Snort mailing list archives
Snort3 IPS questions, issues, and requests
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Sun, 19 Nov 2017 10:36:00 +0200
Hello, While working with Snort3 (build 240), I have found some issues, and have a few questions and requests. I am happy to submit these through Github if you'd like. 1. What is the difference between *ips.include* and *ips.rules*? From the manual and examples, it looks like ips.include is for legacy rules (although snort3 community rules load fine), while ips.rules is for local rules in the same file. can you clarify? 2. For best practices, are you expecting people to set *$RULE_HOME* in *snort_defaults.lua*, or should this be overwritten in *snort.lua*? Should this be moved to snort.lua, since the word 'defaults' seems to indicate something the user shouldn't change. 3. If $RULE_HOME is set, when referencing rule files, you are now required to have all rules under that folder (with no explicit paths to other locations). This seems like a bug. It would be nice if relative files would use the $RULES_HOME directory, while full paths to rule files would not use $RULE_HOME. 4. When using *ips.include* with a file that lists all rule files (example below), the file paths don't seem to be relative to $RULE_HOME, but are relative to the snort.lua file, which seems odd. 5. It would be nice to be able to specify multiple rule files in your snort.lua, rather than listing them all in ips.include (or whatever). The current method of lincluding a list of rule files in a text file referenced from *ips.include *seems like a kludge and adds an extra layer of work and increases the chance of an issue when configuring your rules. A comma-seperated list of files (relative to $RULE_HOME or full paths) would be helpful. 6. Not sure if this is an issue or not, but if you specify the GID keyword in a rule loaded with *ips.include*, snort3 will segfault. Thank you, Noah Here is how my system is configured for the above questions (relevant sections only): */etc/snort/snort_defaults.lua:* RULE_PATH = '/etc/snort/rules' */etc/snort/**snort.lua* ips = { enable_builtin_rules = true, include = RULE_PATH .. '/ips.include', } */etc/snort/rules/ips.include* include rules/snort3-community.rules include rules/local.rules ls -l /etc/snort/rules -rw-r--r-- 1 root root 64 Nov 19 09:33 ips.include -rw-r--r-- 1 root root 1389 Nov 19 09:36 local.rules -rw-r--r-- 1 root root 376241 Nov 18 13:42 sid-msg.map -rw-r--r-- 1 root root 1504089 Nov 18 13:36 snort3-community.rules *noah@snort3:/etc/snort$ /bin/snort -V* ,,_ -*> Snort++ <*- o" )~ Version 3.0.0 (Build 240) from 2.9.8-383 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using DAQ version 2.2.2 Using LuaJIT version 2.0.4 Using OpenSSL 1.0.2g 1 Mar 2016 Using libpcap version 1.7.4 Using PCRE version 8.38 2015-11-23 Using ZLIB version 1.2.8 Using FlatBuffers 1.7.0 Using Hyperscan version 4.6.0 2017-11-18 Using LZMA version 5.1.0alpha
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Snort3 IPS questions, issues, and requests Noah Dietrich (Nov 19)
- Re: Snort3 IPS questions, issues, and requests Russ via Snort-devel (Nov 20)
- Re: Snort3 IPS questions, issues, and requests Noah Dietrich (Nov 22)
- Re: Snort3 IPS questions, issues, and requests Russ via Snort-devel (Nov 24)
- Re: Snort3 IPS questions, issues, and requests Russ via Snort-devel (Nov 28)
- Re: Snort3 IPS questions, issues, and requests Noah Dietrich (Nov 22)
- Re: Snort3 IPS questions, issues, and requests Russ via Snort-devel (Nov 20)