Snort mailing list archives
Re: Snort3 Plugin IPS Option: unknown rule keyword
From: Russ via Snort-users <snort-users () lists snort org>
Date: Mon, 8 Apr 2019 08:54:46 -0400
Your diff below is saying that you deleted snort_plugins. You must provide that symbol, and it must be a null-terminated list of pointers to base API, even if you only have one.
On 4/8/19 8:32 AM, Jianyu Li via Snort-users wrote:
Hi, I am trying to write an ips option for dpx plugin. I copied the snort3_extra/src/ips_options/ips_pkt_num/ips_pkt_num.cc into dpx folder and did the following changes:

*root@ubuntudesk1:~/snort_src/snort3_extra/src/inspectors/dpx/src# diff ips_pkt_num2.cc ../../../ips_options/ips_pkt_num/ips_pkt_num.cc**30c30* *< static const char* s_name = "pkt_num2";* *---* *> static const char* s_name = "pkt_num";* *183c183,187* *< const BaseApi* ips_pkt_num = &pkt_num_api.base;* *---* *> SO_PUBLIC const BaseApi* snort_plugins[] =* *> {* *> &pkt_num_api.base,* *> nullptr* *> };*

But when I ran the snort it reported error:

*root@ubuntudesk1:~# snort --plugin-path /usr/local/lib/ -c /usr/local/etc/snort/snort.lua -R rules.txt -r iec61850.pcap -A cmg* *ERROR: rules.txt:1 unknown rule keyword: pkt_num2.*

There is only one line in rules.txt: *alert tcp any any -> any any (msg:"Test"; pkt_num2:30; sid: 1000;)*

The reason why I put ips_pkt_num.cc into dpx is that I wanted to use the structure (stored in flow) defined in dpx plugin just like what they did in modbus inspector. It seems like this ips option wasn't loaded by snort, any idea why this error occurs?

Thanks in advance!
Li

_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users To unsubscribe, send an email to: snort-users-leave () lists snort org Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
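Review bot: In the 183c183,187 hunk, the `<` side leaves ips_pkt_num2.cc with only `const BaseApi* ips_pkt_num = &pkt_num_api.base;` and no `snort_plugins[]`, and nothing visible in this diff adds `ips_pkt_num` to any exported list, which is consistent with the `unknown rule keyword: pkt_num2` error. Either keep the `SO_PUBLIC const BaseApi* snort_plugins[]` array with its `nullptr` terminator in this file, or, if the file is compiled into the dpx shared object, declare `ips_pkt_num` as `extern` beside that plugin's own `snort_plugins[]` and add it before the terminating `nullptr`. That list is not shown in this diff, so where it lives is an assumption.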