[Snort-users] Snort IP blacklist issue

Shirkdog shirkdog at ...11827...
Thu Aug 27 18:53:12 EDT 2015


We would have to see a sanitized copy of your pulledpork.conf (take out
your oinkcode) and you need to make sure all of the referenced
files/directories in the config exist, and that permissions are not an
issue for the user running pulledpork.

The howto you referenced was for version 0.7.0, and although there were no
major changes until now, the latest blacklist has been tested with the
current version of Snort. So also check your versions of the tools.

Snort 2.9.7.5
Pulledpork 0.7.2
On Aug 27, 2015 5:16 PM, "ha dinhphu" <hadinhphu at ...11827...> wrote:

> well,
>
> I followed the instruction from here:
> http://sublimerobots.com/2014/12/installing-snort-part-5/ which is
> exactly the same as instruction posted on snort.org website. So I don't
> know where the issue is.
>
>
> On Thu, Aug 27, 2015 at 4:13 PM, Shirkdog <shirkdog at ...11827...> wrote:
>
>> I am not seeing this issue, with the correct permissions with the
>> latest code (about to release 0.7.2):
>>
>>
>>     https://github.com/shirkdog/pulledpork
>>       _____ ____
>>      `----,\    )
>>       `--==\\  /    PulledPork v0.7.2 - E.Coli in your water bottle!
>>        `--==\\/
>>      .-~~~~-.Y|\\_  Copyright (C) 2009-2015 JJ Cummings
>>   @_/        /  66\_  cummingsj at ...11827...
>>     |    \   \   _(")
>>      \   /-| ||'--'  Rules give me wings!
>>       \_\  \_\\
>>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Checking latest MD5 for snortrules-snapshot-2975.tar.gz....
>> Rules tarball download of snortrules-snapshot-2975.tar.gz....
>>         They Match
>>         Done!
>> Checking latest MD5 for community-rules.tar.gz....
>> Rules tarball download of community-rules.tar.gz....
>>         They Match
>>         Done!
>> IP Blacklist download of
>> http://talosintel.com/files/additional_resources/ips_blacklist/ip-filter.blf....
>> Reading IP List...
>> Checking latest MD5 for opensource.gz....
>> Rules tarball download of opensource.gz....
>>         They Match
>>         Done!
>> Prepping rules from opensource.gz for work....
>>         Done!
>> Prepping rules from community-rules.tar.gz for work....
>>         Done!
>> Prepping rules from snortrules-snapshot-2975.tar.gz for work....
>>         Done!
>> Reading rules...
>> Reading rules...
>> Writing Blacklist File
>> /usr/local/etc/snort/rules/iplists/default.blacklist....
>> Writing Blacklist Version 825308466 to
>> /usr/local/etc/snort/rules/iplistsIPRVersion.dat....
>> Setting Flowbit State....
>>         Enabled 16 flowbits
>>         Done
>> Writing /usr/local/etc/snort/rules/snort.rules....
>>         Done
>> Generating sid-msg.map....
>>         Done
>> Writing v1 /usr/local/etc/snort/sid-msg.map....
>>         Done
>> Writing /var/log/sid_changes.log....
>>         Done
>> Rule Stats...
>>         New:-------0
>>         Deleted:---0
>>         Enabled Rules:----8695
>>         Dropped Rules:----0
>>         Disabled Rules:---17344
>>         Total Rules:------26039
>> IP Blacklist Stats...
>>         Total IPs:-----6312
>>
>> Done
>> Please review /var/log/sid_changes.log for additional details
>> Fly Piggy Fly!
>>
>> ---
>> Michael Shirk
>>
>>
>> On Thu, Aug 27, 2015 at 1:26 PM, ha dinhphu <hadinhphu at ...11827...> wrote:
>> > It's been a while since I asked about this problem. Does anyone have a
>> > solution for it?
>> >
>> > On Fri, Aug 14, 2015 at 1:12 PM, ha dinhphu <hadinhphu at ...11827...> wrote:
>> >>
>> >> Hi kitty,
>> >>
>> >> Yes my /tmp directory is available with rwx permission by all users. I
>> >> ran the command as root, so I don't think that's the problem.
>> >> https://code.google.com/p/pulledpork/issues/detail?id=166 -- another
>> >> user has the same problem.
>> >> http://sourceforge.net/p/snort/mailman/message/32913112/ -- snort-users
>> >>
>> >> On Fri, Aug 14, 2015 at 1:04 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>> >>>
>> >>> On 08/14/2015 12:21 PM, ha dinhphu wrote:
>> >>> > IP Blacklist download of
>> >>> > http://talosintel.com/files/additional_resources/ips_blacklist/ip-filter.blf....
>> >>> > Reading IP List...
>> >>> > Couldn't read /tmp/296.170136981772-black_list.rules - No such file
>> >>> > or directory
>> >>>
>> >>> what linux are you using? does it have a working /tmp directory that
>> >>> is writable by all users?
>> >>>
>> >>> both of your reports have been failures to read a file that should
>> >>> have been downloaded into /tmp... these failures seem to point to /tmp
>> >>> not existing or it is not writable by the user your pulledpork is
>> >>> running as...
>> >>>
>> >>> --
>> >>>   NOTE: No off-list assistance is given without prior approval.
>> >>>         *Please keep mailing list traffic on the list* unless
>> >>>         private contact is specifically requested and granted.
>> >>>
>> >>>
>> >>>
>> ------------------------------------------------------------------------------
>> >>> _______________________________________________
>> >>> Snort-users mailing list
>> >>> Snort-users at lists.sourceforge.net
>> >>> Go to this URL to change user options or unsubscribe:
>> >>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >>> Snort-users list archive:
>> >>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> >>>
>> >>> Please visit http://blog.snort.org to stay current on all the latest
>> >>> Snort news!
>> >>
>> >>
>> >
>> >
>> >
>> ------------------------------------------------------------------------------
>> >
>> > _______________________________________________
>> > Snort-users mailing list
>> > Snort-users at lists.sourceforge.net
>> > Go to this URL to change user options or unsubscribe:
>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> > Snort-users list archive:
>> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> >
>> > Please visit http://blog.snort.org to stay current on all the latest
>> Snort
>> > news!
>>
>
>
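A preflight check for the two things asked for above (every path referenced in pulledpork.conf exists, and the user running pulledpork can write to it), as an added example that is not part of pulledpork or of this thread; the key names temp_path, rule_path, black_list, IPRVersion, sid_msg and sid_changelog are assumed from a typical pulledpork.conf:

```shell
#!/bin/sh
# Constructed preflight for pulledpork.conf (not pulledpork's own code).
# Run it as the same user that runs pulledpork, so the -w tests reflect
# that user's permissions rather than root's.

# Keys whose values are directories pulledpork downloads into (assumed).
PP_DIR_KEYS="temp_path"
# Keys whose values are files pulledpork writes; their parent directory
# must exist and be writable (assumed key names).
PP_FILE_KEYS="rule_path black_list IPRVersion sid_msg sid_changelog"

# Print the value of key $2 in conf file $1; last uncommented assignment wins.
pp_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Check one conf file. Prints one line per finding and returns the number
# of problems found (0 means every referenced path is usable).
pp_preflight() {
    conf=$1
    problems=0
    for key in $PP_DIR_KEYS; do
        val=$(pp_conf_get "$conf" "$key")
        if [ -z "$val" ]; then
            echo "MISSING  $key is not set in $conf"; problems=$((problems + 1))
        elif [ ! -d "$val" ]; then
            echo "NODIR    $key=$val"; problems=$((problems + 1))
        elif [ ! -w "$val" ]; then
            echo "NOWRITE  $key=$val (not writable by $(id -un))"; problems=$((problems + 1))
        fi
    done
    for key in $PP_FILE_KEYS; do
        val=$(pp_conf_get "$conf" "$key")
        [ -n "$val" ] || continue          # optional keys may be absent
        dir=$(dirname "$val")
        if [ ! -d "$dir" ]; then
            echo "NODIR    $key=$val (parent $dir missing)"; problems=$((problems + 1))
        elif [ ! -w "$dir" ]; then
            echo "NOWRITE  $key=$val (parent $dir not writable by $(id -un))"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

Running `pp_preflight /usr/local/etc/pulledpork/pulledpork.conf` before pulledpork surfaces the "Couldn't read /tmp/..." class of failure as a NODIR or NOWRITE line on temp_path instead of a mid-run error.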

