A few snort3 observations

[James Lay via Snort-devel <snort-devel () lists snort org>]

So....my compile line includes:


--with-daq-includes=/opt/snort3/libdaq/include --with-daq-
libraries=/opt/snort3/libdaq/lib


So why does snort not know where daq is without the --daq-dir command
line option at runtime?  I told snort where it was when I compiled it
above.  Can we not simply tell snort "hey...use the compile time
options as the default when run"?  To be fair, this is not just a snort
thing...I do see this behavior elsewhere.

Next up....snort2lua.  I'll include the before and after as an
attachment so as not to make this email unreadable.  After snort2lua,
my tight, simple, 171 line config is now 1206 lines.  Seriously...it's
ghastly.

Per the snort3 docs (which, funnily enough you can't direct bookmark
because the links expire) states:  "For best results, use include in
place of dofile. This function is provided to follow Snort’s include
logic."  So why does snort2lua start off my config with:

dir = os.getenv('SNORT_LUA_PATH')


if ( not dir ) then
    dir = '.'
end


dofile(dir .. '/snort_defaults.lua')
?

Second, snort2lua will fail (did for me at least) if you have a
"double" variable declaration:

var CONF_PATH /opt/snort/etc
var RULE_PATH $CONF_PATH/rules

snort2lua will simple say the 2nd line file as shown above wasn't found
and my rules weren't processed (hard setting this worked though).

Lastly, why did snort2lua split out the alt_max_command_line_len in
smtp?  Why did snort2lua import my threshold.conf and put it right into
my snort3.conf?  Why do I have a snort.rules.lua and a
snort.rules.rules, both of which kinda look like rules files?  And if
I'm using the snort3.conf that comes in the tarball/git repo as a
guide, the snort.rules.lua doesn't show up ( I do see the snort3-
community.rules as an example though, so that's a plus ).


My hope that snort2lua would take a finely tuned snort2.conf and
convert it to a finely tuned snort3.conf with some minor tweaks to be
done is long gone.  At this point in time my plan is just to throw out
the snort2lua generated snort3.conf and just start from scratch.  I
appreciate the new functions and granularity (and look forward to
diving into them)...but devs...PLEASE PLEASE PLEASE give people a
snort2lua config output that at least looks somewhat similar to the
original snort2.conf.  Otherwise....I suspect folks are just going to
look at the output....have eyeballs that look like they've just dropped
5 hits of acid, and just delete it and start the laborious task of
having to relearn the snort config syntax in tandem with converting
what they have with their current configs.

Thank you.

James

Attachment: snort.zip
Description:

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!