Re: Error using latest ruleset with Snort++

[Jim Campbell <jim () w4bqp net>]

Russ,

I made the changes that you suggested and am still having problems. I 
have some questions.

"|This looks like you are trying to load text rules into Lua."
I don't know what "text rules" are. I have two rules files, the file 
that resulted from running snort2lua against my latest 2.9.9.0 rules 
file (snort.rules.lua) and sample.rules. Both appear to be text files. 
How do I obtain a proper rules file?

When I run "snort --help" the result says that "-c <rules> Use Rules 
File <rules>". I expected -c to point to the configuration file. I don't 
see any option that points to a configuration file. Is it hard-coded?

If I run " snort -T -c sample.rules" I get:

"Running in Test mode
"
"        --== Initializing Snort ==--
"Initializing Output Plugins!
"Initializing Preprocessors!
"Initializing Plug-ins!
"Parsing Rules file "sample.rules"
"Tagged Packet Limit: 256
"Log directory = /var/log/snort"
"
"+++++++++++++++++++++++++++++++++++++++++++++++++++
"Initializing rule chains...
"ERROR: sample.rules(1) Undefined variable in the string: $HOME_NET.
"Fatal Error, Quitting..

In snort.lua, I have "HOME_NET = '192.168.0.0/24'". Therefore it seems 
as if whatever should be pointing to snort.lua isn't.

Enough for now. I'm confused and have probably confused you. Any help 
would be much appreciated.

|Thank you,

Jim

On 7/12/2017 11:47 PM, Russ wrote:
> On 7/12/17 8:03 PM, Jim Campbell wrote:
> > I am moving from Snort 2.9.9.0 to Snort 3. I used Snort 2.9.9.0 for 
> > quite a few months but it began to have problems so I am moving to 
> > Snort 3.
> >
> > On 28 June 2017 there was a thread with the Subject as above. I am 
> > experiencing a similar problem but with somewhat different circumstances.
> >
> > Just today, I formatted my hard drive on the Snort machine, Installed 
> > Ubuntu 16.04 and using Noah's cookbook described in 
> > "https://sublimerobots.com/2017/01/installing-snort3-in-ubuntu/"; 
> > installed Snort 3. The installation went well and everything worked 
> > as expected till the "snort -V" step. The installation of Hyperscan 
> > seemed to go well but Hyperscan didn't appear in the list resulting 
> > from "snort -V".
> >
> > The next step uses the default configuration file and ruleset. That 
> > performed as expected. I next used snort2lua to convert my Snort 
> > 2.9.9.0 configuration file to the lua format. I used the following 
> > command to test the new configuration file:
> >
> > |/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R 
> > /opt/snort/etc/snort/sample.rules
> >
> > I got an immediate FATAL error:
> >
> > Loading /opt/snort/etc/snort/snort.lua:
> > FATAL: can't init /opt/snort/etc/snort/snort.lua: 
> > /opt/snort/etc/snort/sample.rules:1: '=' expected near 'tcp'
> > Fatal Error, Quitting..
> > |
> |This looks like you are trying to load text rules into Lua.|
> > |
> > In the snort.lua configuration file immediately under the 
> > BLACK_LIST_PATH = '/opt/snort/etc/snort/iplists'
> >
> > is: "include '/opt/snort/etc/snort/sample.rules'"
> > |
> |And that would explain it.  This line should be deleted because (a) 
> it doesn't work like that and (b) you are loading the rules file with 
> the -R command line argument.
>
> Alternatively, if you want to specify the rules file in Lua, that can 
> be done with:
>
>     ips = { include = '|||/opt/snort/etc/snort/|sample.rules' }
>
> In which case delete the -R argument.
> |
> > |
> > If I comment out this line and re-ran the test every rule gave the 
> > following kind of error:
> >
> > ERROR: /opt/snort/etc/snort/sample.rules:3974 invalid argument 
> > classtype: = unsuccessful-user
> > |
> |This looks like you don't have classifications defined.  The default 
> conf does it this way:
>
>     -- near the top:
>
>     conf_dir = os.getenv('SNORT_LUA_PATH')
>
>     if ( not conf_dir ) then
>         conf_dir = '.'
>     end
>
>     dofile(conf_dir .. '/snort_defaults.lua')
>
>     -- ... near the bottom:
>
>     classifications = default_classifications
>
> Make sure you have those bits in your conf and that you have set 
> SNORT_LUA_PATH in your environment to point to the directory where 
> snort_defaults.lua is installed.  In your case it should be done like 
> this:
>
>     export SNORT_LUA_PATH=|||/opt/snort/etc/snort
>
> You should be able to just the default config and rules w/o 
> modification.  You could test that the defaults work first before 
> making your changes.
> ||
> > |
> > Everything else worked correctly.
> >
> > Is there a workaround that I can use to get around this error?
> >
> > Thanks,
> >
> > Jim Campbell
> > |
> > --
> > "We are not human beings having a spiritual experience;
> > we are spiritual beings having a human experience."
> > ---Pierre Teilhard de Chardin
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists snort org
> > Go to this URL to change user options or unsubscribe:
> > https://lists.snort.org/mailman/listinfo/snort-users
> >
> > Please visithttp://blog.snort.org  to stay current on all the latest Snort news!

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!