Re: include = 'snort3_community.rules'

[Russ via Snort-users <snort-users () lists snort org>]

"-- include = 'snort3_community.rules'" from the default snort.lua is 
just a comment showing one way to include rules.  Another way is to use 
the rules parameter.  You are attempting to do both, which is fine, but 
there are at least three apparent issues:

1.  If you uncomment "include = 'snort3_community.rules'" and follow it 
with something else, you need a comma in between.  So it should look 
like this:

ips =
{
    -- ...
    include = 'snort3_community.rules',
    rules =
    [[
    # ...
    ]]
}

2.  You are including snort3_community.rules twice.  That will result in 
a bunch of duplicate warnings if you enable warnings but is otherwise 
benign.  Better to just include them once, in either place.

3.  snort3-community.rules is either at $RULE_PATH or not, meaning one 
the includes is likely to fail, unless you are in $RULE_PATH.

Hope that helps.
Russ


On 10/5/18 11:17 AM, ZdenekChladek_cyber wrote:
> Hello,
> Could You please clarify, how to prepare the config to use 
> community.rules ?
> when I uncommented parameter include = 'snort3_community.rules' Snort 
> return error:
>
> Loading /usr/local/snort/etc/snort/snort.lua:
> FATAL: can't load /usr/local/snort/etc/snort/snort.lua: 
> /usr/local/snort/etc/snort/snort.lua:209: '}' expected (to close '{' 
> at line 197) near 'rules'
> Fatal Error, Quitting..
> part of my configuration where are the records about the community.rules
>
> ips =
> {
>     mode = tap,
>
>     -- use this to enable decoder and inspector alerts
>     enable_builtin_rules = true,
>
>     -- use include for rules files; be sure to set your path
>     -- note that rules files can include other rules files
>
> -- THIS PARAMETER IS FROM DEFAULT INSTALLATION - FOR WHAT IS IT?
>     -- include = 'snort3_community.rules'
>
>     -- The following include syntax is only valid for BUILD_243 
> (13-FEB-2018) and later
>     -- RULE_PATH is typically set in snort_defaults.lua
>     rules = [[
>
> -- THIS PARAMETER HAS BEEN ADD MANUALLY BY ME
>     include $RULE_PATH/snort3-community.rules
>
>         include $RULE_PATH/snort3-app-detect.rules
>         include $RULE_PATH/snort3-browser-chrome.rules
>         include $RULE_PATH/snort3-browser-firefox.rules
>         include $RULE_PATH/snort3-browser-ie.rules
>         include $RULE_PATH/snort3-browser-other.rules
>         include $RULE_PATH/snort3-browser-plugins.rules
> Thank You
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
>     To unsubscribe, send an email to:
>     snort-users-leave () lists snort org
>
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!
>
> Please follow these rules: 
> https://snort.org/faq/what-is-the-mailing-list-etiquette

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette