[Snort-users] Snort 3 rule variables

Russ rucombs at ...589...
Thu Dec 24 10:41:05 EST 2015



On 12/22/15 3:16 AM, Aurimas Rudinskis wrote:
> Hi,
>
> I have some custom Snort 2.9.x rules which I've converted to Snort3-a3 
> using snort2lua. When running "snort -c /etc/snort/snort.lua -R 
> /etc/snort/rules/global.lua" I'm getting errors about "Undefined 
> variable in the string". All variables used in the rules are described 
> in snort.lua configuration.
>
> Rules:
> pass udp $QUALYS any -> $HOME_NET any ( msg:"False Positive - Qualys 
> Internal Scanner IP"; sid:5000005; rev:1; )
> pass tcp $QUALYS any -> $HOME_NET any ( msg:"False Positive - Qualys 
> Internal Scanner IP"; sid:5000006; rev:1; )
>
> Variable QUALYS in snort.lua:
> QUALYS = [[ 1.2.3.4 1.3.4.5 ]]
>
> Errors:
> ERROR: /etc/snort/rules/global.lua:29 Undefined variable in the 
> string: $QUALYS.
> ERROR: /etc/snort/rules/global.lua:30 Undefined variable in the 
> string: $QUALYS.
>
> Do I need to add variables to Snort 3 rules? How to solve this?

Change the name from QUALYS to QUALYS_PORTS, etc.  Snort++ only gives 
special treatment to Lua variables with PATH, PORT, NET, and SERVER in 
the name.

>
> -- 
> Linkėjimai/Regards,
> *Aurimas Rudinskis*
>
>
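
A lint check for the naming rule described in the reply above, added here as an example (it is not code from the Snort project or from either poster): it flags rule-header variables that are not assigned in the Lua config, or whose names contain none of PATH, PORT, NET, SERVER. The function names, the regex-based scan of the Lua file, and the sample config and rules (including the HOME_NET value) are assumptions constructed for illustration.

```python
import re

# Per the reply above: Snort++ only gives special treatment to Lua
# variables with one of these substrings in the name.
RULE_VAR_MARKERS = ("PATH", "PORT", "NET", "SERVER")
NO_MARKER = "name lacks PATH/PORT/NET/SERVER"
UNDEFINED = "not assigned in the Lua config"

# Heuristic, not a Lua parser: a global is a name assigned at column 0,
# so `local x = ...` and indented table fields are ignored.
LUA_ASSIGN = re.compile(r"^([A-Za-z_]\w*)\s*=(?!=)", re.M)
RULE_VAR = re.compile(r"\$([A-Za-z_]\w*)")

# Constructed sample input modelled on the thread (HOME_NET value is assumed).
SAMPLE_LUA = "HOME_NET = 'any'\nQUALYS = [[ 1.2.3.4 1.3.4.5 ]]\n"
SAMPLE_RULES = (
    'pass udp $QUALYS any -> $HOME_NET any ( msg:"False Positive - Qualys '
    'Internal Scanner IP"; sid:5000005; rev:1; )\n'
    'pass tcp $QUALYS any -> $HOME_NET any ( msg:"False Positive - Qualys '
    'Internal Scanner IP"; sid:5000006; rev:1; )\n'
)


def lua_globals(lua_text):
    """Names assigned at the start of a line in the Lua config text."""
    return set(LUA_ASSIGN.findall(lua_text))


def check_rules(rules_text, lua_text):
    """Return (line, variable, reason) for each rule-header variable at risk."""
    defined = lua_globals(lua_text)
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        header = line.split("(", 1)[0]  # variables inside options are not checked
        is_rule = "->" in header or "<>" in header
        if line.lstrip().startswith("#") or not is_rule:
            continue
        for name in RULE_VAR.findall(header):
            if name not in defined:
                findings.append((lineno, name, UNDEFINED))
            elif not any(marker in name for marker in RULE_VAR_MARKERS):
                findings.append((lineno, name, NO_MARKER))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in check_rules(SAMPLE_RULES, SAMPLE_LUA):
        print(f"rules:{lineno}: ${name}: {reason}")
```

The check assumes one rule per line, as snort2lua output and hand-written rule files usually have.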
