
FWIW: this type of confusion due to the names being too similar is why i
advocated a while back that the reputation black list (and white list) names be
very distinctive... they are still (IMHO) much too close... at that time, i
advocated that the reputation processor files be named something more indicative
of their use... rep_black.lst rep_white.lst or something similar... the main
part being the inclusion of "rep" or even "rpp" for reputation pre-processor and
possibly even .lst for list since they are just a list of IPs and not rules as
seen in the textual rules files...
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
More information about the Snort-users