[Snort-sigs] Snort 3 rules not loading

Russ rucombs at ...3865...
Thu Mar 16 18:21:53 EDT 2017


That should work if you run inline by adding -Q to your command line.

How were you injecting the packets with 2.X Snort?

On 3/15/17 2:52 PM, Stephen Stark wrote:
> Hello,
>
> I am running snort-3.0.0-a4-228.
>
> I am having a problem loading any reject rules. When I start snort it 
> will say "Finished rules." and will not show rule counts. I am 
> guessing they are not being loaded.
>
> If I change my rule to be an alert, then the rule count shows 1 rule. 
> The example rule below works:
>
> alert tcp any any -> any any (msg:"TCP reddit"; appids:"reddit";)
>
> But if I change it to a reject they do not show up in the rule count.
>
> This does not work:
> reject tcp any any -> any any (msg:"TCP Dropped reddit"; appids:"reddit";)
>
> Why is this not loading?
>
>
> Snippets from my snort.lua:
>
> I have appid on
> appid =
> {
>     app_detector_dir = '/usr/local/cisco',
>     log_stats = true,
>     app_stats_period = 10,
> }
>
> react =
> {
>     --option change: 'config react:' --> 'page'
>     page = '/etc/snort/block.html',
> }
>
> reject =
> {
>     reset = 'both',
> }
> ips =
> {
>     include = 'new.rules',
> }
>
> This is what's loaded, correct?
> Loading test.lua:
>         ssh
>         rpc_decode
>         pop
>         binder
>         stream_tcp
>         unified2
>         network
>         stream_ip
>         dce_http_proxy
>         normalizer
>         telnet
>         ftp_server
>         reputation
>         stream_udp
>         daq
>         detection
>         search_engine
>         modbus
>         classifications
>         ips
>         react
>         appid
>         process
>         event_queue
>         sip
>         dnp3
>         ssl
>         active
>         dce_http_server
>         dce_tcp
>         dce_smb
>         smtp
>         reject
>         ftp_client
>         http_inspect
>         stream
>         references
>         dns
>         dce_udp
>         imap
>
> Even when I converted my rules file with snort2lua, it created reject 
> rules but they would not work either.
>
> Anyone have this problem or know if my configuration is not correct?
>
> I would like the TCP reset sent to both ends. I had this working in 
> version 2.9.9 using the rule below:
> drop tcp any any -> any any (msg:'UDP Dropped: reddit'; appid: reddit; 
> sid:12000016; rev:1;)
>
> Any help would be great!
>
>
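As an added example (not code from this thread or from the Snort project), the following Python pre-flight lint parses a Snort rules file, counts rules per action, and warns when a rule's action only takes effect inline (so Snort needs -Q, as Russ notes above) or still uses the Snort 2 `appid` option instead of Snort 3's `appids`. The set of inline-only actions beyond `reject`, the constructed sample rules and their sids are assumptions made for this example.

```python
"""Pre-flight lint for a Snort 3 rules file (added example, not Snort code).

Parses rule headers and options, counts rules per action, and flags rules
whose action only takes effect when Snort runs inline (snort -Q), which is
why a reject rule shows up with no rule count in passive mode. It also flags
the Snort 2 'appid' option spelling, which Snort 3 rules write as 'appids'.
"""
import re
from collections import Counter

# Actions that do nothing unless Snort is inline (-Q). 'reject' is the one
# discussed in the thread; treating drop/block/react/rewrite the same way is
# an assumption made for this example.
INLINE_ACTIONS = {"reject", "drop", "block", "react", "rewrite"}

# Snort 2 option name -> Snort 3 spelling (taken from the two rules in the thread).
RENAMED_OPTIONS = {"appid": "appids"}

HEADER_RE = re.compile(
    r"^(?P<action>[a-z]+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)
# One option: key, optional ':' value (double-quoted values may contain ';'),
# terminated by ';'.
OPTION_RE = re.compile(r'\s*([A-Za-z_][\w.]*)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;\s*')


def parse_options(text):
    """Turn 'msg:"x"; sid:1;' into {'msg': 'x', 'sid': '1'}; bare keys map to None."""
    opts, pos = {}, 0
    while pos < len(text):
        m = OPTION_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad option syntax at: {text[pos:]!r}")
        key, val = m.group(1), m.group(2)
        if val is not None:
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
        opts[key] = val
        pos = m.end()
    return opts


def parse_rules(text):
    """Parse a rules file into a list of dicts; blank lines and comments are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a rule: {line!r}")
        rule = m.groupdict()
        rule["options"] = parse_options(rule.pop("opts"))
        rule["line"] = lineno
        rules.append(rule)
    return rules


def lint_rules(text, inline_mode):
    """Return (counts per action, list of warnings) for a rules file.

    inline_mode is True when Snort will be started with -Q.
    """
    rules = parse_rules(text)
    counts = Counter(r["action"] for r in rules)
    warnings = []
    for r in rules:
        where = f"line {r['line']}"
        if r["action"] in INLINE_ACTIONS and not inline_mode:
            warnings.append(f"{where}: '{r['action']}' rule needs inline mode; start Snort with -Q")
        for old, new in RENAMED_OPTIONS.items():
            if old in r["options"]:
                warnings.append(f"{where}: Snort 2 option '{old}' should be '{new}' in Snort 3")
    return counts, warnings


# Constructed sample: the alert and reject rules from the thread plus the
# 2.9.9-style drop rule; the sids are made up for this example.
SAMPLE_RULES = """\
# local test rules (constructed)
alert tcp any any -> any any (msg:"TCP reddit"; appids:"reddit"; sid:1000001; rev:1;)
reject tcp any any -> any any (msg:"TCP Dropped reddit"; appids:"reddit"; sid:1000002; rev:1;)
drop tcp any any -> any any (msg:"UDP Dropped: reddit"; appid: reddit; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    for inline in (False, True):
        counts, warnings = lint_rules(SAMPLE_RULES, inline_mode=inline)
        print(f"inline={inline} counts={dict(counts)}")
        for w in warnings:
            print("  WARNING", w)
```

Run it against the rules file named in `ips.include` before starting Snort: in passive mode every reject and drop rule is reported, while with inline mode only the leftover Snort 2 `appid` spelling remains to fix.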


