Snort mailing list archives
Re: Error using latest ruleset with Snort++
From: Jim Campbell <jim () w4bqp net>
Date: Wed, 12 Jul 2017 20:03:34 -0400
I am moving from Snort 2.9.9.0 to Snort 3. I used Snort 2.9.9.0 for quite a few months but it began to have problems so I am moving to Snort 3.
On 28 June 2017 there was a thread with the Subject as above. I am experiencing a similar problem but with somewhat different circumstances.
Just today, I formatted my hard drive on the Snort machine, Installed Ubuntu 16.04 and using Noah's cookbook described in "https://sublimerobots.com/2017/01/installing-snort3-in-ubuntu/"; installed Snort 3. The installation went well and everything worked as expected till the "snort -V" step. The installation of Hyperscan seemed to go well but Hyperscan didn't appear in the list resulting from "snort -V".
The next step uses the default configuration file and ruleset. That performed as expected. I next used snort2lua to convert my Snort 2.9.9.0 configuration file to the lua format. I used the following command to test the new configuration file:
|/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/sample.rules
I got an immediate FATAL error: Loading /opt/snort/etc/snort/snort.lua:FATAL: can't init /opt/snort/etc/snort/snort.lua: /opt/snort/etc/snort/sample.rules:1: '=' expected near 'tcp'
Fatal Error, Quitting..In the snort.lua configuration file immediately under the BLACK_LIST_PATH = '/opt/snort/etc/snort/iplists'
is: "include '/opt/snort/etc/snort/sample.rules'"If I comment out this line and re-ran the test every rule gave the following kind of error:
ERROR: /opt/snort/etc/snort/sample.rules:3974 invalid argument classtype: = unsuccessful-user
Everything else worked correctly. Is there a workaround that I can use to get around this error? Thanks, Jim Campbell | -- "We are not human beings having a spiritual experience; we are spiritual beings having a human experience." ---Pierre Teilhard de Chardin
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 12)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 12)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 13)
- Re: Error using latest ruleset with Snort++ Marcin Dulak via Snort-users (Jul 13)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 13)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 13)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 13)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 13)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 14)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 14)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 14)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 13)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 12)