[Snort-users] SNORT + PulledPork: FATAL ERROR: ... Invalid configuration line

RŌNIN correo.cuervo at ...11827...
Sun Dec 21 08:30:29 EST 2014


Hi everyone:

I've changed the snort.conf file:

[root at ...17050... ~]# grep -ir "black" /etc/snort/snort.conf
#var BLACK_LIST_PATH ../rules
var BLACK_LIST_PATH /etc/snort/rules
  blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/black_list.rules

And now SNORT is running:

[root at ...17050... ~]# service snortd start
Starting snort: Spawning daemon child...
My daemon child 1366 lives...
Daemon parent exiting (0)
                                                           [  OK  ]
[root at ...17050... ~]# tail -f /var/log/messages
Dec 21 08:21:29 centos6 snort[1366]:            Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
Dec 21 08:21:29 centos6 snort[1366]:            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
Dec 21 08:21:29 centos6 snort[1366]:            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
Dec 21 08:21:29 centos6 snort[1366]:            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
Dec 21 08:21:29 centos6 snort[1366]:            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
Dec 21 08:21:29 centos6 snort[1366]:            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
Dec 21 08:21:29 centos6 snort[1366]:            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
Dec 21 08:21:29 centos6 snort[1366]:            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
Dec 21 08:21:29 centos6 snort[1366]:            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
Dec 21 08:21:29 centos6 snort[1366]: Commencing packet processing (pid=1366)

[root at ...17050... ~]# grep -ir "black" /etc/snort/pulledpork.conf
# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
# This format MUST be followed to let pulledpork know that this is a blacklist
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
# want to tell pulledpork where your blacklist file lives, PP automagically will
black_list=/etc/snort/rules/blacklist.rules
# This should be the same path where your black_list lives!

Must I change something in the pulledpork.conf file or not?

Thanks a lot for your help!
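
The two grep outputs above name different files (black_list.rules in snort.conf, blacklist.rules in pulledpork.conf), while the pulledpork.conf comment says the path should be the same. Added example, not part of the original post or of either project: a Python check that resolves the Snort `blacklist` entry through its `var` and compares it with PulledPork's `black_list=`. The function names and the default config directory /etc/snort are assumptions.

```python
import posixpath
import re

# Constructed samples: lines copied from the two grep outputs in the post.
SNORT_CONF = """\
#var BLACK_LIST_PATH ../rules
var BLACK_LIST_PATH /etc/snort/rules
  blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/black_list.rules
"""
PULLEDPORK_CONF = """\
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
black_list=/etc/snort/rules/blacklist.rules
"""

def active_lines(text):
    """Yield stripped lines, skipping blanks and # comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def snort_blacklists(conf_text, conf_dir="/etc/snort"):
    """Resolve every 'blacklist <path>' entry, expanding $VAR references."""
    variables, paths = {}, []
    for line in active_lines(conf_text):
        var = re.match(r"(?:var|ipvar|portvar)\s+(\S+)\s+(\S+)", line)
        entry = re.match(r"blacklist\s+([^\s,\\]+)", line)
        if var:
            variables[var.group(1)] = var.group(2)
        elif entry:
            raw = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), entry.group(1))
            # Assumption: a relative path is relative to snort.conf's directory.
            paths.append(posixpath.normpath(posixpath.join(conf_dir, raw)))
    return paths

def pulledpork_black_list(conf_text):
    """Return the black_list= path from pulledpork.conf, or None."""
    for line in active_lines(conf_text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == "black_list":
            return posixpath.normpath(value.strip())
    return None

def blacklist_mismatch(snort_text, pp_text):
    """Return (snort_paths, pulledpork_path) if they disagree, else None."""
    paths, pp_path = snort_blacklists(snort_text), pulledpork_black_list(pp_text)
    return None if pp_path in paths else (paths, pp_path)

print(blacklist_mismatch(SNORT_CONF, PULLEDPORK_CONF))
```

To run it against a live system, read /etc/snort/snort.conf and /etc/snort/pulledpork.conf into strings and pass them to `blacklist_mismatch`; a `None` result means both tools point at the same file.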



