[Snort-users] Snort IP blacklist issue

Shirkdog shirkdog at ...11827...
Thu Aug 27 17:13:14 EDT 2015


I am not seeing this issue, with the correct permissions with the
latest code (about to release 0.7.2):


    https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.2 - E.Coli in your water bottle!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2015 JJ Cummings
  @_/        /  66\_  cummingsj at ...11827...
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2975.tar.gz....
Rules tarball download of snortrules-snapshot-2975.tar.gz....
        They Match
        Done!
Checking latest MD5 for community-rules.tar.gz....
Rules tarball download of community-rules.tar.gz....
        They Match
        Done!
IP Blacklist download of
http://talosintel.com/files/additional_resources/ips_blacklist/ip-filter.blf....
Reading IP List...
Checking latest MD5 for opensource.gz....
Rules tarball download of opensource.gz....
        They Match
        Done!
Prepping rules from opensource.gz for work....
        Done!
Prepping rules from community-rules.tar.gz for work....
        Done!
Prepping rules from snortrules-snapshot-2975.tar.gz for work....
        Done!
Reading rules...
Reading rules...
Writing Blacklist File /usr/local/etc/snort/rules/iplists/default.blacklist....
Writing Blacklist Version 825308466 to
/usr/local/etc/snort/rules/iplistsIPRVersion.dat....
Setting Flowbit State....
        Enabled 16 flowbits
        Done
Writing /usr/local/etc/snort/rules/snort.rules....
        Done
Generating sid-msg.map....
        Done
Writing v1 /usr/local/etc/snort/sid-msg.map....
        Done
Writing /var/log/sid_changes.log....
        Done
Rule Stats...
        New:-------0
        Deleted:---0
        Enabled Rules:----8695
        Dropped Rules:----0
        Disabled Rules:---17344
        Total Rules:------26039
IP Blacklist Stats...
        Total IPs:-----6312

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

---
Michael Shirk


On Thu, Aug 27, 2015 at 1:26 PM, ha dinhphu <hadinhphu at ...11827...> wrote:
> It's been a while since I asked about this problem. Does anyone have a solution
> for it?
>
> On Fri, Aug 14, 2015 at 1:12 PM, ha dinhphu <hadinhphu at ...11827...> wrote:
>>
>> Hi kitty,
>>
>> Yes, my /tmp directory is available with rwx permission for all users. I ran
>> the command as root, so I don't think that's the problem.
>> https://code.google.com/p/pulledpork/issues/detail?id=166 -- another user
>> has the same problem.
>> http://sourceforge.net/p/snort/mailman/message/32913112/  --snort-user
>>
>> On Fri, Aug 14, 2015 at 1:04 PM, waldo kitty <wkitty42 at ...14940...>
>> wrote:
>>>
>>> On 08/14/2015 12:21 PM, ha dinhphu wrote:
>>> > IP Blacklist download of
>>> >
>>> > http://talosintel.com/files/additional_resources/ips_blacklist/ip-filter.blf....
>>> > Reading IP List...
>>> > Couldn't read /tmp/296.170136981772-black_list.rules - No such file or
>>> > directory
>>>
>>> what linux are you using? does it have a working /tmp directory that is
>>> writable by all users?
>>>
>>> both of your reports have been failures to read a file that should have
>>> been downloaded into /tmp... these failures seem to point to /tmp not
>>> existing or it is not writable by the user your pulledpork is running as...
>>>
>>> --
>>>   NOTE: No off-list assistance is given without prior approval.
>>>         *Please keep mailing list traffic on the list* unless
>>>         private contact is specifically requested and granted.
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>
>>
>
>



