[Snort-users] blacklist vs black_list :: pulledpork overwrites the files with a list of IP addresses

Steve Crow scrow at ...16818...
Wed Jun 4 16:31:44 EDT 2014

Thank you, that was helpful, I have modified my reputaion list file name.


-----Original Message-----
From: waldo kitty [mailto:wkitty42 at ...14940...] 
Sent: Wednesday, May 28, 2014 9:37 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] blacklist vs black_list :: pulledpork overwrites
the files with a list of IP addresses

On 5/28/2014 4:47 PM, Steve Crow wrote:
> Pulledpork is overwriting my blacklist.rules or black_list.rules files 
> that normally has rules in it with a list IP addresses. Whichever is 
> listed in snort.conf gets overwritten.
> Why are there two similarly named rules files.
> What are their proper uses.
> How does it need to be specified in snort.conf so that pulledpork 
> doesn't overwrite the rules with IP addresses?

the one named in the reputation blacklist/whitelist section is the one that
should have IP addresses in it... the other one is the one with rules in

FWIW: this came up about a year+ ago... at that time, i suggested to VRt
that they rename the reputation blacklist/whitelist files to RP_whitelist
and RP_blacklist specifically so denote them being related to the reputation
processor... i recommend you do the same now and leave the other one named
as it is... i don't recall which is which but your snort.conf will tell you

  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

Time is money. Stop wasting it! Get your web API in 5 minutes.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort

More information about the Snort-users mailing list