Snort mailing list archives
Get Invalid Configuration in blacklist.rules when restart Snort
From: Jutichai Thongkrachai <thsecmaniac () gmail com>
Date: Mon, 6 Oct 2014 12:38:30 +0700
Hello,

Before I had this problem, I installed PulledPork to get the latest rules from Snort. After that I restarted Snort but got this error:

Oct 06 12:25:55 snort[25714]: Detection:
Oct 06 12:25:55 snort[25714]: Search-Method = AC-Full-Q
Oct 06 12:25:55 snort[25714]: Split Any/Any group = enabled
Oct 06 12:25:55 snort[25714]: Search-Method-Optimizations = enabled
Oct 06 12:25:55 snort[25714]: Maximum pattern length = 20
Oct 06 12:25:55 snort[25714]: FATAL ERROR: /etc/snort/rules/blacklist.rules(1) Invalid configuration line: 1.122.106.236
Oct 06 12:25:55 snort[25709]: [33B blob data]
Oct 06 12:25:55 systemd[1]: snort.service: control process exited, code=exited status=1
Oct 06 12:25:55 systemd[1]: Failed to start LSB: Start up the SNORT Intrusion Detection System daemon.

But in blacklist.rules there is only one IP address per line.

2014-10-04 2:22 GMT+07:00 <snort-users-request () lists sourceforge net>:
Today's Topics:

1. Measuring the delay introduced by Snort (Jiahua Yu)
2. FATAL error on the snort as "Snort[]: FATAL ERROR: Event6 type not yet supported!" (vinay kadagave)
3. Re: The DAQ version does not support reload (waldo kitty)
4. Re: Multiple Instances of SNORT (test engineer)

---------- Forwarded message ----------
From: Jiahua Yu <yjh3207 () gmail com>
To: snort-users () lists sourceforge net
Cc:
Date: Fri, 3 Oct 2014 11:18:30 -0400
Subject: [Snort-users] Measuring the delay introduced by Snort

Hi,

I am recently using Performance Monitor to dump real-time statistics of Snort.

1. A field 'uSeconds/Sec' is included with the 'max' option, given the definition of 'max' as "theoretical maximum performance that Snort calculates". Does 'uSeconds/Sec' refer to the shortest time each packet would take? Is it a calculation instead of a real-time average over processed packets?

2. Since I am looking to find the real-time delay of packets introduced by Snort, is there any metric that I could use? I have tried the Packet Performance Monitor and counting the numbers beyond the threshold, but that makes me count the delay events in the log file.

3. In perfmonitor there are the metrics *Drop Rate* and *Percentage of Packets Dropped*; what is their difference and relationship? I found the previous thread http://seclists.org/snort/2010/q3/519 but it didn't come with much explanation.
Thanks,
Jiahua

---------- Forwarded message ----------
From: vinay kadagave <vinay_kadagave () yahoo com>
To: "Snort-users () lists sourceforge net" <Snort-users () lists sourceforge net>
Cc:
Date: Fri, 3 Oct 2014 17:11:30 +0000 (UTC)
Subject: [Snort-users] FATAL error on the snort as "Snort[]: FATAL ERROR: Event6 type not yet supported!"

Greetings,

I am getting the FATAL error on Snort as "*Snort[]: FATAL ERROR: Event6 type not yet supported!*". Due to this error Snort is not generating any alert. I searched online but didn't get any information about this error, so does anyone know about this?

Snort Details:
OS: Ubuntu
Snort version:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47)
   ''''    Using libpcap version 1.1.1
           Using PCRE version: 8.34 2013-12-15
           Using ZLIB version: 1.2.8

Running barnyard2.

Thanks & Regards,
vinay

---------- Forwarded message ----------
From: waldo kitty <wkitty42 () windstream net>
To: snort-users () lists sourceforge net
Cc:
Date: Fri, 03 Oct 2014 13:33:09 -0400
Subject: Re: [Snort-users] The DAQ version does not support reload

On 10/3/2014 9:57 AM, Deepak Yadav wrote:
> Hi all,
> I have managed to install Snort on win7, I have ONE eth on my PC, and that one. I am getting the below error:
> Please suggest..!!!

the subject title and reported error is not your problem...

> C:\Snort\bin>snort -i 1 -e c:snort\etcsnort.conf -A console -T
> Running in packet dump mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Snort BPF option: c:snort\etcsnort.conf -A console -T

the above line is your problem...

> pcap DAQ configured to passive.
> The DAQ version does not support reload.
> Acquiring network traffic from "\Device\NPF_{037B06CB-66F4-4AA9-AB91-9141848D1EAD}".
> ERROR: Can't set DAQ BPF filter to 'c:snort\etcsnort.conf -A console -T' (└$O)!

which is further confirmed by the above line... the solution is to use the proper command line options and parameters in the correct order...

--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.

---------- Forwarded message ----------
From: test engineer <test12524 () gmail com>
To: Robert Cotter <Robert.Cotter () emulex com>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Date: Fri, 3 Oct 2014 15:22:17 -0400
Subject: Re: [Snort-users] Multiple Instances of SNORT

Successfully configured 8 2-tuple strings and spun up 8 Snort processes. CPU usage down to a minimum and no packet drops. Thanks for your help.

On Fri, Oct 3, 2014 at 10:57 AM, test engineer <test12524 () gmail com> wrote:
> Thank you for your suggestions on Hash Load Balancing. I contacted Endace support and received instructions and this document which describes the process: *EDM04-31v5 Enhanced Packet Processing Guide v2*
>
> On Thu, Oct 2, 2014 at 7:14 PM, Robert Cotter <Robert.Cotter () emulex com> wrote:
>> Reach out to the Endace support team for assistance on the setup for what you're trying to achieve; the link to the support page is below, email or call them.
>> http://www.emulex.com/support/network-visibility-products/overview/
>> Bill is correct in his statement regarding the model type and we support several different methods for spreading the traffic; talk it through with the Endace support people. If you have any problems talking to them contact me directly and I will see what I can do to assist you.
>>
>> Regards
>> *Robert Cotter*
>> *Sales Engineer APAC – Endace, a division of Emulex*
>>
>> *From:* Bill Bernsen [mailto:bill.bernsen () nyu edu]
>> *Sent:* Friday, 3 October 2014 3:43 a.m.
>> *To:* Y M
>> *Cc:* snort-users () lists sourceforge net
>> *Subject:* Re: [Snort-users] Multiple Instances of SNORT
>>
>> Which DAG are you using? The model determines the number of interfaces (and how) you can distribute your traffic. Admittedly, you'll probably only need 2. On a modern box, 250M is a pretty safe place for Snort to be for each instance.
>> You'll often start seeing problems when you push past 300M.
>>
>> On Thu, Oct 2, 2014 at 10:32 AM, Y M <snort () outlook com> wrote:
>>> Running multiple Snort instances without a method of packet distribution / load balancing will not achieve what you are after. Your best choice would be PF_RING.
>>>
>>> YM
>>> Sent from Mobile
>>>
>>> ------------------------------
>>> *From: *test engineer <test12524 () gmail com>
>>> *Sent: *10/2/2014 5:11 PM
>>> *To: *snort-users () lists sourceforge net
>>> *Subject: *[Snort-users] Multiple Instances of SNORT
>>>
>>> Greetings
>>>
>>> I'm new to the community and need some guidance. I have a Dell R720 with plenty of memory, CPUs and storage. I'm using an Emulex DAG NIC. Running a minimal install of CentOS 6.5 with Snort 2.9. My CPU usage hits 80% with only 500M of traffic and Snort starts dropping packets. From what I've read, I can spin up more instances of Snort on the same interface and perhaps specify different CPUs for each process. I start Snort as a daemon via command line for now using:
>>>
>>> /usr/sbin/snort -G 1 -A fast -U -b -d -D -i dag0:0 -e -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
>>>
>>> I tried spinning up another process with -G 2 but no new processes start when checking ps -ef | grep snort. Any direction is greatly appreciated.
>>
>> --
>> Bill Bernsen
>> Network Security Analyst
>> ITS Technology Security Services, New York University
>> http://www.nyu.edu/its/security
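The FATAL ERROR in the first message is what Snort's rule parser produces when a file containing only bare addresses is loaded as a rules file; one-IP-or-CIDR-per-line is the format of the reputation preprocessor's blacklist/whitelist files, not of an include'd rules file. The following pre-restart check is an added example written for this page, not code from the thread, Snort or PulledPork; the sample file contents are constructed and the keyword list is a partial assumption.

```python
import ipaddress

# Constructed sample of a pulledpork-style IP blacklist (one IP or CIDR per
# line): the reputation preprocessor's list format, not rule syntax.
SAMPLE_BLACKLIST = """\
1.122.106.236
198.51.100.0/24
"""

# Constructed sample of a genuine rules file for comparison.
SAMPLE_RULES = """\
alert tcp any any -> $HOME_NET 22 (msg:"constructed test"; \\
    sid:1000001; rev:1;)
include other.rules
"""

# First tokens Snort accepts in a rules/config file (partial list; assumption).
RULE_KEYWORDS = frozenset({
    "alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic",
    "include", "var", "ipvar", "portvar", "config", "preprocessor", "output",
})

def classify_line(line):
    """Return 'blank', 'iplist', 'rule' or 'unknown' for one logical line."""
    text = line.strip()
    if not text or text.startswith("#"):
        return "blank"
    try:
        ipaddress.ip_network(text, strict=False)  # bare IP or CIDR, v4 or v6
        return "iplist"
    except ValueError:
        pass
    return "rule" if text.split()[0] in RULE_KEYWORDS else "unknown"

def check_rules_file(content):
    """Return (lineno, kind, text) for each line Snort's rule parser would reject."""
    problems, continued = [], False
    for lineno, line in enumerate(content.splitlines(), start=1):
        if not continued:
            kind = classify_line(line)
            if kind in ("iplist", "unknown"):
                problems.append((lineno, kind, line.strip()))
        continued = line.rstrip().endswith("\\")  # next line continues this rule
    return problems

def is_ip_list(content):
    """True when every non-blank line is an address: a reputation list file."""
    kinds = {classify_line(l) for l in content.splitlines()} - {"blank"}
    return kinds == {"iplist"}
```

Run `check_rules_file` over each file that snort.conf includes before restarting the service; a file for which `is_ip_list` is true should be referenced from the reputation preprocessor's blacklist or whitelist option instead of an include line.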
Current thread:
- Get Invalid Configuration in blacklist.rules when restart Snort Jutichai Thongkrachai (Oct 05)
- Re: Get Invalid Configuration in blacklist.rules when restart Snort Joel Esler (jesler) (Oct 06)
- Re: Get Invalid Configuration in blacklist.rules when restart Snort Stephen Gantz (Oct 06)
- Re: Get Invalid Configuration in blacklist.rules when restart Snort Joel Esler (jesler) (Oct 06)
- Re: Get Invalid Configuration in blacklist.rules when restart Snort Stephen Gantz (Oct 06)
- <Possible follow-ups>
- Re: Get Invalid Configuration in blacklist.rules when restart Snort Jutichai Thongkrachai (Oct 06)
- Re: Get Invalid Configuration in blacklist.rules when restart Snort Jutichai Thongkrachai (Oct 07)
- Re: Get Invalid Configuration in blacklist.rules when restart Snort Joel Esler (jesler) (Oct 06)