Good Morning,
I'm having some difficulties getting the ip reputation piece up and working the way that I want it. Can someone please correct me where I am wrong?
PulledPork 0.7.0
Snort 2.9.5.5
PulledPork configuration:
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
black_list=/etc/snort/rules/black_list-p2p1.rules
IPRVersion=/etc/snort/rules/
Snort configuration:
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules
preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
# whitelist $WHITE_LIST_PATH/white_list-p2p1.rules, \
blacklist $BLACK_LIST_PATH/black_list-p2p1.rules
I have a cron script that downloads the ip list every night at a predetermined time:
wget -v http://labs.snort.org/feeds/ip-filter.blf -O /opt/pulledpork/tmp/sigs/IPBLACKLIST
The machine has multiple interfaces, so I only want to download the file once and then process from that downloaded copy for all interfaces. PulledPork is run with '-P' so that rules are processed even though they weren't downloaded, and with '-n' ("do everything other than download of new files (disablesid, etc.)").
So, the steps would be:
1) download file and place it in /opt/pulledpork/tmp/sigs/IPBLACKLIST
2) run pulledpork and process the rules / ip lists.
3) PP then generates an IP blacklist file called 'black_list-p2p1.rules' and places it in /etc/snort/rules/black_list-p2p1.rules
Everything except for this ip reputation is working properly, and has been working properly for some time.
Does anyone have a clue why this isn't working?
Thanks,
Brad
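The download-once, process-per-interface flow laid out in steps 1 to 3 above, written as a cron-friendly shell script. This is an added example and not Brad's script or anything shipped with PulledPork or Snort. It assumes one PulledPork config per interface at /etc/pulledpork/pulledpork-<iface>.conf (selected with pulledpork.pl's -c option), that ip-filter.blf holds one IPv4 address or IPv4/prefix per line with optional '#' comments, and that the real pipeline only runs when the hypothetical UPDATE_BLACKLIST_RUN=1 variable is set, so the helper functions can be exercised without network access. The one thing it adds over the steps in the post is a validation pass on the downloaded list: an HTTP error page or truncated download saved as IPBLACKLIST would otherwise be handed to PulledPork silently and could leave the previous good blacklist overwritten with nothing useful.

```shell
#!/bin/sh
# Added example (not from the original post): fetch the Snort IP blacklist once,
# sanity-check it, then let PulledPork process it for each interface.
# Assumptions (not on the page): one PulledPork config per interface at
# /etc/pulledpork/pulledpork-<iface>.conf, and ip-filter.blf holding one
# IPv4 address or IPv4/prefix per line with optional '#' comments.
set -eu

FEED_URL="http://labs.snort.org/feeds/ip-filter.blf"
BLF_PATH="/opt/pulledpork/tmp/sigs/IPBLACKLIST"
PP_BIN="/opt/pulledpork/pulledpork.pl"
INTERFACES="p2p1"          # space-separated; add the other interfaces here

# Return 0 if the file is non-empty and every non-blank, non-comment line is an
# IPv4 address or IPv4/CIDR. An HTML error page or a truncated download fails here.
valid_blf_file() {
    f="$1"
    [ -s "$f" ] || return 1
    bad=$(grep -v -E '^[[:space:]]*(#|$)' "$f" \
        | grep -v -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?[[:space:]]*$' \
        | wc -l)
    [ "$bad" -eq 0 ]
}

# Count usable entries so the cron log shows how many addresses were pulled.
blf_entry_count() {
    grep -c -E '^[[:space:]]*([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?' "$1" || true
}

# Step 1: download to a temp file first so a failed fetch never clobbers the
# last good copy of IPBLACKLIST.
fetch_blacklist() {
    tmp="${BLF_PATH}.tmp.$$"
    wget -q "$FEED_URL" -O "$tmp"
    if valid_blf_file "$tmp"; then
        mv "$tmp" "$BLF_PATH"
    else
        rm -f "$tmp"
        echo "downloaded list failed validation; keeping previous copy" >&2
        return 1
    fi
}

# Steps 2 and 3: -P processes rules even though nothing was downloaded, -n skips
# the download itself, -c selects the per-interface config. Then confirm the
# blacklist file PulledPork is expected to write actually exists and is non-empty.
run_pulledpork() {
    for iface in $INTERFACES; do
        "$PP_BIN" -c "/etc/pulledpork/pulledpork-${iface}.conf" -P -n
        out="/etc/snort/rules/black_list-${iface}.rules"
        [ -s "$out" ] || { echo "no blacklist generated for $iface" >&2; return 1; }
        echo "$iface: $(blf_entry_count "$out") blacklist entries"
    done
}

# Only run the real pipeline when invoked explicitly, e.g. from cron:
#   UPDATE_BLACKLIST_RUN=1 /usr/local/sbin/update-blacklist.sh
if [ "${UPDATE_BLACKLIST_RUN:-0}" = "1" ]; then
    fetch_blacklist
    run_pulledpork
fi
```

If fetch_blacklist fails, the script exits before PulledPork runs, so Snort keeps the blacklist from the previous night rather than reloading an empty or corrupt one; the per-interface check at the end catches the case in the post where everything runs but no black_list-<iface>.rules appears.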