Snort mailing list archives
A few snort3 observations
From: James Lay via Snort-devel <snort-devel () lists snort org>
Date: Fri, 13 Nov 2020 10:11:17 -0700
So....my compile line includes:

    --with-daq-includes=/opt/snort3/libdaq/include --with-daq-libraries=/opt/snort3/libdaq/lib

So why does snort not know where daq is without the --daq-dir command line option at runtime? I told snort where it was when I compiled it above. Can we not simply tell snort "hey...use the compile time options as the default when run"? To be fair, this is not just a snort thing...I do see this behavior elsewhere.

Next up....snort2lua. I'll include the before and after as an attachment so as not to make this email unreadable. After snort2lua, my tight, simple, 171 line config is now 1206 lines. Seriously...it's ghastly. Per the snort3 docs (which, funnily enough you can't direct bookmark because the links expire) states: "For best results, use include in place of dofile. This function is provided to follow Snort's include logic." So why does snort2lua start off my config with:

    dir = os.getenv('SNORT_LUA_PATH')
    if ( not dir ) then
        dir = '.'
    end
    dofile(dir .. '/snort_defaults.lua')

?

Second, snort2lua will fail (did for me at least) if you have a "double" variable declaration:

    var CONF_PATH /opt/snort/etc
    var RULE_PATH $CONF_PATH/rules

snort2lua will simply say the 2nd line file as shown above wasn't found and my rules weren't processed (hard setting this worked though).

Lastly, why did snort2lua split out the alt_max_command_line_len in smtp? Why did snort2lua import my threshold.conf and put it right into my snort3.conf? Why do I have a snort.rules.lua and a snort.rules.rules, both of which kinda look like rules files? And if I'm using the snort3.conf that comes in the tarball/git repo as a guide, the snort.rules.lua doesn't show up ( I do see the snort3-community.rules as an example though, so that's a plus ). My hope that snort2lua would take a finely tuned snort2.conf and convert it to a finely tuned snort3.conf with some minor tweaks to be done is long gone.
At this point in time my plan is just to throw out the snort2lua generated snort3.conf and just start from scratch. I appreciate the new functions and granularity (and look forward to diving into them)...but devs...PLEASE PLEASE PLEASE give people a snort2lua config output that at least looks somewhat similar to the original snort2.conf. Otherwise....I suspect folks are just going to look at the output....have eyeballs that look like they've just dropped 5 hits of acid, and just delete it and start the laborious task of having to relearn the snort config syntax in tandem with converting what they have with their current configs. Thank you. James
Attachment: snort.zip
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
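One way to work around the chained var failure James describes (snort2lua only accepting a var once it was hard-set), as an added example that is not part of his post or of the Snort project: a small Python preprocessor that flattens var/ipvar/portvar values to literals before the file goes through snort2lua, so every declaration snort2lua sees is already hard-set. The sample config, the SAMPLE_CONF name and the resolve_vars() helper are constructed here; the example generalises from the two-line case in the post to any depth of chaining.

```python
import re

# Constructed sample of a snort2.conf fragment (not from the post's
# attachment): RULE_PATH and SO_RULE_PATH are chained through other vars.
SAMPLE_CONF = """\
var CONF_PATH /opt/snort/etc
var RULE_PATH $CONF_PATH/rules
var SO_RULE_PATH $RULE_PATH/so
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
include $RULE_PATH/local.rules
"""

# var/ipvar/portvar declarations, and $NAME references inside their values.
VAR_LINE = re.compile(r'^\s*(var|ipvar|portvar)\s+(\w+)\s+(\S.*?)\s*$')
REF = re.compile(r'\$(\w+)')


def resolve_vars(text, strict=True):
    """Rewrite every var/ipvar/portvar value so it holds no $NAME reference
    to an earlier declaration; all other lines (include, preprocessor, ...)
    are passed through untouched.

    Snort 2 requires a variable to be declared before it is referenced, so
    values are resolved top-down from the declarations already seen. With
    strict=True an undeclared reference raises KeyError; with strict=False
    it is left as-is for snort2lua (or a human) to deal with.
    """
    values = {}
    out = []
    for line in text.splitlines():
        m = VAR_LINE.match(line)
        if not m:
            out.append(line)
            continue
        kind, name, value = m.groups()

        def sub(ref):
            ref_name = ref.group(1)
            if ref_name in values:
                return values[ref_name]
            if strict:
                raise KeyError(f"{kind} {name} references undeclared ${ref_name}")
            return ref.group(0)

        literal = REF.sub(sub, value)
        values[name] = literal
        out.append(f"{kind} {name} {literal}")
    return "\n".join(out) + "\n"
```

Run it over the snort2.conf, write the result to a new file, and feed that file to snort2lua; the include lines still use $RULE_PATH, which is the single-level form the post reports as working once the var is hard-set.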
Current thread:
- A few snort3 observations James Lay via Snort-devel (Nov 13)
- Re: A few snort3 observations Michael Altizer (mialtize) via Snort-devel (Nov 20)
- Re: A few snort3 observations James Lay via Snort-devel (Nov 20)
- Re: A few snort3 observations Michael Altizer (mialtize) via Snort-devel (Nov 20)