<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>I too have the same issue. I’m using the latest version of both Snort and Pulledpork. If anyone finds a solution, I’d love to take a look.</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE">
<div>
<div><br>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;">
<span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(0, 0, 127);">Thank you,</span></p>
<p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;">
<span style="color: rgb(0, 0, 127); font-family: Calibri, sans-serif; font-size: 10.5pt;"><br>
</span></p>
<p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;">
<span style="color: rgb(0, 0, 127); font-family: Calibri, sans-serif; font-size: 10.5pt;">Cuong Dinh</span></p>
</div>
<div>
<p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;">
<br>
</p>
</div>
</div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Shirkdog<br>
<span style="font-weight:bold">Date: </span>Thursday, August 27, 2015 at 4:53 PM<br>
<span style="font-weight:bold">To: </span>ha dinhphu<br>
<span style="font-weight:bold">Cc: </span>snort-users mailinglist<br>
<span style="font-weight:bold">Subject: </span>Re: [Snort-users] Snort IP blacklist issue<br>
</div>
<div><br>
</div>
<div>
<div>
<p dir="ltr">We would have to see a sanitized copy of your pulledpork.conf (take out your oinkcode) and you need to make sure all of the referenced files/directories in the config exist, and that permissions are not an issue for the user running pulledpork.</p>
<p dir="ltr">The howto you referenced was for version 0.7.0, and although there were no major changes until now, the latest blacklist has been tested with the current version of Snort. So also check your versions of the tools.</p>
<p dir="ltr">Snort 2.9.7.5<br>
Pulledpork 0.7.2</p>
<div class="gmail_quote">On Aug 27, 2015 5:16 PM, "ha dinhphu" <<a href="mailto:hadinhphu@...11827...">hadinhphu@...11827...</a>> wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>well,<br>
<br>
</div>
I followed the instructions from here: <a href="http://sublimerobots.com/2014/12/installing-snort-part-5/" target="_blank">
http://sublimerobots.com/2014/12/installing-snort-part-5/</a> which is exactly the same as the instructions posted on the
<a href="http://snort.org" target="_blank">snort.org</a> website. So I don't know where the issue is.<br>
<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Aug 27, 2015 at 4:13 PM, Shirkdog <span dir="ltr">
<<a href="mailto:shirkdog@...11827..." target="_blank">shirkdog@...11827...</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I am not seeing this issue, with the correct permissions with the<br>
latest code (about to release 0.7.2):<br>
<br>
<br>
    <a href="https://github.com/shirkdog/pulledpork" rel="noreferrer" target="_blank">
https://github.com/shirkdog/pulledpork</a><br>
      _____ ____<br>
     `----,\    )<br>
      `--==\\  /    PulledPork v0.7.2 - E.Coli in your water bottle!<br>
       `--==\\/<br>
     .-~~~~-.Y|\\_  Copyright (C) 2009-2015 JJ Cummings<br>
  @_/        /  66\_  <a href="mailto:cummingsj@...11827..." target="_blank">cummingsj@...11827...</a><br>
    |    \   \   _(")<br>
     \   /-| ||'--'  Rules give me wings!<br>
      \_\  \_\\<br>
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
<span><br>
Checking latest MD5 for snortrules-snapshot-2975.tar.gz....<br>
Rules tarball download of snortrules-snapshot-2975.tar.gz....<br>
        They Match<br>
        Done!<br>
Checking latest MD5 for community-rules.tar.gz....<br>
Rules tarball download of community-rules.tar.gz....<br>
        They Match<br>
        Done!<br>
</span><span>IP Blacklist download of<br>
<a href="http://talosintel.com/files/additional_resources/ips_blacklist/ip-filter.blf.." rel="noreferrer" target="_blank">http://talosintel.com/files/additional_resources/ips_blacklist/ip-filter.blf..</a>..<br>
Reading IP List...<br>
</span>Checking latest MD5 for opensource.gz....<br>
Rules tarball download of opensource.gz....<br>
        They Match<br>
        Done!<br>
Prepping rules from opensource.gz for work....<br>
        Done!<br>
Prepping rules from community-rules.tar.gz for work....<br>
        Done!<br>
Prepping rules from snortrules-snapshot-2975.tar.gz for work....<br>
        Done!<br>
Reading rules...<br>
Reading rules...<br>
Writing Blacklist File /usr/local/etc/snort/rules/iplists/default.blacklist....<br>
Writing Blacklist Version 825308466 to<br>
/usr/local/etc/snort/rules/iplistsIPRVersion.dat....<br>
Setting Flowbit State....<br>
        Enabled 16 flowbits<br>
        Done<br>
Writing /usr/local/etc/snort/rules/snort.rules....<br>
        Done<br>
Generating sid-msg.map....<br>
        Done<br>
Writing v1 /usr/local/etc/snort/sid-msg.map....<br>
        Done<br>
Writing /var/log/sid_changes.log....<br>
        Done<br>
Rule Stats...<br>
        New:-------0<br>
        Deleted:---0<br>
        Enabled Rules:----8695<br>
        Dropped Rules:----0<br>
        Disabled Rules:---17344<br>
        Total Rules:------26039<br>
IP Blacklist Stats...<br>
        Total IPs:-----6312<br>
<br>
Done<br>
Please review /var/log/sid_changes.log for additional details<br>
Fly Piggy Fly!<br>
<br>
---<br>
Michael Shirk<br>
<div>
<div><br>
<br>
On Thu, Aug 27, 2015 at 1:26 PM, ha dinhphu <<a href="mailto:hadinhphu@...11827..." target="_blank">hadinhphu@...11827...</a>> wrote:<br>
> It's been a while since I asked about this problem. Does anyone have a solution<br>
> for it?<br>
><br>
> On Fri, Aug 14, 2015 at 1:12 PM, ha dinhphu <<a href="mailto:hadinhphu@...11827..." target="_blank">hadinhphu@...11827...</a>> wrote:<br>
>><br>
>> Hi kitty,<br>
>><br>
>> Yes my /tmp directory is available with rwx permission by all users. I ran<br>
>> the command as root, so I don't think that's the problem.<br>
>> <a href="https://code.google.com/p/pulledpork/issues/detail?id=166" rel="noreferrer" target="_blank">
https://code.google.com/p/pulledpork/issues/detail?id=166</a> -- another user<br>
>> has the same problem.<br>
>> <a href="http://sourceforge.net/p/snort/mailman/message/32913112/" rel="noreferrer" target="_blank">
http://sourceforge.net/p/snort/mailman/message/32913112/</a>  --snort-user<br>
>><br>
>> On Fri, Aug 14, 2015 at 1:04 PM, waldo kitty <<a href="mailto:wkitty42@...14940..." target="_blank">wkitty42@...14940...</a>><br>
>> wrote:<br>
>>><br>
>>> On 08/14/2015 12:21 PM, ha dinhphu wrote:<br>
>>> > IP Blacklist download of<br>
>>> ><br>
>>> > <a href="http://talosintel.com/files/additional_resources/ips_blacklist/ip-filter.blf.." rel="noreferrer" target="_blank">
http://talosintel.com/files/additional_resources/ips_blacklist/ip-filter.blf..</a>..<br>
>>> > Reading IP List...<br>
>>> > Couldn't read /tmp/296.170136981772-black_list.rules - No such file or<br>
>>> > directory<br>
>>><br>
>>> what linux are you using? does it have a working /tmp directory that is<br>
>>> writable<br>
>>> by all users?<br>
>>><br>
>>> both of your reports have been failures to read a file that should have<br>
>>> been<br>
>>> downloaded into /tmp... these failures seem to point to /tmp not existing<br>
>>> or it<br>
>>> is not writable by the user your pulledpork is running as...<br>
>>><br>
>>> --<br>
>>>   NOTE: No off-list assistance is given without prior approval.<br>
>>>         *Please keep mailing list traffic on the list* unless<br>
>>>         private contact is specifically requested and granted.<br>
>>><br>
>>><br>
>>> ------------------------------------------------------------------------------<br>
>>> _______________________________________________<br>
>>> Snort-users mailing list<br>
>>> <a href="mailto:Snort-users@lists.sourceforge.net" target="_blank">Snort-users@lists.sourceforge.net</a><br>
>>> Go to this URL to change user options or unsubscribe:<br>
>>> <a href="https://lists.sourceforge.net/lists/listinfo/snort-users" rel="noreferrer" target="_blank">
https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
>>> Snort-users list archive:<br>
>>> <a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" rel="noreferrer" target="_blank">
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a><br>
>>><br>
>>> Please visit <a href="http://blog.snort.org" rel="noreferrer" target="_blank">
http://blog.snort.org</a> to stay current on all the latest<br>
>>> Snort news!<br>
>><br>
>><br>
><br>
><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</span>
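<p>The check suggested in the thread (every file and directory referenced in pulledpork.conf exists and is usable by the account running pulledpork, including the temp directory) can be scripted. The following is an added example, not part of the original messages or of PulledPork itself; the setting names it inspects (temp_path, IPRVersion, rule_path, sid_msg, sid_changelog, black_list, snort_path, config_path) are assumed to be the path-valued keys in your config.</p>

```shell
#!/bin/sh
# Added example, not part of PulledPork: pre-flight check of the paths a
# pulledpork.conf refers to. Key names below are assumed to hold paths.

# conf_value FILE KEY: print the last uncommented KEY=value, whitespace trimmed.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# need_dir KEY PATH: PATH must be an existing, writable, searchable directory.
need_dir() {
    if [ ! -d "$2" ]; then
        echo "$1: directory $2 does not exist"; return 1
    elif [ ! -w "$2" ] || [ ! -x "$2" ]; then
        echo "$1: directory $2 is not writable by $(id -un)"; return 1
    fi
}

# check_conf FILE: print one line per problem; return 1 if any was found.
check_conf() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # Settings that name a working directory.
    for key in temp_path IPRVersion; do
        val=$(conf_value "$conf" "$key")
        [ -n "$val" ] || continue
        need_dir "$key" "$val" || rc=1
    done
    # Settings that name an output file: its parent directory must be usable.
    for key in rule_path sid_msg sid_changelog black_list; do
        val=$(conf_value "$conf" "$key")
        [ -n "$val" ] || continue
        need_dir "$key" "$(dirname "$val")" || rc=1
        if [ -e "$val" ] && [ ! -w "$val" ]; then
            echo "$key: $val exists but is not writable"; rc=1
        fi
    done
    # Settings that name an input file that must already be there.
    for key in snort_path config_path; do
        val=$(conf_value "$conf" "$key")
        [ -n "$val" ] || continue
        [ -r "$val" ] || { echo "$key: cannot read $val"; rc=1; }
    done
    return $rc
}
# Usage: sh check_pp_paths.sh /path/to/pulledpork.conf
if [ "$#" -gt 0 ]; then check_conf "$1"; fi
```

<p>Run it as the same account that runs pulledpork, since the writability tests apply to the current user.</p>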
</body>
</html>