Snort mailing list archives

Re: Snort-devel Digest, Vol 57, Issue 9


From: Dorian ROSSE via Snort-devel <snort-devel () lists snort org>
Date: Fri, 25 Mar 2022 12:50:33 +0000

Oleksandr,


If I don't use alert JSON, how do I use alert syslog?

Thank you in advance for your answer,

Regards.


Dorian Rosse.
________________________________
From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Friday, March 25, 2022 1:17:39 PM
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9


Dorian,



These lines are incorrect:

“
{} alert_json
= file true limit 100 fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \
 eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls \
 pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port \
 target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',
”



You should delete them or comment them out. It should help.



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>
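For reference, here is an added example (not from this thread and not the Snort project's own file) of what the two lines Oleksandr flags would look like as well-formed Lua, which is what Snort 3 expects since it loads snort.lua through LuaJIT. The field list, the `file` and `limit` values and the `alert_syslog = { }` module are all taken from the config Dorian quoted; the meaning given to `file` and `limit` in the comments is the usual one for Snort 3 output modules and is stated as an assumption.

```lua
-- Added example, not the thread's or Snort's own code.
-- Snort 3 reads snort.lua with LuaJIT, so every output module is a Lua table
-- assigned to a global whose name is the module name.

-- BROKEN (as quoted in the thread): an empty table constructor `{}` followed
-- by the module name, then a bare `= file true limit 100 ...` word list.
-- That is not Lua, and LuaJIT stops with: unexpected symbol near 'true'
--
--   {} alert_json
--   = file true limit 100 fields = '...'

-- CORRECT: module name on the left, one table on the right, with
-- key = value pairs separated by commas. The long field string is split
-- with the `..` concatenation operator purely for readability.
alert_json =
{
    file = true,    -- assumed: write to a file in the log directory, not stdout
    limit = 100,    -- assumed: rollover size in MB; value kept from the quoted config
    fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len '
          .. 'eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls '
          .. 'pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port '
          .. 'target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',
}

-- Syslog instead of JSON (Dorian's follow-up question): uncomment the module
-- that the default section 7 already lists. An empty table takes the module's
-- defaults; the comment in snort.lua notes the same can be chosen on the
-- command line with -A <alert_type>, i.e. -A alert_syslog.
alert_syslog = { }
```

Because the file is plain Lua, a syntax error can be caught before Snort is started: `luac -p snort.lua` (standard Lua's parse-only mode) reports the same line number as the LuaJIT error in the thread, and `snort -c snort.lua -T` tests the configuration without processing traffic.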



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Friday, 25 March 2022, 11:41
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,





I am lucky, my weekend is now.

I have copy-pasted the chapter where the error is:



'''---------------------------------------------------------------------------
-- 7. configure outputs
---------------------------------------------------------------------------

-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
--alert_fast = { }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }
{} alert_json
= file true limit 100 fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \
 eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls \
 pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port \
 target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',

-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }

-- additional logs
--packet_capture = { }
--file_log = { }

---------------------------------------------------------------------------'''



Thank you in advance for helping me get past this error,



Regards.





Dorian ROSSE.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Wednesday, 23 March 2022 20:36
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Dorian,



Indeed, the Snort3 configuration is Lua code.

Lua scripting language: https://www.lua.org/



LuaJIT is a Just-in-Time compiler for the Lua language: https://luajit.org/

Snort3 uses it (as a library) to parse the configuration file.



When I say "error comes from LuaJIT" I mean something is wrong with your configuration in terms of Lua language syntax.

Please check your configuration for Lua parsing errors.



You could share the line from snort.lua where the issue happens and some lines before and after that place (in the same file).



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Wednesday, 23 March 2022, 21:13
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,





I set up snort.lua; what is the meaning of the LuaJIT error with snort.lua?



This error appears in snort.lua; where do you see LuaJIT here?



Thank you in advance for your enlightenment,



Regards.





Dorian Rosse.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Wednesday, March 23, 2022 8:02:31 PM
To: dorianbrice () hotmail fr <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Hello, Dorian



I guess you’re experiencing an issue with Lua syntax correctness because such error messages come from LuaJIT.

Please verify that the config file you’re trying to load has the correct Lua syntax.



Did you write/edit this config or is it the default one?

Could you share the line where it says the issue and some lines before and after?



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of snort-devel-request () lists snort org 
<snort-devel-request () lists snort org>
Date: Tuesday, 22 March 2022, 14:06
To: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Snort-devel Digest, Vol 57, Issue 9


Today's Topics:

   1. unexpected symbol near 'true' (Dorian ROSSE)


----------------------------------------------------------------------

Message: 1
Date: Sat, 19 Mar 2022 19:37:01 +0000
From: Dorian ROSSE <dorianbrice () hotmail fr>
To: "Snort-users () lists snort org" <snort-users () lists snort org>,
        "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] unexpected symbol near 'true'
Message-ID:
        <DB7P193MB0346E9AF755C86CD49CC28FADA149 () DB7P193MB0346 EURP193 PROD OUTLOOK COM>

Content-Type: text/plain; charset="iso-8859-1"

Hello,


I have the following error:

'''snort -c /usr/local/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
ERROR: /usr/local/etc/snort/snort.lua: can't load /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/snort.lua:494: 
unexpected symbol near 'true'

--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..'''

and the line where the error appears:

'''= file true limit 100 fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \'''

Thank you in advance for helping me get past this error so I can run Snort3 fully,

Regards.


Dorian ROSSE.

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel



Please visit http://blog.snort.org for the latest news about Snort!
