[Snort-users] snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips

Russ rucombs at ...589...
Tue Feb 21 06:44:07 EST 2017



On 2/20/17 10:02 PM, Marcin Dulak wrote:
> Hi,
>
> snort3: 
> https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438
> When I use the configuration below, /etc/snort/sample.rules gets loaded.
Which means you are running from /etc/snort.
>
> RULE_PATH = '../rules'
>
> local_rules =
> [[
> include sample.rules
> ]]
>
> ips =
> {
>     rules = local_rules,
> }
>
> How to modify the configuration in order to achieve two goals:
>
> 1. use the sample.rules located under the RULE_PATH directory by 
> specifying the RULE_PATH variable, i.e. include RULE_PATH .. 
> 'sample.rules'?
RULE_PATH = '../rules/'
ips = { include = RULE_PATH .. 'sample.rules' }
>
> 2. have the sample.rules loaded without the ips option?
snort -R ../rules/sample.rules
>
>
> Marcin
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170221/727abb5e/attachment.html>


More information about the Snort-users mailing list