Snort mailing list archives
Re: Snort IP blacklist issue
From: Shirkdog <shirkdog () gmail com>
Date: Thu, 27 Aug 2015 18:53:12 -0400
We would have to see a sanitized copy of your pulledpork.conf (take out your oinkcode) and you need to make sure all of the referenced files/directories in the config exist, and that permissions are not an issue for the user running pulledpork.

The howto you referenced was for version 0.7.0, and although there were no major changes til now, the latest blacklist has been tested with the current version of Snort. So also check your versions of the tools.

Snort 2.9.7.5
Pulledpork 0.7.2

On Aug 27, 2015 5:16 PM, "ha dinhphu" <hadinhphu () gmail com> wrote:

> Well, I followed the instructions from here:
> http://sublimerobots.com/2014/12/installing-snort-part-5/ which is exactly
> the same as the instructions posted on the snort.org website. So I don't
> know where the issue is.
>
> On Thu, Aug 27, 2015 at 4:13 PM, Shirkdog <shirkdog () gmail com> wrote:
>
>> I am not seeing this issue, with the correct permissions with the latest
>> code (about to release 0.7.2):
>>
>> https://github.com/shirkdog/pulledpork
>>
>>       _____ ____
>>      `----,\    )
>>       `--==\\  /    PulledPork v0.7.2 - E.Coli in your water bottle!
>>        `--==\\/
>>      .-~~~~-.Y|\\_  Copyright (C) 2009-2015 JJ Cummings
>>   @_/        /  66\_  cummingsj () gmail com
>>     |    \   \   _(")
>>      \   /-| ||'--'  Rules give me wings!
>>       \_\  \_\\
>>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Checking latest MD5 for snortrules-snapshot-2975.tar.gz....
>> Rules tarball download of snortrules-snapshot-2975.tar.gz....
>>         They Match
>>         Done!
>> Checking latest MD5 for community-rules.tar.gz....
>> Rules tarball download of community-rules.tar.gz....
>>         They Match
>>         Done!
>> IP Blacklist download of http://talosintel.com/files/additional_resources/ips_blacklist/ip-filter.blf....
>> Reading IP List...
>> Checking latest MD5 for opensource.gz....
>> Rules tarball download of opensource.gz....
>>         They Match
>>         Done!
>> Prepping rules from opensource.gz for work....
>>         Done!
>> Prepping rules from community-rules.tar.gz for work....
>>         Done!
>> Prepping rules from snortrules-snapshot-2975.tar.gz for work....
>>         Done!
>> Reading rules...
>> Reading rules...
>> Writing Blacklist File /usr/local/etc/snort/rules/iplists/default.blacklist....
>> Writing Blacklist Version 825308466 to /usr/local/etc/snort/rules/iplistsIPRVersion.dat....
>> Setting Flowbit State....
>>         Enabled 16 flowbits
>>         Done
>> Writing /usr/local/etc/snort/rules/snort.rules....
>>         Done
>> Generating sid-msg.map....
>>         Done
>> Writing v1 /usr/local/etc/snort/sid-msg.map....
>>         Done
>> Writing /var/log/sid_changes.log....
>>         Done
>> Rule Stats...
>>         New:-------0
>>         Deleted:---0
>>         Enabled Rules:----8695
>>         Dropped Rules:----0
>>         Disabled Rules:---17344
>>         Total Rules:------26039
>> IP Blacklist Stats...
>>         Total IPs:-----6312
>> Done
>> Please review /var/log/sid_changes.log for additional details
>> Fly Piggy Fly!
>>
>> ---
>> Michael Shirk
>>
>> On Thu, Aug 27, 2015 at 1:26 PM, ha dinhphu <hadinhphu () gmail com> wrote:
>>
>>> It's been a while since I asked about this problem. Does anyone have a
>>> solution for it?
>>>
>>> On Fri, Aug 14, 2015 at 1:12 PM, ha dinhphu <hadinhphu () gmail com> wrote:
>>>
>>>> Hi kitty,
>>>>
>>>> Yes, my /tmp directory is available with rwx permission by all users. I
>>>> ran the command as root, so I don't think that's the problem.
>>>>
>>>> https://code.google.com/p/pulledpork/issues/detail?id=166 -- another user
>>>> has the same problem.
>>>> http://sourceforge.net/p/snort/mailman/message/32913112/ -- snort-user
>>>>
>>>> On Fri, Aug 14, 2015 at 1:04 PM, waldo kitty <wkitty42 () windstream net> wrote:
>>>>
>>>>> On 08/14/2015 12:21 PM, ha dinhphu wrote:
>>>>>
>>>>>> IP Blacklist download of http://talosintel.com/files/additional_resources/ips_blacklist/ip-filter.blf....
>>>>>> Reading IP List...
>>>>>> Couldn't read /tmp/296.170136981772-black_list.rules - No such file or directory
>>>>>
>>>>> what linux are you using? does it have a working /tmp directory that is
>>>>> writable by all users?
>>>>>
>>>>> both of your reports have been failures to read a file that should have
>>>>> been downloaded into /tmp... these failures seem to point to /tmp not
>>>>> existing or it is not writable by the user your pulledpork is running as...
>>>>>
>>>>> --
>>>>> NOTE: No off-list assistance is given without prior approval.
>>>>> *Please keep mailing list traffic on the list* unless
>>>>> private contact is specifically requested and granted.
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users () lists sourceforge net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>
>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
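The two checks asked for at the top of this message (a sanitized pulledpork.conf with the oinkcode taken out, and every referenced file or directory existing with usable permissions), as an added example that is not part of the original message or of PulledPork itself. The grouping of config keys, the assumption that an oinkcode is a long hex string, and the sample config are all constructed for illustration.

```python
import os
import re

# Path-valued keys from the stock pulledpork.conf, grouped (as an assumption)
# by how the path is used: written output, working directory, or read input.
WRITTEN_FILES = {"rule_path", "sid_msg", "sid_changelog", "black_list"}
WORK_DIRS = {"temp_path", "IPRVersion"}
READ_FILES = {"snort_path", "config_path"}

# Constructed sample; the 40-character code is a made-up placeholder.
SAMPLE_CONF = """\
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|0123456789abcdef0123456789abcdef01234567
rule_url=http://talosintel.com/files/additional_resources/ips_blacklist/ip-filter.blf|IPBLACKLIST|open
temp_path=/tmp
black_list=/nonexistent-example/iplists/default.blacklist
"""

def parse_conf(text):
    """Yield (key, value) for each active key=value line (comments skipped)."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()

def sanitize(text):
    """Redact the oinkcode: the third |-separated field of a rule_url line.
    Assumption: it is a hex string of 32+ characters; other values are kept."""
    pattern = r"(?m)^(rule_url=[^|\n]*\|[^|\n]*\|)[0-9a-fA-F]{32,}[ \t]*$"
    return re.sub(pattern, r"\1<oinkcode>", text)

def check_paths(text):
    """Return problems as seen by the user running this check."""
    problems = []
    for key, value in parse_conf(text):
        if key in WORK_DIRS:
            if not os.path.isdir(value):
                problems.append(f"{key}: {value} is not an existing directory")
            elif not os.access(value, os.W_OK | os.X_OK):
                problems.append(f"{key}: {value} is not writable")
        elif key in WRITTEN_FILES:
            parent = os.path.dirname(value) or "."
            if not os.path.isdir(parent):
                problems.append(f"{key}: directory {parent} does not exist")
            elif not os.access(parent, os.W_OK | os.X_OK):
                problems.append(f"{key}: directory {parent} is not writable")
        elif key in READ_FILES and not os.access(value, os.R_OK):
            problems.append(f"{key}: {value} is missing or unreadable")
    return problems

if __name__ == "__main__":
    print(sanitize(SAMPLE_CONF))
    print("\n".join(check_paths(SAMPLE_CONF)) or "all referenced paths look usable")
```

Run it as the same account that runs pulledpork, since `os.access` answers for the calling user and root passes permission checks that an unprivileged user would fail.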