[Snort-sigs] Snort 3 rules not loading

Stephen Stark logic4life at ...2420...
Wed Mar 15 14:52:11 EDT 2017


Hello,

I am running snort-3.0.0-a4-228.

I am having a problem loading any reject rules. When I start Snort it says
"Finished rules." and does not show rule counts. I am guessing they are
not being loaded.

If I change my rule to be an alert then the rule count shows 1 rule. The
example rule below works:

alert tcp any any -> any any (msg:"TCP reddit"; appids:"reddit";)

But if I change it to a reject it does not show up in the rule count.

This does not work:
reject tcp any any -> any any (msg:"TCP Dropped reddit"; appids:"reddit";)

Why is this not loading?


Snippets from my snort.lua:

I have appid on:
appid =
{
    app_detector_dir = '/usr/local/cisco',
    log_stats = true,
    app_stats_period = 10,
}

react =
{
    --option change: 'config react:' --> 'page'
    page = '/etc/snort/block.html',
}

reject =
{
    -- Lua table fields are assigned with '=', not ':'
    reset = 'both',
}
ips =
{
    include = 'new.rules',
}

This is what's loaded, correct?
Loading test.lua:
        ssh
        rpc_decode
        pop
        binder
        stream_tcp
        unified2
        network
        stream_ip
        dce_http_proxy
        normalizer
        telnet
        ftp_server
        reputation
        stream_udp
        daq
        detection
        search_engine
        modbus
        classifications
        ips
        react
        appid
        process
        event_queue
        sip
        dnp3
        ssl
        active
        dce_http_server
        dce_tcp
        dce_smb
        smtp
        reject
        ftp_client
        http_inspect
        stream
        references
        dns
        dce_udp
        imap

Even when I converted my rules file with snort2lua, it created reject
rules, but they would not work either.

Anyone have this problem or know if my configuration is not correct?

I would like the TCP reset sent to both ends. I had this working in version
2.9.9 using the rule below:
drop tcp any any -> any any (msg:'UDP Dropped: reddit'; appid: reddit; sid:12000016; rev:1;)

Any help would be great!
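As an added example (this is not from the original post and not Snort project code), here are the same snort.lua tables written as valid Lua, with the reject table using `reset = 'both'`: inside a Lua table constructor every field is assigned with `=`, and a `key: value` form is a syntax error, so a file containing it would fail to load before any rules are read. The app detector path, block page and rules file name are the poster's; `ips.mode`, the inline `rules` string and the sid value are assumptions made here.

```lua
-- Added example: minimal Snort 3 snort.lua fragment for reject/react rules.
-- Paths and the rules file name come from the post; ips.mode, the inline
-- rule and sid 1000001 are assumptions for illustration.

appid =
{
    app_detector_dir = '/usr/local/cisco',
    log_stats = true,
    app_stats_period = 10,
}

react =
{
    page = '/etc/snort/block.html',
}

-- Wrong:  reject = { reset: 'both' }   -- ':' is a Lua syntax error
-- Right:  fields of a Lua table are set with '='
reject =
{
    reset = 'both',   -- send a TCP RST to both the source and destination
}

ips =
{
    -- assumption: drop/reject can only discard a packet when Snort runs inline
    mode = 'inline',

    -- rules file from the post
    include = 'new.rules',

    -- inline rule for comparison; the sid is a placeholder chosen here
    rules = [[
reject tcp any any -> any any (msg:"TCP Dropped reddit"; appids:"reddit"; sid:1000001; rev:1;)
    ]],
}
```

To check whether the rules are parsed without starting packet processing, run `snort -c snort.lua -T`; the configuration test reports the rule counts, and a Lua syntax error in any table is reported before the rules are loaded.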