Snort mailing list archives
Re: Error using latest ruleset with Snort++
From: Marcin Dulak via Snort-users <snort-users () lists snort org>
Date: Thu, 13 Jul 2017 18:20:16 +0200
On Thu, Jul 13, 2017 at 5:55 PM, Jim Campbell <jim () w4bqp net> wrote:
> Russ, I made the changes that you suggested and am still having problems. I have some questions.
>
> "This looks like you are trying to load text rules into Lua."
>
> I don't know what "text rules" are. I have two rules files, the file that resulted from running snort2lua against my latest 2.9.9.0 rules file (snort.rules.lua) and sample.rules. Both appear to be text files. How do I obtain a proper rules file?
I remember the interplay of the variables and the structure of the Lua files was not obvious and required some experimenting - and I was not able to convert the old snort.conf into the new Lua scripts automatically. I would recommend taking the default snort3 Lua scripts + sample.rules and building on those manually. Maybe follow this tutorial https://github.com/marcindulak/vagrant-snort-nfqueue-tutorial-centos7 - it requires vagrant and runs snort3 on CentOS7, but at least you get a fully functional snort3 setup.

Marcin
> When I run "snort --help" the result says that "-c <rules> Use Rules File <rules>". I expected -c to point to the configuration file. I don't see any option that points to a configuration file. Is it hard-coded?
>
> If I run "snort -T -c sample.rules" I get:
>
>     Running in Test mode
>
>             --== Initializing Snort ==--
>     Initializing Output Plugins!
>     Initializing Preprocessors!
>     Initializing Plug-ins!
>     Parsing Rules file "sample.rules"
>     Tagged Packet Limit: 256
>     Log directory = /var/log/snort
>
>     +++++++++++++++++++++++++++++++++++++++++++++++++++
>     Initializing rule chains...
>     ERROR: sample.rules(1) Undefined variable in the string: $HOME_NET.
>     Fatal Error, Quitting..
>
> In snort.lua, I have "HOME_NET = '192.168.0.0/24'". Therefore it seems as if whatever should be pointing to snort.lua isn't.
>
> Enough for now. I'm confused and have probably confused you. Any help would be much appreciated.
>
> Thank you,
> Jim
>
> On 7/12/2017 11:47 PM, Russ wrote:
>> On 7/12/17 8:03 PM, Jim Campbell wrote:
>>> I am moving from Snort 2.9.9.0 to Snort 3. I used Snort 2.9.9.0 for quite a few months but it began to have problems so I am moving to Snort 3. On 28 June 2017 there was a thread with the Subject as above. I am experiencing a similar problem but with somewhat different circumstances.
>>>
>>> Just today, I formatted my hard drive on the Snort machine, installed Ubuntu 16.04 and, using Noah's cookbook described in https://sublimerobots.com/2017/01/installing-snort3-in-ubuntu/, installed Snort 3. The installation went well and everything worked as expected till the "snort -V" step. The installation of Hyperscan seemed to go well but Hyperscan didn't appear in the list resulting from "snort -V". The next step uses the default configuration file and ruleset. That performed as expected.
>>>
>>> I next used snort2lua to convert my Snort 2.9.9.0 configuration file to the lua format. I used the following command to test the new configuration file:
>>>
>>>     /opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/sample.rules
>>>
>>> I got an immediate FATAL error:
>>>
>>>     Loading /opt/snort/etc/snort/snort.lua:
>>>     FATAL: can't init /opt/snort/etc/snort/snort.lua: /opt/snort/etc/snort/sample.rules:1: '=' expected near 'tcp'
>>>     Fatal Error, Quitting..
>>
>> This looks like you are trying to load text rules into Lua.
>>
>>> In the snort.lua configuration file immediately under the BLACK_LIST_PATH = '/opt/snort/etc/snort/iplists' is:
>>>
>>>     include '/opt/snort/etc/snort/sample.rules'
>>
>> And that would explain it. This line should be deleted because (a) it doesn't work like that and (b) you are loading the rules file with the -R command line argument.
>>
>> Alternatively, if you want to specify the rules file in Lua, that can be done with:
>>
>>     ips = { include = '/opt/snort/etc/snort/sample.rules' }
>>
>> In which case delete the -R argument.
>>
>>> If I comment out this line and re-run the test, every rule gives the following kind of error:
>>>
>>>     ERROR: /opt/snort/etc/snort/sample.rules:3974 invalid argument classtype: = unsuccessful-user
>>
>> This looks like you don't have classifications defined. The default conf does it this way:
>>
>>     -- near the top:
>>     conf_dir = os.getenv('SNORT_LUA_PATH')
>>     if ( not conf_dir ) then
>>         conf_dir = '.'
>>     end
>>     dofile(conf_dir .. '/snort_defaults.lua')
>>
>>     -- ... near the bottom:
>>     classifications = default_classifications
>>
>> Make sure you have those bits in your conf and that you have set SNORT_LUA_PATH in your environment to point to the directory where snort_defaults.lua is installed. In your case it should be done like this:
>>
>>     export SNORT_LUA_PATH=/opt/snort/etc/snort
>>
>> You should be able to just use the default config and rules w/o modification. You could test that the defaults work first before making your changes.
>>
>>> Everything else worked correctly. Is there a workaround that I can use to get around this error?
>>> Thanks,
>>> Jim Campbell
>>>
>>> --
>>> "We are not human beings having a spiritual experience; we are spiritual beings having a human experience." ---Pierre Teilhard de Chardin
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users () lists snort org
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.snort.org/mailman/listinfo/snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
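Putting Russ's pieces together, here is a minimal snort.lua that sets the rule variables, loads the shipped defaults, wires up classifications, and names the rules file from Lua instead of with -R. This is an added example for this page, not the snort.lua shipped with Snort 3 and not anything posted in the thread; the /opt/snort/etc/snort paths and the 192.168.0.0/24 HOME_NET follow Jim's install and are assumptions, and the inspector sections (stream, http_inspect and friends) of the shipped default config are left out, so this only serves to get the rules to load cleanly.

```lua
-- snort.lua: minimal Snort 3 configuration assembled from the pieces Russ
-- describes above. Added example, not the snort.lua shipped with Snort 3.
-- Paths under /opt/snort/etc/snort and the HOME_NET value are assumptions
-- taken from Jim's install.

-- 1. Rule variables. Set these BEFORE loading snort_defaults.lua: that file
--    builds default_variables with nets = { HOME_NET = HOME_NET, ... }, i.e.
--    it copies the value at load time, so a HOME_NET assigned further down
--    is never seen by the rules and $HOME_NET ends up undefined.
HOME_NET = '192.168.0.0/24'
EXTERNAL_NET = 'any'

-- 2. Locate and load the shipped defaults (default_variables,
--    default_classifications, default_references). SNORT_LUA_PATH must point
--    at the directory that holds snort_defaults.lua:
--        export SNORT_LUA_PATH=/opt/snort/etc/snort
--    The readability check is plain Lua added here so a wrong path fails
--    with a hint instead of dofile()'s bare "cannot open" error.
conf_dir = os.getenv('SNORT_LUA_PATH')
if ( not conf_dir ) then
    conf_dir = '.'
end
local defaults = conf_dir .. '/snort_defaults.lua'
local fh = io.open(defaults, 'r')
if not fh then
    error('cannot read ' .. defaults ..
          ': set SNORT_LUA_PATH to the directory containing snort_defaults.lua')
end
fh:close()
dofile(defaults)

-- 3. Classifications and references, so "classtype:" and "reference:" in
--    the rules resolve instead of failing with "invalid argument classtype:".
classifications = default_classifications
references = default_references

-- 4. Rules. Name the rules file here OR pass it with -R, not both. Never
--    `include` a .rules file at the top level of snort.lua: that hands the
--    text rules to the Lua parser, which is the "'=' expected near 'tcp'"
--    error. ips.variables is what makes $HOME_NET / $EXTERNAL_NET and the
--    default port variables visible to the rules.
ips =
{
    enable_builtin_rules = true,
    include = '/opt/snort/etc/snort/sample.rules',
    variables = default_variables,
}
```

Check it without traffic using `SNORT_LUA_PATH=/opt/snort/etc/snort /opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -T` (no -R, since ips.include already names the rules file). A Snort 3 binary announces itself with `Loading /opt/snort/etc/snort/snort.lua:` first, as in the FATAL message quoted above. The `-c <rules> Use Rules File <rules>` help text and the `Initializing Preprocessors!` / `Initializing rule chains...` banner, on the other hand, are what a Snort 2.9.x binary prints, so if `snort -T -c sample.rules` produces that output, the `snort` found on the PATH is not the one installed under /opt/snort/bin; invoking it by its full path, as in the command quoted above, avoids the mix-up.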
Current thread:
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 12)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 12)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 13)
- Re: Error using latest ruleset with Snort++ Marcin Dulak via Snort-users (Jul 13)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 13)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 13)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 13)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 13)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 14)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 14)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 14)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 14)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 13)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 12)
- <Possible follow-ups>
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 14)
- Re: Error using latest ruleset with Snort++ João Soares via Snort-users (Jul 14)