[Snort-sigs] Snort 3 rules not loading
logic4life at ...2420...
Thu Mar 16 18:33:08 EDT 2017
Thanks. That was it. I must have missed the -Q for inline mode.
On Mar 16, 2017 6:21 PM, "Russ" <rucombs at ...3865...> wrote:
> That should work if you run inline by adding -Q to your command line.
> How were you injecting the packets with 2.X Snort?
> On 3/15/17 2:52 PM, Stephen Stark wrote:
> I am running snort-3.0.0-a4-228.
> I am having a problem loading any reject rules. When I start snort it will
> say "Finished rules." and will not show rule counts. I am guessing they are
> not being loaded.
> If I change my rule to be an alert then the rule count shows 1 rule. An
> example of my rule below works
> alert tcp any any -> any any (msg:"TCP reddit"; appids:"reddit";)
> But if I change it to a reject they do not show up in the rule count.
> This does not work:
> reject tcp any any -> any any (msg:"TCP Dropped reddit"; appids:"reddit";)
> Why is this not loading?
> Snippets from my snort.lua:
> I have appid on
> appid =
> {
>     app_detector_dir = '/usr/local/cisco',
>     log_stats = true,
>     app_stats_period = 10,
> }
> react =
> {
>     --option change: 'config react:' --> 'page'
>     page = '/etc/snort/block.html',
> }
> reject =
> {
>     reset = 'both',
> }
> ips =
> {
>     include = 'new.rules',
> }
> This is what's loaded, correct?
> Loading test.lua:
> Even when I converted my rules file with snort2lua it created reject
> rules but they would not work as well.
> Anyone have this problem or know if my configuration is not correct?
> I would like the tcp reset sent to both ends. I had this working in
> version 2.9.9 using the rule below
> drop tcp any any -> any any (msg:'UDP Dropped: reddit'; appid: reddit;
> sid:12000016; rev:1;)
> Any help would be great!