Snort mailing list archives

Re: Error using latest ruleset with Snort++


From: Russ via Snort-users <snort-users () lists snort org>
Date: Thu, 13 Jul 2017 12:48:18 -0400



On 7/13/17 11:55 AM, Jim Campbell wrote:
Russ,

I made the changes that you suggested and am still having problems. I have some questions.

"|This looks like you are trying to load text rules into Lua."
I don't know what "text rules" are. I have two rules files, the file that resulted from running snort2lua against my latest 2.9.9.0 rules file (snort.rules.lua) and sample.rules. Both appear to be text files. How do I obtain a proper rules file?
|
|Text rules are the rules you get from Talos or similar. Snort 3.0 rules are slightly different from 2.9 rules and must be converted with snort2lua. sample.rules were already converted. To convert other rules files you can do this (for details see the manual):

    snort2lua -c snort2.rules -r snort3.rules

There are other ways to load the rules but let's start with the basics.  :)

When I run "snort --help" the result says that "-c <rules> Use Rules File <rules>". I expected -c to point to the configuration file. I don't see any option that points to a configuration file. Is it hard-coded?

That help output and all the below output is from 2.9 Snort. Try using the full path to the Snort++ binary and then check back here.

If I run "snort -T -c sample.rules" I get:

Running in Test mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "sample.rules"
Tagged Packet Limit: 256
Log directory = /var/log/snort

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: sample.rules(1) Undefined variable in the string: $HOME_NET.
Fatal Error, Quitting..

In snort.lua, I have "HOME_NET = '192.168.0.0/24'". Therefore it seems as if whatever should be pointing to snort.lua isn't.

Enough for now. I'm confused and have probably confused you. Any help would be much appreciated.

Thank you,

Jim

On 7/12/2017 11:47 PM, Russ wrote:


On 7/12/17 8:03 PM, Jim Campbell wrote:
I am moving from Snort 2.9.9.0 to Snort 3. I used Snort 2.9.9.0 for quite a few months but it began to have problems so I am moving to Snort 3.

On 28 June 2017 there was a thread with the Subject as above. I am experiencing a similar problem but with somewhat different circumstances.

Just today, I formatted my hard drive on the Snort machine, installed Ubuntu 16.04 and, using Noah's cookbook described in https://sublimerobots.com/2017/01/installing-snort3-in-ubuntu/, installed Snort 3. The installation went well and everything worked as expected till the "snort -V" step. The installation of Hyperscan seemed to go well but Hyperscan didn't appear in the list resulting from "snort -V".

The next step uses the default configuration file and ruleset. That performed as expected. I next used snort2lua to convert my Snort 2.9.9.0 configuration file to the lua format. I used the following command to test the new configuration file:

/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/sample.rules

I got an immediate FATAL error:

Loading /opt/snort/etc/snort/snort.lua:
FATAL: can't init /opt/snort/etc/snort/snort.lua: /opt/snort/etc/snort/sample.rules:1: '=' expected near 'tcp'
Fatal Error, Quitting..

This looks like you are trying to load text rules into Lua.

In the snort.lua configuration file immediately under the BLACK_LIST_PATH = '/opt/snort/etc/snort/iplists'

is: "include '/opt/snort/etc/snort/sample.rules'"

And that would explain it. This line should be deleted because (a) it doesn't work like that and (b) you are loading the rules file with the -R command line argument.

Alternatively, if you want to specify the rules file in Lua, that can be done with:

    ips = { include = '/opt/snort/etc/snort/sample.rules' }

In which case delete the -R argument.

If I comment out this line and re-ran the test every rule gave the following kind of error:

ERROR: /opt/snort/etc/snort/sample.rules:3974 invalid argument classtype: = unsuccessful-user

This looks like you don't have classifications defined. The default conf does it this way:

    -- near the top:

    conf_dir = os.getenv('SNORT_LUA_PATH')

    if ( not conf_dir ) then
        conf_dir = '.'
    end

    dofile(conf_dir .. '/snort_defaults.lua')

    -- ... near the bottom:

    classifications = default_classifications

Make sure you have those bits in your conf and that you have set SNORT_LUA_PATH in your environment to point to the directory where snort_defaults.lua is installed. In your case it should be done like this:

    export SNORT_LUA_PATH=/opt/snort/etc/snort

You should be able to just use the default config and rules w/o modification. You could test that the defaults work first before making your changes.

Everything else worked correctly.

Is there a workaround that I can use to get around this error?

Thanks,

Jim Campbell
--
"We are not human beings having a spiritual experience;
we are spiritual beings having a human experience."
---Pierre Teilhard de Chardin
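The pieces Russ describes across the thread (HOME_NET as a Lua global, loading snort_defaults.lua via SNORT_LUA_PATH, loading rules through the ips module rather than a bare include, and wiring up classifications) fit together in one short snort.lua. The file below is an added illustration written for this archive page, not the stock snort.lua shipped by the Snort project and not a file from the thread. It reuses the /opt/snort paths and the HOME_NET value from Jim's messages; the names default_references and default_variables are assumed to be defined in the installed snort_defaults.lua alongside default_classifications.

```lua
-- snort.lua: minimal Snort 3 configuration assembled from the points
-- raised in the thread. Added example; paths follow Jim's /opt/snort
-- install, and the default_* names are assumed to come from the
-- snort_defaults.lua shipped with the Snort 3 install.

-- 1. Network variables. Snort 3 hands these Lua globals to the rule
--    parser as $HOME_NET / $EXTERNAL_NET. The 2.9 binary never reads this
--    file, which is why Jim still saw "Undefined variable ... $HOME_NET"
--    while the wrong snort was first in PATH.
HOME_NET = '192.168.0.0/24'
EXTERNAL_NET = 'any'

-- 2. Load the shipped defaults. SNORT_LUA_PATH must point at the
--    directory holding snort_defaults.lua (here /opt/snort/etc/snort);
--    fall back to the current directory if it is unset.
conf_dir = os.getenv('SNORT_LUA_PATH')
if ( not conf_dir ) then
    conf_dir = '.'
end
dofile(conf_dir .. '/snort_defaults.lua')

-- 3. Rules. Do NOT do this:
--        include '/opt/snort/etc/snort/sample.rules'
--    A Lua include/dofile parses the rule text as Lua code, which is the
--    "'=' expected near 'tcp'" fatal error from the first message. Text
--    rules go through the ips module (or -R on the command line; use one
--    or the other, as Russ suggests, to avoid loading the same file twice).
ips =
{
    enable_builtin_rules = true,
    include = '/opt/snort/etc/snort/sample.rules',
    -- assumed: default_variables (ports/nets such as $HTTP_PORTS) is
    -- defined in snort_defaults.lua and is what converted 2.9 rules expect
    variables = default_variables,
}

-- 4. Rule metadata tables. Without classifications every rule's classtype
--    is rejected ("invalid argument classtype: = unsuccessful-user");
--    references is assumed to be needed in the same way for the
--    reference: option.
classifications = default_classifications
references = default_references
```

To exercise it, convert the 2.9 rules first (`snort2lua -c snort2.rules -r snort3.rules`, per Russ), export SNORT_LUA_PATH=/opt/snort/etc/snort, and then run the Snort 3 binary by full path in test mode: `/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -T`. If `--help` still describes `-c` as "Use Rules File", a 2.9 binary is being picked up from PATH and nothing in this file is being read at all, which is the check Russ asks Jim to make before anything else.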


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


