[Snort-users] blacklist vs black_list :: pulledpork overwrites the files with a list of IP addresses

waldo kitty wkitty42 at ...14940...
Wed May 28 22:37:23 EDT 2014

On 5/28/2014 4:47 PM, Steve Crow wrote:
> Pulledpork is overwriting my blacklist.rules or black_list.rules files that
> normally has rules in it with a list IP addresses. Whichever is listed in
> snort.conf gets overwritten.
> Why are there two similarly named rules files.
> What are their proper uses.
> How does it need to be specified in snort.conf so that pulledpork doesn't
> overwrite the rules with IP addresses?

the one named in the reputation blacklist/whitelist section is the one that 
should have IP addresses in it... the other one is the one with rules in it...

FWIW: this came up about a year+ ago... at that time, i suggested to VRt that 
they rename the reputation blacklist/whitelist files to RP_whitelist and 
RP_blacklist specifically so denote them being related to the reputation 
processor... i recommend you do the same now and leave the other one named as it 
is... i don't recall which is which but your snort.conf will tell you ;)

  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

More information about the Snort-users mailing list