[Snort-users] Snort IP blacklist issue

ha dinhphu hadinhphu at ...11827...
Thu Aug 27 17:16:24 EDT 2015


Well,

I followed the instructions from here:
http://sublimerobots.com/2014/12/installing-snort-part-5/ which are exactly
the same as the instructions posted on the snort.org website. So I don't know where
the issue is.


On Thu, Aug 27, 2015 at 4:13 PM, Shirkdog <shirkdog at ...11827...> wrote:

> I am not seeing this issue, with the correct permissions with the
> latest code (about to release 0.7.2):
>
>
>     https://github.com/shirkdog/pulledpork
>       _____ ____
>      `----,\    )
>       `--==\\  /    PulledPork v0.7.2 - E.Coli in your water bottle!
>        `--==\\/
>      .-~~~~-.Y|\\_  Copyright (C) 2009-2015 JJ Cummings
>   @_/        /  66\_  cummingsj at ...11827...
>     |    \   \   _(")
>      \   /-| ||'--'  Rules give me wings!
>       \_\  \_\\
>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Checking latest MD5 for snortrules-snapshot-2975.tar.gz....
> Rules tarball download of snortrules-snapshot-2975.tar.gz....
>         They Match
>         Done!
> Checking latest MD5 for community-rules.tar.gz....
> Rules tarball download of community-rules.tar.gz....
>         They Match
>         Done!
> IP Blacklist download of
> http://talosintel.com/files/additional_resources/ips_blacklist/ip-filter.blf....
> Reading IP List...
> Checking latest MD5 for opensource.gz....
> Rules tarball download of opensource.gz....
>         They Match
>         Done!
> Prepping rules from opensource.gz for work....
>         Done!
> Prepping rules from community-rules.tar.gz for work....
>         Done!
> Prepping rules from snortrules-snapshot-2975.tar.gz for work....
>         Done!
> Reading rules...
> Reading rules...
> Writing Blacklist File /usr/local/etc/snort/rules/iplists/default.blacklist....
> Writing Blacklist Version 825308466 to /usr/local/etc/snort/rules/iplistsIPRVersion.dat....
> Setting Flowbit State....
>         Enabled 16 flowbits
>         Done
> Writing /usr/local/etc/snort/rules/snort.rules....
>         Done
> Generating sid-msg.map....
>         Done
> Writing v1 /usr/local/etc/snort/sid-msg.map....
>         Done
> Writing /var/log/sid_changes.log....
>         Done
> Rule Stats...
>         New:-------0
>         Deleted:---0
>         Enabled Rules:----8695
>         Dropped Rules:----0
>         Disabled Rules:---17344
>         Total Rules:------26039
> IP Blacklist Stats...
>         Total IPs:-----6312
>
> Done
> Please review /var/log/sid_changes.log for additional details
> Fly Piggy Fly!
>
> ---
> Michael Shirk
>
>
> On Thu, Aug 27, 2015 at 1:26 PM, ha dinhphu <hadinhphu at ...11827...> wrote:
> > It's been a while since I asked about this problem. Does anyone have a
> > solution for it?
> >
> > On Fri, Aug 14, 2015 at 1:12 PM, ha dinhphu <hadinhphu at ...11827...> wrote:
> >>
> >> Hi kitty,
> >>
> >> Yes, my /tmp directory is available with rwx permission by all users. I ran
> >> the command as root, so I don't think that's the problem.
> >> https://code.google.com/p/pulledpork/issues/detail?id=166 -- another user
> >> has the same problem.
> >> http://sourceforge.net/p/snort/mailman/message/32913112/  --snort-user
> >>
> >> On Fri, Aug 14, 2015 at 1:04 PM, waldo kitty <wkitty42 at ...14940...>
> >> wrote:
> >>>
> >>> On 08/14/2015 12:21 PM, ha dinhphu wrote:
> >>> > IP Blacklist download of
> >>> > http://talosintel.com/files/additional_resources/ips_blacklist/ip-filter.blf....
> >>> > Reading IP List...
> >>> > Couldn't read /tmp/296.170136981772-black_list.rules - No such file or directory
> >>>
> >>> what linux are you using? does it have a working /tmp directory that is
> >>> writable by all users?
> >>>
> >>> both of your reports have been failures to read a file that should have
> >>> been downloaded into /tmp... these failures seem to point to /tmp not
> >>> existing or it is not writable by the user your pulledpork is running as...
> >>>
> >>> --
> >>>   NOTE: No off-list assistance is given without prior approval.
> >>>         *Please keep mailing list traffic on the list* unless
> >>>         private contact is specifically requested and granted.
> >>>
> >>>
> >>>
> ------------------------------------------------------------------------------
> >>> _______________________________________________
> >>> Snort-users mailing list
> >>> Snort-users at lists.sourceforge.net
> >>> Go to this URL to change user options or unsubscribe:
> >>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>> Snort-users list archive:
> >>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >>>
> >>> Please visit http://blog.snort.org to stay current on all the latest
> >>> Snort news!
> >>
> >>
> >
> >
> >
>