Snort mailing list archives
Re: Snort 3 rules not loading
From: Russ <rucombs () cisco com>
Date: Thu, 16 Mar 2017 18:21:53 -0400
That should work if you run inline by adding -Q to your command line. How were you injecting the packets with 2.X Snort?

On 3/15/17 2:52 PM, Stephen Stark wrote:

> Hello,
>
> I am running snort-3.0.0-a4-228. I am having a problem loading any reject rules. When I start snort it will say "Finished rules." and will not show rule counts. I am guessing they are not being loaded. If I change my rule to be an alert then the rule count shows 1 rule.
>
> An example of my rule below works:
>
>     alert tcp any any -> any any (msg:"TCP reddit"; appids:"reddit";)
>
> But if I change it to a reject they do not show up in the rule count. This does not work:
>
>     reject tcp any any -> any any (msg:"TCP Dropped reddit"; appids:"reddit";)
>
> Why is this not loading?
>
> Snippets from my snort.lua: I have appid on
>
>     appid =
>     {
>         app_detector_dir = '/usr/local/cisco',
>         log_stats = true,
>         app_stats_period = 10,
>     }
>
>     react =
>     {
>         --option change: 'config react:' --> 'page'
>         page = '/etc/snort/block.html',
>     }
>
>     reject =
>     {
>         reset: 'both',
>     }
>
>     ips =
>     {
>         include = 'new.rules',
>     }
>
> This is what's loaded, correct?
>
>     Loading test.lua:
>         ssh rpc_decode pop binder stream_tcp unified2 network stream_ip
>         dce_http_proxy normalizer telnet ftp_server reputation stream_udp
>         daq detection search_engine modbus classifications ips react appid
>         process event_queue sip dnp3 ssl active dce_http_server dce_tcp
>         dce_smb smtp reject ftp_client http_inspect stream references dns
>         dce_udp imap
>
> Even when I converted my rules file with snort2lua it created reject rules, but they would not work as well.
>
> Anyone have this problem or know if my configuration is not correct?
>
> I would like the tcp reset sent to both ends. I had this working in version 2.9.9 using the rule below:
>
>     drop tcp any any -> any any (msg:'UDP Dropped: reddit'; appid: reddit; sid:12000016; rev:1;)
>
> Any help would be great!
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
Current thread:
- Snort 3 rules not loading Stephen Stark (Mar 15)
- Re: Snort 3 rules not loading Russ (Mar 16)
- Re: Snort 3 rules not loading Stephen Stark (Mar 16)
- Re: Snort 3 rules not loading Russ (Mar 16)