
IPBLACKLIST: /etc/snort/rules/iplists/default.blacklist not updated when -n option used #248

Open
marcindulak opened this issue Nov 30, 2016 · 2 comments
Labels
bug Known bug in the code. Priority-Low

Comments

@marcindulak
Contributor

Fedora 23, I'm not sure this is the expected behavior. /etc/snort/rules/iplists/default.blacklist is not updated when the -n option is used, while /etc/snort/rules/snort.rules is updated.

# pulledpork -V
PulledPork v0.7.2 - E.Coli in your water bottle!

# rm -f /etc/snort/rules/snort.rules
# rm -rf /etc/snort/rules/iplists*
# mkdir /etc/snort/rules/iplists/

# grep -E 'black_list=|IPRVersion=' /etc/pulledpork/pulledpork.conf 
black_list=/etc/snort/rules/iplists/default.blacklist
IPRVersion=/etc/snort/rules/iplists

# grep '^rule_url=' /etc/pulledpork/pulledpork.conf 
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open

# pulledpork -PE -c /etc/pulledpork/pulledpork.conf
# wc -l /etc/snort/rules/snort.rules 
870 /etc/snort/rules/snort.rules
# wc -l /etc/snort/rules/iplists/default.blacklist 
2000 /etc/snort/rules/iplists/default.blacklist

# echo > /etc/snort/rules/snort.rules
# echo > /etc/snort/rules/iplists/default.blacklist

# pulledpork -PEn -c /etc/pulledpork/pulledpork.conf
# wc -l /etc/snort/rules/snort.rules 
870 /etc/snort/rules/snort.rules
# wc -l /etc/snort/rules/iplists/default.blacklist
1 /etc/snort/rules/iplists/default.blacklist

# rm -f /etc/snort/rules/iplistsIPRVersion.dat
# echo > /etc/snort/rules/iplists/default.blacklist
# pulledpork -PEn -c /etc/pulledpork/pulledpork.conf
# test -r /etc/snort/rules/iplistsIPRVersion.dat || echo missing
missing

# pulledpork -PE -c /etc/pulledpork/pulledpork.conf
# wc -l /etc/snort/rules/iplists/default.blacklist 
2000 /etc/snort/rules/iplists/default.blacklist

Maybe related to #129

@shirkdog
Owner

I believe the original intent was to only reload Snort if there were in fact new IPs that need to be loaded into the running binary.

The check "!$NoDownload" achieves this, where the default is $NoDownload set to null, unless you pass -n on the command line.

@shirkdog shirkdog added bug Known bug in the code. Priority-Low labels Dec 6, 2017
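A deployment-side check for the symptom reported above, added here as an example (it is not pulledpork's own code): it refuses a default.blacklist that is missing, empty (the single blank line left behind when the IPBLACKLIST write is skipped), or malformed, so that file is never handed to a Snort reload. The one-IPv4-address-or-CIDR-per-line format with '#' comments is an assumption about the blacklist file.

```shell
#!/bin/sh
# Added example, not part of pulledpork or this thread.
# check_blacklist FILE
#   Returns 0 and prints the entry count when FILE is a usable Snort IP
#   blacklist; returns 1 with a reason otherwise. Run it after pulledpork
#   and before reloading Snort, so a skipped or failed blacklist write is
#   caught instead of loading an empty list.
check_blacklist() {
    file="$1"
    [ -r "$file" ] || { echo "missing: $file"; return 1; }

    # Count real entries: lines that are neither blank nor '#' comments.
    # '|| true' keeps the count even when grep exits 1 for zero matches.
    entries=$(grep -cvE '^[[:space:]]*(#|$)' "$file" || true)
    [ "$entries" -gt 0 ] || { echo "empty blacklist: $file"; return 1; }

    # Assumed line format: dotted-quad IPv4 address, optional /prefix.
    # Anything else (IPv6, hostnames, garbage) is reported as malformed.
    bad=$(grep -vE '^[[:space:]]*(#|$)' "$file" \
        | grep -cvE '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?[[:space:]]*$' \
        || true)
    [ "$bad" -eq 0 ] || { echo "$bad malformed line(s) in $file"; return 1; }

    echo "ok: $entries entries in $file"
    return 0
}

# Usage: check_blacklist /etc/snort/rules/iplists/default.blacklist && systemctl reload snort
```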
@WarHead

WarHead commented Aug 9, 2019

v0.7.4

Generating Stub Rules....
An error occurred: WARNING: ip4 normalizations disabled because not inline.
An error occurred: WARNING: tcp normalizations disabled because not inline.
An error occurred: WARNING: icmp4 normalizations disabled because not inline.
An error occurred: WARNING: ip6 normalizations disabled because not inline.
An error occurred: WARNING: icmp6 normalizations disabled because not inline.
    Done

Reading rules...
Writing Blacklist File /etc/snort/rules/iplists/default.blacklist....
Unable to open /etc/snort/rules/iplists/default.blacklist for writing! - No such file or directory
at /usr/local/bin/pulledpork.pl line 1334.
main::blacklist_write(HASH(0x555e2b562b90), "/etc/snort/rules/iplists/default.blacklist") called at /usr/local/bin/pulledpork.pl line 2347

The directory really doesn't exist on my system with snort: snort-2.9.14.1.tar.gz
