<div dir="ltr"><div>I just went through the Manual on the Reputation Preprocessor area and still having the same issues.  I created a text file called white.list.   On the snort.conf file in line 113 I have the variable listed correctly and verified it is called upon in line 511.  I am running snort on windows any idea on why the IP is still in the alerts? </div><div><br></div><div>File name is white.list  (location c:\Snort\Rules\)</div><div>Line 113 var WHITE_LIST_PATH c:\Snort\Rules</div><div>Line 511 $WHITE_LIST_PATH\white.list, \</div><div><br></div><div><br></div><div>In the white.list I have the ip set up as.</div><div><a href="http://192.168.70.5/32">192.168.70.5/32</a><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 1, 2016 at 2:36 PM, Joel Esler (jesler) <span dir="ltr"><<a href="mailto:jesler@...979...589..." target="_blank">jesler@...589...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div style="-ms-word-wrap: break-word;">
Also <a href="http://www.snort.org/faq" target="_blank">http://www.snort.org/faq</a>
<div><br>
</div>
<div>I’ve been adding documents in here more frequently lately, and would love to add more.</div>
<div><span><br>
<div>
<div style="color:rgb(0,0,0);text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal">
<div style="color:rgb(0,0,0);text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal">
<div style="color:rgb(0,0,0);text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal">
<div><b style="font-family:Calibri,sans-serif;font-size:10px"><font color="#5e5e5e">--</font></b></div>
<div style="font-size:14px"><b style="font-family:Calibri,sans-serif;font-size:12px"><font color="#5e5e5e">Joel Esler </font></b><span style="font-family:Calibri,sans-serif;font-size:12px">| </span><b style="font-family:Calibri,sans-serif;font-size:12px"><font color="#0096ff">Talos:</font></b><span style="font-family:Calibri,sans-serif;font-size:12px"> M</span><font color="#424242" style="font-family:Calibri,sans-serif;font-size:12px">anager
 | <a href="mailto:jesler@...589..." target="_blank">jesler@...16686......</a></font></div>
<div><font color="#424242" style="font-family:Calibri,sans-serif;font-size:10px"><br>
</font></div>
</div>
<br class="m_3943651893774462843Apple-interchange-newline">
</div>
<br class="m_3943651893774462843Apple-interchange-newline">
</div>
<br class="m_3943651893774462843Apple-interchange-newline">
<br class="m_3943651893774462843Apple-interchange-newline">
</div>
<br>
</span><div><div class="h5"><div>
<blockquote type="cite">
<div>On Dec 1, 2016, at 3:35 PM, Luke Ager <<a href="mailto:luke.ager@...14399..." target="_blank">luke.ager@...14399...</a>> wrote:</div>
<br class="m_3943651893774462843Apple-interchange-newline">
<div>
<div dir="auto">
<div>Agree with the snort manual posts. </div>
<div>The art of network security monitoring is also worth a read. <br>
<br>
Sent from my iPhone</div>
<div><br>
On 1 Dec 2016, at 20:32, Joel Esler (jesler) <<a href="mailto:jesler@...843.....589..." target="_blank">jesler@...589...</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>Albert is right.
<div><br>
</div>
<div>Also, <a href="http://manual.snort.org/" target="_blank">manual.snort.org</a> is a bit easier to remember.</div>
<div><br>
<div>
<div style="text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal">
<div style="text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal">
<div style="text-transform:none;text-indent:0px;letter-spacing:normal;word-spacing:0px;white-space:normal">
<div><b style="font-family:Calibri,sans-serif;font-size:10px"><font color="#5e5e5e">--</font></b></div>
<div style="font-size:14px"><b style="font-family:Calibri,sans-serif;font-size:12px"><font color="#5e5e5e">Joel Esler </font></b><span style="font-family:Calibri,sans-serif;font-size:12px">| </span><b style="font-family:Calibri,sans-serif;font-size:12px"><font color="#0096ff">Talos:</font></b><span style="font-family:Calibri,sans-serif;font-size:12px"> M</span><font color="#424242" style="font-family:Calibri,sans-serif;font-size:12px">anager
 | <a href="mailto:jesler@...589..." target="_blank">jesler@...16686......</a></font></div>
<div><font color="#424242" style="font-family:Calibri,sans-serif;font-size:10px"><br>
</font></div>
</div>
<br class="m_3943651893774462843Apple-interchange-newline">
</div>
<br class="m_3943651893774462843Apple-interchange-newline">
</div>
<br class="m_3943651893774462843Apple-interchange-newline">
<br class="m_3943651893774462843Apple-interchange-newline">
</div>
<br>
<div>
<blockquote type="cite">
<div>On Dec 1, 2016, at 2:00 PM, Al Lewis (allewi) <<a href="mailto:allewi@...589..." target="_blank">allewi@...589...</a>> wrote:</div>
<br class="m_3943651893774462843Apple-interchange-newline">
<div>
<div style="font-family:Courier,sans-serif;font-size:14px">
<div>
<div>Hello Justin,</div>
<div><br>
</div>
<div><span class="m_3943651893774462843Apple-tab-span" style="white-space:pre-wrap"></span>The best “book” would be the snort manual in my opinion. This will give you the most information that is updated and maintained by the developers. </div>
<div><br>
</div>
<div>If you go through a section of the manual (and don’t understand it) please feel free to post whatever question no matter how big or small. </div>
<div><br>
</div>
<div>We will be glad to help you out and get you pointed in the right direction.</div>
<div><br>
</div>
<div>The snort manual can be found in the snort download (in the doc directory) from
<a href="http://www.snort.org/" target="_blank">www.snort.org</a> and also online here: <a href="http://manual-snort-org.s3-website-us-east-1.amazonaws.com/" target="_blank">http://manual-snort-org.<wbr>s3-website-us-east-1.<wbr>amazonaws.com/</a></div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks!</div>
<div><br>
</div>
<div>
<div id="m_3943651893774462843MAC_OUTLOOK_SIGNATURE">
<div>
<div style="margin:0in 0in 0pt;font-family:-webkit-standard;font-size:11pt">
<b><span style="color:rgb(31,73,125);font-size:12pt"><font face="Courier">Albert Lewis<u></u><u></u></font></span></b></div>
<div style="margin:0in 0in 0pt;font-family:-webkit-standard;font-size:11pt">
<font color="#7f7f7f">ENGINEER.SOFTWARE ENGINEERING</font></div>
<div style="margin:0in 0in 0pt;font-family:-webkit-standard;font-size:11pt">
<font face="Courier"><span style="color:rgb(153,153,153);font-size:12pt">SOURCE</span><b><span style="color:red;font-size:12pt">fire</span></b><span style="color:rgb(153,153,153);font-size:12pt">,
 Inc. </span><span style="color:rgb(136,136,136);font-size:12pt">now part of </span><b><span style="font-size:12pt"><font color="#00007f">Cisco</font></span></b></font></div>
<div style="margin:0in 0in 0pt;font-family:-webkit-standard;font-size:11pt">
<font face="Courier"><span style="color:rgb(153,153,153);font-size:12pt">Email: </span><span style="font-size:12pt"><a style="color:purple" href="mailto:allewi@...589..." target="_blank">allewi@...589...</a><span style="color:rgb(79,129,189)"> </span></span></font></div>
</div>
</div>
</div>
</div>
<div><br>
</div>
<span id="m_3943651893774462843OLK_SRC_BODY_SECTION">
<div style="border-width:1pt medium medium;border-style:solid none none;padding:3pt 0in 0in;text-align:left;font-family:Calibri;font-size:12pt;border-top-color:rgb(181,196,223)">
<span style="font-weight:bold">From: </span>Justin Pederson <<a href="mailto:jpedersm@...11827..." target="_blank">jpedersm@...11827...</a>><br>
<span style="font-weight:bold">Date: </span>Thursday, December 1, 2016 at 1:23 PM<br>
<span style="font-weight:bold">To: </span>'snort-users' <<a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@...8192...<wbr>sourceforge.net</a>><br>
<span style="font-weight:bold">Subject: </span>[Snort-users] Any Good Books out there?<br>
</div>
<div><br>
</div>
<span>
<div>
<div>
<div dir="ltr">I'm just getting into snort.  While there is allot of information out there on snort, allot of it is not strait forward.  If I am looking for a book to get up to speed on they system.  By chance does anyone know of any good books to
 read? </div>
</div>
</div>
</span></span></div>
------------------------------<wbr>------------------------------<wbr>------------------<br>
______________________________<wbr>_________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.sourceforge.net" target="_blank">Snort-users@...3783...<wbr>net</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/<wbr>lists/listinfo/snort-users</a><br>
Snort-users list archive:<br>
<a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank">http://sourceforge.net/<wbr>mailarchive/forum.php?forum_<wbr>name=snort-users</a><br>
<br>
Please visit <a href="http://blog.snort.org/" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div><span>------------------------------<wbr>------------------------------<wbr>------------------</span><br>
</div>
</blockquote>
<blockquote type="cite">
<div><span>______________________________<wbr>_________________</span><br>
<span>Snort-users mailing list</span><br>
<span><a href="mailto:Snort-users@lists.sourceforge.net" target="_blank">Snort-users@...3783...<wbr>net</a></span><br>
<span>Go to this URL to change user options or unsubscribe:</span><br>
<span><a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/<wbr>lists/listinfo/snort-users</a></span><br>
<span>Snort-users list archive:</span><br>
<span><a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank">http://sourceforge.net/<wbr>mailarchive/forum.php?forum_<wbr>name=snort-users</a></span><br>
<span></span><br>
<span>Please visit <a href="http://blog.snort.org/" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!</span></div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br>
</div></div></div>
</div>

<br>------------------------------<wbr>------------------------------<wbr>------------------<br>
<br>______________________________<wbr>_________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.sourceforge.net">Snort-users@...3783...<wbr>net</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank" rel="noreferrer">https://lists.sourceforge.net/<wbr>lists/listinfo/snort-users</a><br>
Snort-users list archive:<br>
<a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank" rel="noreferrer">http://sourceforge.net/<wbr>mailarchive/forum.php?forum_<wbr>name=snort-users</a><br>
<br>
Please visit <a href="http://blog.snort.org" target="_blank" rel="noreferrer">http://blog.snort.org</a> to stay current on all the latest Snort news!<br></blockquote></div><br></div>