Re: Get Invalid Configuration in blacklist.rules when restart Snort

[Jutichai Thongkrachai <thsecmaniac () gmail com>]

To Joel,

Here you are:


























*# Path to your rules files (this can be a relative path)# Note for Windows
users:  You are advised to make this an absolute path,# such as:
c:\snort\rulesvar RULE_PATH /etc/snort/rulesvar SO_RULE_PATH
/etc/snort/so_rulesvar PREPROC_RULE_PATH /etc/snort/preproc_rules# If you
are using reputation preprocessor set thesevar WHITE_LIST_PATH
/etc/snort/rulesvar BLACK_LIST_PATH /etc/snort/rules# Reputation
preprocessor. For more information see README.reputationpreprocessor
reputation: \   memcap 500, \   priority whitelist, \   nested_ip inner,
\   whitelist $WHITE_LIST_PATH/white_list.rules, \   blacklist
$BLACK_LIST_PATH/black_list.rules # site specific rulesinclude
$RULE_PATH/local.rulesinclude $RULE_PATH/app-detect.rulesinclude
$RULE_PATH/attack-responses.rulesinclude $RULE_PATH/backdoor.rulesinclude
$RULE_PATH/bad-traffic.rulesinclude $RULE_PATH/blacklist.rules*



2014-10-06 19:56 GMT+07:00 Joel Esler (jesler) <jesler () cisco com>:

> On Oct 6, 2014, at 1:38 AM, Jutichai Thongkrachai <thsecmaniac () gmail com>
> wrote:
>
> Hello,
>
> Before I have a problem, I installed pulledpork for getting the latest
> rule from snort.
>
> After that I restart snort but get this error:
>
> Oct 06 12:25:55 snort[25714]: Detection:
> Oct 06 12:25:55 snort[25714]: Search-Method = AC-Full-Q
> Oct 06 12:25:55 snort[25714]: Split Any/Any group = enabled
> Oct 06 12:25:55 snort[25714]: Search-Method-Optimizations = enabled
> Oct 06 12:25:55 snort[25714]: Maximum pattern length = 20
> Oct 06 12:25:55 snort[25714]: FATAL ERROR:
> /etc/snort/rules/blacklist.rules(1) Invalid configuration line:
> 1.122.106.236
> Oct 06 12:25:55 snort[25709]: [33B blob data]
> Oct 06 12:25:55 systemd[1]: snort.service: control process exited,
> code=exited status=1
> Oct 06 12:25:55 systemd[1]: Failed to start LSB: Start up the SNORT
> Intrusion Detection System daemon.
>
>
> but in the blacklist.rules, there are just ip address per line only
>
>
> <trim digest>
>
> Looks like you aren’t loading the blacklist as a blacklist inside the
> preprocessor.  It appears Snort is trying to load the Blacklist as a
> configuration option or something.
>
> Can you attach your snort.conf?
>
>
> --
> *Joel Esler*
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
------------------------------------------------------------------------------
Slashdot TV.  Videos for Nerds.  Stuff that Matters.
http://pubads.g.doubleclick.net/gampad/clk?id=160591471&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!