<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>I'll fix this when we push the new version of pulledpork. <br><br><div>--</div><div><b>Joel Esler</b></div>Sent from my iPhone <span style="background-color: rgba(255, 255, 255, 0);"></span></div><div><br>On Apr 10, 2013, at 7:33 AM, waldo kitty <<a href="mailto:wkitty42@...14940...">wkitty42@...14940...</a>> wrote:<br><br></div><blockquote type="cite"><div><span>On 4/10/2013 06:49, Hannibal S. Jackson wrote:</span><br><blockquote type="cite"><span>Thanks, I figured it out. I appreciate everyone's help. The error wasn't the</span><br></blockquote><blockquote type="cite"><span>black_list.rules file, it was actually in the snort.conf. In Step 5, where I</span><br></blockquote><blockquote type="cite"><span>enabled the reputation preprocessor, I also uncommented the include line in Step</span><br></blockquote><blockquote type="cite"><span>7. Once I commented out the include line in Step 7, it worked. Didn't know that</span><br></blockquote><blockquote type="cite"><span>having both uncommented would cause an issue. Although the error kept pointing</span><br></blockquote><blockquote type="cite"><span>to the black_list.rules it was actually the snort.conf. Thanks again for all of</span><br></blockquote><blockquote type="cite"><span>the help.</span><br></blockquote><span></span><br><span>ahhh! that means that someone has the file(s) named incorrectly... the VRT rules </span><br><span>set comes with a file named blacklist.rules... this is /not/ the same as </span><br><span>default.blacklist as used in the reputation processor examples... if one were to </span><br><span>use their own filenames, i would go with black.list for the reputation </span><br><span>preprocessor... in this way, you know without having to look too far that this </span><br><span>is a list whereas the *.rules files are... well... 
rules ;)</span><br><span></span><br><span>i note also that the location of the default.blacklist and default.whitelist is </span><br><span>different than the *.rules files in most of the examples... the rules are in </span><br><span>some/where/rules whereas other config related files are found elsewhere... maybe </span><br><span>in /etc/snort or even /etc directly...</span><br><span></span><br><span>which reminds me... i need to get a copy of the latest sample snort.conf from </span><br><span>VRT and update the one i've been using for my snorts... ugh, what a nasty job </span><br><span>that is going to be :/</span><br><span></span><br><blockquote type="cite"><span>--------------------------------------------------------------------------------</span><br></blockquote><blockquote type="cite"><span>*From:* waldo kitty <<a href="mailto:wkitty42@...14511...940...">wkitty42@...14940...</a>></span><br></blockquote><blockquote type="cite"><span>*To:* <a href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a></span><br></blockquote><blockquote type="cite"><span>*Sent:* Tuesday, April 9, 2013 8:15 PM</span><br></blockquote><blockquote type="cite"><span>*Subject:* Re: [Snort-users] Assistance with Blacklist</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>On 4/9/2013 15:57, Hannibal S. Jackson wrote:</span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>I didn't try to verify yet b/c I can't get snort to run properly, it exits when</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>it's starting up because it's having an issue with that line in the</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>black_list.rules file. 
If I comment that white and black lists out in the</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>snort.conf, snort starts just fine.</span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>please provide...</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>1. the error message from the log file</span><br></blockquote><blockquote type="cite"><span>2. the contents of your blacklist file</span><br></blockquote><blockquote type="cite"><span>3. the reputation processor lines from your snort.conf file</span><br></blockquote><blockquote type="cite"><span>4. the results of "snort -V" without the quotes</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>i think that will handle it...</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>--------------------------------------------------------------------------------</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>*From:* waldo kitty <<a href="mailto:wkitty42@...14940...">wkitty42@...14940...</a> <<a href="mailto:wkitty42@...14940...">mailto:wkitty42@...14940...</a>>></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>*To:* Hannibal S. 
Jackson <<a href="mailto:hannibaljackson@...131...">hannibaljackson@...131...</a></span><br></blockquote></blockquote><blockquote type="cite"><span><<a href="mailto:hannibaljackson@...131...">mailto:hannibaljackson@...131...</a>>>;</span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>"<a href="mailto:snort-users@lists.sourceforge.net">snort-users@...4137...orge.net</a></span><br></blockquote></blockquote><blockquote type="cite"><span><<a href="mailto:snort-users@lists.sourceforge.net">mailto:snort-users@lists.sourceforge.net</a>>" <<a href="mailto:snort-users@...3204...ts.sourceforge.net">snort-users@lists.sourceforge.net</a></span><br></blockquote><blockquote type="cite"><span><<a href="mailto:snort-users@...3204...ts.sourceforge.net">mailto:snort-users@lists.sourceforge.net</a>>></span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>*Sent:* Tuesday, April 9, 2013 2:31 PM</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>*Subject:* Re: [Snort-users] Assistance with Blacklist</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>On 4/9/2013 12:59, Hannibal S. Jackson wrote:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>So you have to use a CIDR notation?</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>i don't know... 
your post used an invalid CIDR notation so i took an eWAG and</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>figured that you were wanting to block the entire network that that IP belongs</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>to... a quick lookup showed that it belongs to facebook so i continued with the</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>eWAG and guessed that the entire network was what you were wanting to block...</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>you can't start a CIDR entry in the middle of the netblock, TTBOMK... you have</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>to list it with the network's address... 31.13.64.0 in this case...</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>It's for a class and he just wanted to see</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>if we could get it working. Obviously facebook has a bunch of IP's; however, I</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>tried to put just the IP in the file without the CIDR mask and it didn't work.</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>what didn't work? accessing that IP? how did you try to verify it? did you try</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>going to facebook and you were successful? 
this may be problematic because the</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>browser may have had the page cached and pulled it from there OR the DNS may</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>have given you another IP for facebook...</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>The examples I found online showed some with it and some without it. I tried /0</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>/8 /16 and then gave up. Thanks, I'll try that when I get back to my machine.</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>start here -> <a href="http://s3.amazonaws.com/snort-org/www/assets/166/snort_manual.pdf">http://s3.amazonaws.com/snort-org/www/assets/166/snort_manual.pdf</a></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>section 2.2.19 Reputation Processor (pg. 118) then scroll down to the bottom of</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>page 119 and the top of page 120 for working examples... 
the default.whitelist</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>example does show plain IPs without any type of mask...</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>barring that, i've offered what i know and dug up from the docs ;)</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><span>--------------------------------------------------------------------------------</span><br></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>*From:* waldo kitty <<a href="mailto:wkitty42@...14940...">wkitty42@...14940...</a></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><span><<a href="mailto:wkitty42@...14940...">mailto:wkitty42@...14940...</a>> <<a href="mailto:wkitty42@...14940...">mailto:wkitty42@...14940...</a></span><br></blockquote><blockquote type="cite"><span><<a href="mailto:wkitty42@...14940...">mailto:wkitty42@...14940...</a>>>></span><br></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>*To:* <a href="mailto:snort-users@...3054...forge.net">snort-users@lists.sourceforge.net</a></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><span><<a href="mailto:snort-users@lists.sourceforge.net">mailto:snort-users@...973...et</a>></span><br></blockquote><blockquote type="cite"><blockquote 
type="cite"><span><<a href="mailto:snort-users@lists.sourceforge.net">mailto:snort-users@lists.sourceforge.net</a></span><br></blockquote></blockquote><blockquote type="cite"><span><<a href="mailto:snort-users@...1753...s.sourceforge.net">mailto:snort-users@lists.sourceforge.net</a>>></span><br></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>*Sent:* Tuesday, April 9, 2013 12:44 PM</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>*Subject:* Re: [Snort-users] Assistance with Blacklist</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>On 4/9/2013 10:30, Hannibal S. Jackson wrote:</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>I'm getting ERROR: c:\snort\rules\black_list.rules (4) Invalid configuration</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>line: 31.13.69.160</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>The only thing I have in my black_list.rules file is this:</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote 
type="cite"><blockquote type="cite"><span># This is my black_list.rules file for <a href="http://www.facebook.com">www.facebook.com</a></span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span><<a href="http://www.facebook.com/">http://www.facebook.com/</a>></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span><<a href="http://www.facebook.com/">http://www.facebook.com/</a>></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>31.13.69.160/0</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>this is not a valid network address or CIDR mask... the address is a</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>workstation/server address, though... 
you need to use a proper network address</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>and CIDR mask...</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>in this case, the facebook network range is 31.13.64.0 - 31.13.127.255 so the</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>proper mask would be 31.13.64.0/18</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>IP Address : 31.13.64.0</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Address Class : Classless /18</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Network Address : 31.13.64.0</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Subnet Address : 31.13.64.0</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Subnet Mask : 255.255.192.0</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Subnet bit mask : 
nnnnnnnn.nnnnnnnn.nnhhhhhh.hhhhhhhh</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Subnet Bits : 18</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Host Bits : 14</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Number of Subnets : 1</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Hosts per Subnet : 16382</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Subnet : 31.13.64.0</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Mask : 255.255.192.0</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Subnet Size : 16382 Hosts</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Host Range : 31.13.64.1 to 31.13.127.254</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Broadcast : 31.13.127.255</span><br></blockquote></blockquote></blockquote><span></span><br><span>_______________________________________________</span><br><span>Snort-users mailing list</span><br><span><a href="mailto:Snort-users@...974...rceforge.net">Snort-users@lists.sourceforge.net</a></span><br><span>Snort-users list archive:</span><br><span><a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a></span><br></div></blockquote></body></html>