Send Snort-users mailing list submissions to
snort...@lists.sourceforge.net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-use...@lists.sourceforge.net
You can reach the person managing the list at
snort-us...@lists.sourceforge.net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."
When responding, please don't respond with the entire Digest. Please trim your response.
Today's Topics:
1. Measuring the delay introduced by Snort (Jiahua Yu)
2. FATAL error on the snort as" Snort[]: FATAL ERROR: Event6
type not yet supported!" (vinay kadagave)
3. Re: The DAQ version does not support reload (waldo kitty)
4. Re: Multiple Instances of SNORT (test engineer)
---------- Forwarded message ----------
From: Jiahua Yu <yjh...@gmail.com>
To: snort...@lists.sourceforge.net
Cc:
Date: Fri, 3 Oct 2014 11:18:30 -0400
Subject: [Snort-users] Measuring the delay introduced by Snort

Hi,
I have recently been using Performance Monitor to dump real-time statistics of Snort.
1. A field 'uSeconds/Sec' is included with the 'max' option, given the definition of 'max' as "theoretical maximum performance that Snort calculates". Does the 'uSeconds/Sec' refer to the shortest time each packet would take? Is it a calculation instead of real-time averaging of processed packets?
2. Since I am looking to find the real-time delay of packets introduced by Snort, is there any metric that I could use? I have tried the Packet Performance Monitor and counting numbers beyond the threshold, but that makes me count the delay events in the log file.
3. In perfmonitor there are the metrics Drop Rate and Percentage of Packets Dropped; what's their difference and relationship? I found the previous thread http://seclists.org/snort/2010/q3/519 but it didn't come with much explanation.
Thanks,
Jiahua
---------- Forwarded message ----------
From: vinay kadagave <vinay_k...@yahoo.com>
To: "Snort...@lists.sourceforge.net" <Snort...@lists.sourceforge.net>
Cc:
Date: Fri, 3 Oct 2014 17:11:30 +0000 (UTC)
Subject: [Snort-users] FATAL error on the snort as" Snort[]: FATAL ERROR: Event6 type not yet supported!"

Greetings,
I am getting the FATAL error on Snort as "Snort[]: FATAL ERROR: Event6 type not yet supported!". Due to this error Snort is not generating any alerts. I searched online but didn't get any information about this error, so does anyone know about this?
Snort Details:
OS: Ubuntu
Snort version:
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47)
   ''''    Using libpcap version 1.1.1
           Using PCRE version: 8.34 2013-12-15
           Using ZLIB version: 1.2.8
Running barnyard2.
Thanks & Regards,
vinay
---------- Forwarded message ----------
From: waldo kitty <wkit...@windstream.net>
To: snort...@lists.sourceforge.net
Cc:
Date: Fri, 03 Oct 2014 13:33:09 -0400
Subject: Re: [Snort-users] The DAQ version does not support reload
On 10/3/2014 9:57 AM, Deepak Yadav wrote:
> Hi all,
> I have managed to install Snort on Win7. I have ONE eth on my PC, and on that one I
> am getting the below error:
> Please suggest..!!!

the subject title and reported error is not your problem...

> C:\Snort\bin>snort -i 1 -e c:snort\etcsnort.conf -A console -T
> Running in packet dump mode
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Snort BPF option: c:snort\etcsnort.conf -A console -T

the above line is your problem...

> pcap DAQ configured to passive.
> The DAQ version does not support reload.
> Acquiring network traffic from "\Device\NPF_{037B06CB-66F4-4AA9-AB91-9141848D1EAD}".
> ERROR: Can't set DAQ BPF filter to 'c:snort\etcsnort.conf -A console -T' (└$O)!

which is further confirmed by the above line...

the solution is to use the proper command line options and parameters in the correct order...
--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
---------- Forwarded message ----------
From: test engineer <test...@gmail.com>
To: Robert Cotter <Robert...@emulex.com>
Cc: "snort...@lists.sourceforge.net" <snort...@lists.sourceforge.net>
Date: Fri, 3 Oct 2014 15:22:17 -0400
Subject: Re: [Snort-users] Multiple Instances of SNORT

Successfully configured 8 2-tuple strings and spun up 8 Snort processes. CPU usage down to a minimum and no packet drops. Thanks for your help.

On Fri, Oct 3, 2014 at 10:57 AM, test engineer <test...@gmail.com> wrote:

Thank you for your suggestions on Hash Load Balancing. I contacted Endace support and received instructions and this document which describes the process: EDM04-31v5 Enhanced Packet Processing Guide v2

On Thu, Oct 2, 2014 at 7:14 PM, Robert Cotter <Robert...@emulex.com> wrote:

Reach out to the Endace support team for assistance on the setup for what you're trying to achieve; the link to the support page is below, email or call them.
http://www.emulex.com/support/network-visibility-products/overview/
Bill is correct on his statement regarding the model type and we support several different methods for spreading the traffic, talk it through with the Endace support people.
If you have any problems talking to them contact me directly and I will see what I can do to assist you.
Regards
Robert Cotter
Sales Engineer APAC – Endace, a division of Emulex
From: Bill Bernsen [mailto:bill.b...@nyu.edu]
Sent: Friday, 3 October 2014 3:43 a.m.
To: Y M
Cc: snort...@lists.sourceforge.net
Subject: Re: [Snort-users] Multiple Instances of SNORT
Which DAG are you using? The model determines the number of interfaces (and how) you can distribute your traffic. Admittedly, you'll probably only need 2. On a modern box, 250M is a pretty safe place for snort to be for each instance. You'll often start seeing problems when you push past 300M.
On Thu, Oct 2, 2014 at 10:32 AM, Y M <sn...@outlook.com> wrote:
Running multiple Snort instances without a method of packet distribution / load balancing will not achieve what you are after. Your best choice would be PF_RING.
YM
Sent from Mobile
From: test engineer
Sent: 10/2/2014 5:11 PM
To: snort...@lists.sourceforge.net
Subject: [Snort-users] Multiple Instances of SNORT

Greetings
I'm new to the community and need some guidance. I have a Dell R720 with plenty of memory, CPUs and storage. I'm using an Emulex DAG NIC. Running minimal install of CentOS 6.5 with Snort 2.9. My CPU usage hits 80% with only 500M of traffic and Snort starts dropping packets. From what I've read, I can spin up more instances of Snort on the same interface and perhaps specify different CPUs for each process.
I start Snort as a daemon via command line for now using:
/usr/sbin/snort -G 1 -A fast -U -b -d -D -i dag0:0 -e -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
I tried spinning up another process with -G 2 but no new processes start when checking ps -ef | grep snort.
Any direction is greatly appreciated.
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Bill Bernsen
Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
On Oct 6, 2014, at 1:38 AM, Jutichai Thongkrachai <thsec...@gmail.com> wrote:
> Hello,
> Before I had this problem, I installed pulledpork to get the latest rules from Snort. After that I restarted Snort but got this error:
> Oct 06 12:25:55 snort[25714]: Detection:
> Oct 06 12:25:55 snort[25714]: Search-Method = AC-Full-Q
> Oct 06 12:25:55 snort[25714]: Split Any/Any group = enabled
> Oct 06 12:25:55 snort[25714]: Search-Method-Optimizations = enabled
> Oct 06 12:25:55 snort[25714]: Maximum pattern length = 20
> Oct 06 12:25:55 snort[25714]: FATAL ERROR: /etc/snort/rules/blacklist.rules(1) Invalid configuration line: 1.122.106.236
> Oct 06 12:25:55 snort[25709]: [33B blob data]
> Oct 06 12:25:55 systemd[1]: snort.service: control process exited, code=exited status=1
> Oct 06 12:25:55 systemd[1]: Failed to start LSB: Start up the SNORT Intrusion Detection System daemon.
> But in blacklist.rules there are just IP addresses, one per line.

Looks like you aren't loading the blacklist as a blacklist inside the preprocessor. It appears Snort is trying to load the blacklist as a configuration option or something. Can you attach your snort.conf?
--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
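A small checker for the misconfiguration Joel's reply points at (an IP list handed to Snort as if it were a rules file), added here as an example and not part of the original thread or of Snort itself. The snort.conf fragments, the blacklist content and the reputation preprocessor settings are constructed, and that a stray `include` is the cause is an assumption the reply only suggests.

```python
import ipaddress
import re

# Constructed snort.conf fragments (not from the original thread). The first pulls the
# IP list in with "include", so Snort parses each address as a rule line; the second
# hands the file to the reputation preprocessor, which expects one IP/CIDR per line.
CONF_WRONG = """\
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/blacklist.rules
"""
CONF_RIGHT = """\
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
preprocessor reputation: memcap 500, priority whitelist, nested_ip inner, \\
    blacklist $RULE_PATH/blacklist.rules
"""
# Constructed blacklist: comments plus one IP or CIDR per line, as the poster described.
BLACKLIST = "# sample blacklist (constructed)\n1.122.106.236\n203.0.113.0/24\n"

def is_ip_list(text):
    """True if every non-blank, non-comment line is an IPv4/IPv6 address or CIDR block."""
    entries = [l.strip() for l in text.splitlines()]
    entries = [l for l in entries if l and not l.startswith("#")]
    if not entries:
        return False
    try:
        for entry in entries:
            ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False
    return True

def audit_conf(conf_text, files):
    """Report files that snort.conf 'include's even though they are plain IP lists.
    files maps an expanded path to its content (read from disk in real use)."""
    variables, findings = {}, []
    expand = lambda s: re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), s)
    # Join backslash-continued lines first, then walk the config line by line.
    for line in conf_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        m = re.match(r"var\s+(\w+)\s+(\S+)", line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = re.match(r"include\s+(\S+)", line)
        if m:
            path = expand(m.group(1))
            if path in files and is_ip_list(files[path]):
                findings.append(f"{path}: IP list loaded via include; pass it to "
                                "'preprocessor reputation: ... blacklist <path>' instead")
    return findings
```

Run `audit_conf(CONF_WRONG, {"/etc/snort/rules/blacklist.rules": BLACKLIST})` to see the finding that corresponds to the "Invalid configuration line" fatal error; the corrected fragment yields none.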
Today's Topics:
1. Re: 93.184.215.200 black listed IP address (Joel Esler (jesler))
2. Re: Get Invalid Configuration in blacklist.rules when restart
Snort (Joel Esler (jesler))
---------- Forwarded message ----------
From: "Joel Esler (jesler)" <jes...@cisco.com>
To: Ceejay Cervantes <ceejay.c...@gmail.com>
Cc: "snort...@lists.sourceforge.net" <snort...@lists.sourceforge.net>
Date: Mon, 6 Oct 2014 14:22:24 +0000
Subject: Re: [Snort-users] 93.184.215.200 black listed IP address

We have it listed as an “Attacker” from an outside source. It’s a private IP out registered through RIPE’s server. Allegedly registered to a private address in Santa Monica, CA. Don’t think that’s Microsoft.
--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
On Oct 6, 2014, at 10:07 AM, Ceejay Cervantes <ceejay.c...@gmail.com> wrote:
> Hello,
> Good day.
> Any idea on why the 93.184.215.200 IP address was included in black_list.rules? It seems to be a false positive. Am seeing microsoft.com domains on tcpdump.
> regards,
> Ceejay
---------- Forwarded message ----------
From: "Joel Esler (jesler)" <jes...@cisco.com>
To: Stephen Gantz <stephe...@faculty.umuc.edu>
Cc: Jutichai Thongkrachai <thsec...@gmail.com>, "snort...@lists.sourceforge.net" <snort...@lists.sourceforge.net>
Date: Mon, 6 Oct 2014 14:26:55 +0000
Subject: Re: [Snort-users] Get Invalid Configuration in blacklist.rules when restart Snort

Good call Stephen… I’m sure I have the power to fix this issue… J