Snort mailing list archives
Re: Snort 3 rules not loading
From: Stephen Stark <logic4life () gmail com>
Date: Thu, 16 Mar 2017 18:33:08 -0400
Thanks. That was it. I must have missed the -Q for inline mode.
On Mar 16, 2017 6:21 PM, "Russ" <rucombs () cisco com> wrote:
That should work if you run inline by adding -Q to your command line.
How were you injecting the packets with 2.X Snort?
On 3/15/17 2:52 PM, Stephen Stark wrote:
Hello,
I am running snort-3.0.0-a4-228.
I am having a problem loading any reject rules. When I start snort it will
say "Finished rules." and will not show rule counts. I am guessing they are
not being loaded.
If I change my rule to be an alert then the rule count shows 1 rule. An
example of my rule below works:
alert tcp any any -> any any (msg:"TCP reddit"; appids:"reddit";)
But if I change it to a reject they do not show up in the rule count.
This does not work:
reject tcp any any -> any any (msg:"TCP Dropped reddit"; appids:"reddit";)
Why is this not loading?
Snippets from my snort.lua:
I have appid on
appid =
{
app_detector_dir = '/usr/local/cisco',
log_stats = true,
app_stats_period = 10,
}
react =
{
--option change: 'config react:' --> 'page'
page = '/etc/snort/block.html',
}
reject =
{
reset = 'both',  -- Lua table syntax is key = value (a ':' here is a syntax error)
}
ips =
{
include = 'new.rules',
}
This is what's loaded, correct?
Loading test.lua:
ssh
rpc_decode
pop
binder
stream_tcp
unified2
network
stream_ip
dce_http_proxy
normalizer
telnet
ftp_server
reputation
stream_udp
daq
detection
search_engine
modbus
classifications
ips
react
appid
process
event_queue
sip
dnp3
ssl
active
dce_http_server
dce_tcp
dce_smb
smtp
reject
ftp_client
http_inspect
stream
references
dns
dce_udp
imap
Even when I converted my rules file with snort2lua, it created reject
rules but they would not work either.
Anyone have this problem or know if my configuration is not correct?
I would like the tcp reset sent to both ends. I had this working in
version 2.9.9 using the rule below
drop tcp any any -> any any (msg:'UDP Dropped: reddit'; appid: reddit; sid:12000016; rev:1;)
Any help would be great!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
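The thread's resolution is that reject (and drop) rules are only loaded when Snort is run inline with -Q, so a config that looks fine in IDS mode silently loses its blocking rules. The following pre-flight check is an added example, not code from the thread or from the Snort project: it counts the actions in a rules file and warns when inline-only actions are present but -Q is missing from the intended command line. The rules file is constructed here for the demonstration; the function names and the treatment of reject/drop/sdrop as inline-only are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight check for a Snort 3 rules file (added example, not from the thread).
# Counts rule actions and reports whether any of them need inline mode (-Q),
# since the thread shows reject rules are not loaded without it.

count_action() {
    # $1 = rules file, $2 = action keyword (alert, reject, drop, ...)
    # Counts uncommented rules whose first token is that action; prints 0 if none.
    grep -cE "^[[:space:]]*$2[[:space:]]" "$1" || true
}

needs_inline() {
    # Returns 0 (true) when the file holds at least one inline-only action.
    f=$1
    n=0
    for a in reject drop sdrop; do        # assumed inline-only actions
        c=$(count_action "$f" "$a")
        n=$((n + c))
    done
    [ "$n" -gt 0 ]
}

check_cmdline() {
    # $1 = rules file; remaining args = the snort command line you intend to run.
    # Returns 1 (and warns on stderr) if inline-only rules exist but -Q is absent.
    f=$1; shift
    if needs_inline "$f"; then
        for arg in "$@"; do
            [ "$arg" = "-Q" ] && return 0
        done
        echo "WARNING: $f contains reject/drop rules but the command line lacks -Q (inline mode); they will not be loaded" >&2
        return 1
    fi
    return 0
}

# Constructed sample rules file (not from the thread): one alert, one reject,
# and one commented-out drop that must not be counted.
RULES=$(mktemp)
trap 'rm -f "$RULES"' EXIT
cat > "$RULES" <<'EOF'
# constructed sample rules
alert tcp any any -> any any (msg:"TCP reddit"; appids:"reddit"; sid:1000001; rev:1;)
reject tcp any any -> any any (msg:"TCP Dropped reddit"; appids:"reddit"; sid:1000002; rev:1;)
# drop tcp any any -> any any (msg:"disabled"; sid:1000003; rev:1;)
EOF

# Usage: the first command line is missing -Q and triggers the warning,
# the second includes it and passes.
check_cmdline "$RULES" snort -c snort.lua -i eth0 || echo "add -Q before running"
check_cmdline "$RULES" snort -c snort.lua -Q -i eth0 && echo "command line OK"
```

Run it against the real rules file referenced by ips.include before starting Snort; in a deployment script, a non-zero return from check_cmdline is a cheap way to refuse to start an "IPS" that is actually running as an IDS.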
Current thread:
- Snort 3 rules not loading Stephen Stark (Mar 15)
- Re: Snort 3 rules not loading Russ (Mar 16)
- Re: Snort 3 rules not loading Stephen Stark (Mar 16)
- Re: Snort 3 rules not loading Russ (Mar 16)
