Snort mailing list archives
Re: snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips
From: Marcin Dulak <marcin.dulak () gmail com>
Date: Tue, 21 Feb 2017 13:28:27 +0100
On Tue, Feb 21, 2017 at 12:44 PM, Russ <rucombs () cisco com> wrote:

> On 2/20/17 10:02 PM, Marcin Dulak wrote:
>
> > Hi,
> >
> > snort3: https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438
> >
> > When I use the configuration below, /etc/snort/sample.rules gets loaded.
>
> Which means you are running from /etc/snort.
>
> > RULE_PATH = '../rules'
> > local_rules =
> > [[
> > include sample.rules
> > ]]
> > ips =
> > {
> >     rules = local_rules,
> > }
> >
> > How to modify the configuration in order to achieve two goals:
> >
> > 1. use the sample.rules located under the RULE_PATH directory by specifying the RULE_PATH variable, i.e. include RULE_PATH .. 'sample.rules'?
>
> RULE_PATH = '../rules/'
> ips = { include = RULE_PATH .. 'sample.rules' }

It looks like one really needs to specify the full path (using conf_dir defined in /etc/snort/snort.lua). This works:

# ls -1 /etc/snort/rules/*.rules
/etc/snort/rules/host.rules
/etc/snort/rules/sample.rules

# grep RULE_PATH /etc/snort/snort_defaults.lua | grep -v IN
RULE_PATH = conf_dir .. '/rules'

ips =
{
    include = RULE_PATH .. '/sample.rules',
    include = RULE_PATH .. '/host.rules'
}

with:

# pwd
/root
# SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort -c /etc/snort/snort.lua

> > 2. have the sample.rules loaded without the ips option?
>
> snort -R ../rules/sample.rules

So the ips variable is used to load custom rules files, even if in IDS mode?

Marcin
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
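Added example, not part of the thread or of Snort's shipped configuration: the reply above puts two `include` keys in one `ips` table, and a Lua table constructor that repeats a key keeps a single value for it, so a sensor configured that way can end up with one of the two rule files unloaded. The sketch below builds a single `rules` string with one `include` line per file instead, reusing the `rules = [[ include ... ]]` form from the original question. It assumes that `include` inside `ips.rules` accepts an absolute path the same way it accepted the relative one in the thread; the `/etc/snort` fallback, `rule_files` and `include_lines` are hypothetical names introduced for illustration.

```lua
-- Added example (not from the thread): load several rule files from one
-- directory with a single ips.rules string.

-- conf_dir is defined in /etc/snort/snort.lua according to the thread; the
-- fallback only lets this file run stand-alone (e.g. with luajit).
conf_dir = conf_dir or '/etc/snort'
RULE_PATH = conf_dir .. '/rules'

-- Files shown in the thread's directory listing.
local rule_files = { 'sample.rules', 'host.rules' }

-- Hypothetical helper: one "include <dir>/<file>" line per entry.
local function include_lines(dir, files)
    local lines = {}
    for _, name in ipairs(files) do
        lines[#lines + 1] = 'include ' .. dir .. '/' .. name
    end
    return table.concat(lines, '\n')
end

ips =
{
    -- Assumption: absolute paths are accepted by "include" inside ips.rules.
    rules = include_lines(RULE_PATH, rule_files),
}

-- Why not two "include" keys: a repeated key in a table constructor leaves
-- exactly one entry in the table, so one of the two paths is lost.
local dup = { include = 'a.rules', include = 'b.rules' }
local count = 0
for _ in pairs(dup) do count = count + 1 end
assert(count == 1, 'a repeated key yields a single table entry')

-- Sanity check on the generated string: both files are referenced.
for _, name in ipairs(rule_files) do
    assert(ips.rules:find(RULE_PATH .. '/' .. name, 1, true),
           'missing include for ' .. name)
end
```

Comparing the rule count Snort reports at startup against the number of rules in the files on disk is a quick way to confirm that every file was actually loaded.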
Current thread:
- snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips Marcin Dulak (Feb 20)
- Re: snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips Russ (Feb 21)
- Re: snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips Marcin Dulak (Feb 21)
- Re: snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips Russ (Feb 21)