Home page logo
/

snort logo Snort mailing list archives

Re: Assistance with Blacklist
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 9 Apr 2013 20:28:44 -0400

Send your whole snort.conf.  Just in case. 

--
Joel Esler
Sent from my iPhone 

On Apr 9, 2013, at 8:15 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 4/9/2013 15:57, Hannibal S. Jackson wrote:
I didn't try to verify yet b/c I can't get snort to run properly, it exists when
it's starting up because it's having an issue with that line in the
black_list.rules file. If I comment that white and black lists out in the
snort.conf, snort starts just fine.

please provide...

1. the error message from the log file
2. the contents of your blacklist file
3. the reputation processor lines from your snort.conf file
4. the results of "snort -V" without the quotes

i think that will handle it...

--------------------------------------------------------------------------------
*From:* waldo kitty <wkitty42 () windstream net>
*To:* Hannibal S. Jackson <hannibaljackson () yahoo com>;
"snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
*Sent:* Tuesday, April 9, 2013 2:31 PM
*Subject:* Re: [Snort-users] Assistance with Blacklist



On 4/9/2013 12:59, Hannibal S. Jackson wrote:
So you have to use a CIDR notation?

i don't know... your post used an invalid CIDR notation so i took an eWAG and
figured that you were wanting to block the entire network that that IP belongs
to... a quick lookup showed that it belongs to facebook so i continued with the
eWAG and guessed that the entire network was what you were wanting to block...
you can't start a CIDR entry in the middle of the netblock, TTBOMK... you have
to list it with the network's address... 31.13.64.0 in this case...

It's for a class and he just wanted to see
if we could get it working. Obviously facebook has a bunch of IP's; however, I
tried to put just the IP in the file without the CIDR mask and it didn't work.

what didn't work? accessing that IP? how did you try to verify it? did you try
going to facebook and you were successful? this may be problematic because the
browser may have had the page cached and pulled it from there OR the DNS may
have given you another IP for facebook...

The examples I found online showed some with it and some without it. I tired /0
/8 /16 and then gave up. Thanks, I'll try that when I get back to my machine.

start here -> http://s3.amazonaws.com/snort-org/www/assets/166/snort_manual.pdf

section 2.2.19 Reputation Processor (pg. 118) then croll down to the bottom of
page 119 and the top of page 120 for working examples... the default.whitelist
example does show plain IPs without any type of mask...

barring that, i've offered what i know and dug up from the docs ;)



--------------------------------------------------------------------------------
*From:* waldo kitty <wkitty42 () windstream net <mailto:wkitty42 () windstream net>>
*To:* snort-users () lists sourceforge net
<mailto:snort-users () lists sourceforge net>
*Sent:* Tuesday, April 9, 2013 12:44 PM
*Subject:* Re: [Snort-users] Assistance with Blacklist

On 4/9/2013 10:30, Hannibal S. Jackson wrote:
I'm getting ERROR: c:\snort\rules\black_list.rules (4) Invalid configuration
line: 31.13.69.160

The only thing I have in my black_list.rules file is this:

# This is my black_list.rules file for www.facebook.com
<http://www.facebook.com/>
<http://www.facebook.com/>
31.13.69.160/0

this is not a valid network address or CIDR mask... the address is a
workstation/server address, though... you need to use a proper network address
and CIDR mask...

in this case, the facebook network range is 31.13.64.0 - 31.13.127.255 so the
proper mask would be 31.13.64.0/18


IP Address : 31.13.64.0
Address Class : Classless /18
Network Address : 31.13.64.0

Subnet Address : 31.13.64.0
Subnet Mask : 255.255.192.0
Subnet bit mask : nnnnnnnn.nnnnnnnn.nnhhhhhh.hhhhhhhh
Subnet Bits : 18
Host Bits : 14
Number of Subnets : 1
Hosts per Subnet : 16382

Subnet : 31.13.64.0
Mask : 255.255.192.0
Subnet Size : 16382 Hosts
Host Range : 31.13.64.1 to 31.13.127.254
Broadcast : 31.13.127.255



------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]