Snort mailing list archives
Re: snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips
From: Russ <rucombs () cisco com>
Date: Tue, 21 Feb 2017 08:14:39 -0500
On 2/21/17 7:28 AM, Marcin Dulak wrote:
> On Tue, Feb 21, 2017 at 12:44 PM, Russ <rucombs () cisco com> wrote:
>> On 2/20/17 10:02 PM, Marcin Dulak wrote:
>>> Hi,
>>>
>>> snort3: https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438
>>>
>>> When I use the configuration below, /etc/snort/sample.rules gets loaded.
>>
>> Which means you are running from /etc/snort.
>>
>>> RULE_PATH = '../rules'
>>> local_rules = [[
>>> include sample.rules
>>> ]]
>>> ips = {
>>>     rules = local_rules,
>>> }
>>>
>>> How to modify the configuration in order to achieve two goals:
>>>
>>> 1. use the sample.rules located under the RULE_PATH directory by
>>> specifying the RULE_PATH variable, i.e. include RULE_PATH .. 'sample.rules'?
>>
>> RULE_PATH = '../rules/'
>> ips = { include = RULE_PATH .. 'sample.rules' }
>
> it looks like one really needs to specify the full path (using conf_dir
> defined in /etc/snort/snort.lua).
>
> This works:
>
> # ls -1 /etc/snort/rules/*.rules
> /etc/snort/rules/host.rules
> /etc/snort/rules/sample.rules
>
> # grep RULE_PATH /etc/snort/snort_defaults.lua | grep -v IN
> RULE_PATH = conf_dir .. '/rules'
>
> ips = {
>     include = RULE_PATH .. '/sample.rules',
>     include = RULE_PATH .. '/host.rules'
> }

This will only get one of those files loaded, depending on which assignment statement Lua runs with. It is not deterministic and it is not something Snort can detect.

To get multiple files you will need to put additional includes in the ips.include file, put the includes in ips.rules, and/or use -R. Check for the "Loading <file>" and "Finished <file>" startup output.

> with:
>
> # pwd
> /root
> # SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort -c /etc/snort/snort.lua
>
>>> 2. have the sample.rules loaded without the ips option?
>>
>> snort -R ../rules/sample.rules
>
> so the ips variable is used to load custom rules files, even if in IDS mode?

Yes
>>> Marcin
>
> Marcin

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
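The point of the reply above, worked through as an added example (this is not code from the thread or from the Snort project): a Lua table constructor can hold only one value per key, so the second `include =` silently replaces or is replaced by the first, and the Lua reference manual leaves the assignment order in a constructor undefined, which is why which file survives is not guaranteed. The second half shows the three ways the reply lists for loading more than one file. RULE_PATH, the file names and the hypothetical /etc/snort/rules/local.rules are assumptions for illustration; the first part can be run with a stand-alone lua interpreter, the ips table is what you would put in snort.lua.

```lua
-- Added example, not part of the original post or the Snort project.
-- Assumptions: RULE_PATH, sample.rules, host.rules and local.rules.
local RULE_PATH = '/etc/snort/rules'

-- 1. Why "include = a, include = b" loads only one file.
--    Both assignments target the same key 'include'; the table ends up
--    with exactly one entry, and per the Lua manual the order in which
--    constructor assignments run is undefined, so Snort sees one path
--    and cannot tell that a second one was ever written.
local broken = {
    include = RULE_PATH .. '/sample.rules',
    include = RULE_PATH .. '/host.rules',
}
local keys = 0
for _ in pairs(broken) do keys = keys + 1 end
print('keys in table: ' .. keys .. ', include = ' .. broken.include)
-- prints one key; the path shown is whichever assignment ran last

-- 2. Patterns from the reply that do load several files.

-- Build "include <path>" lines for the ips.rules string; each line is a
-- rules-file directive (the original post used "include sample.rules"
-- inside [[ ]] the same way), so any number of files can be listed.
local function includes(...)
    local lines = {}
    for _, name in ipairs({ ... }) do
        lines[#lines + 1] = 'include ' .. RULE_PATH .. '/' .. name
    end
    return table.concat(lines, '\n') .. '\n'
end

ips = {
    -- Option (a), ips.include: ONE assignment pointing at one file; that
    -- file (assumed /etc/snort/rules/local.rules) carries further lines
    -- such as "include /etc/snort/rules/host.rules".
    include = RULE_PATH .. '/local.rules',

    -- Option (b), ips.rules: put the include lines in the rules string
    -- instead of repeating the 'include' key.
    rules = includes('sample.rules'),
}

-- Option (c): pass an extra file on the command line with -R, e.g.
--     snort -c /etc/snort/snort.lua -R /etc/snort/rules/host.rules
--
-- Whichever option is used, confirm the result in the startup output:
-- every file that was actually loaded is bracketed by "Loading <file>"
-- and "Finished <file>" lines; a file missing from that output was not
-- loaded, however it appears in the config.
```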
Current thread:
- snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips Marcin Dulak (Feb 20)
- Re: snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips Russ (Feb 21)
- Re: snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips Marcin Dulak (Feb 21)
- Re: snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips Russ (Feb 21)
- Re: snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips Marcin Dulak (Feb 21)
- Re: snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips Russ (Feb 21)