[Snort-users] snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips

Marcin Dulak marcin.dulak at ...11827...
Tue Feb 21 07:28:27 EST 2017


On Tue, Feb 21, 2017 at 12:44 PM, Russ <rucombs at ...589...> wrote:

>
>
> On 2/20/17 10:02 PM, Marcin Dulak wrote:
>
> Hi,
>
> snort3: https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438
> When I use the configuration below, /etc/snort/sample.rules gets loaded.
>
> Which means you are running from /etc/snort.
>
>
> RULE_PATH = '../rules'
>
> local_rules =
> [[
> include sample.rules
> ]]
>
> ips =
> {
>     rules = local_rules,
> }
>
> How to modify the configuration in order to achieve two goals:
>
> 1. use the sample.rules located under the RULE_PATH directory by
> specifying the RULE_PATH variable, i.e. include RULE_PATH .. 'sample.rules'?
>
> RULE_PATH = '../rules/'
> ips = { include = RULE_PATH .. 'sample.rules' }
>

It looks like one really needs to specify the full path (using conf_dir
defined in /etc/snort/snort.lua).
This works:

# ls -1 /etc/snort/rules/*.rules
/etc/snort/rules/host.rules
/etc/snort/rules/sample.rules

# grep RULE_PATH /etc/snort/snort_defaults.lua | grep -v IN
RULE_PATH = conf_dir .. '/rules'
ips = { include = RULE_PATH .. '/sample.rules', include = RULE_PATH .. '/host.rules' }

with:
# pwd
/root
# SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort \
    --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort -c /etc/snort/snort.lua


> 2. have the sample.rules loaded without the ips option?
>
> snort -R ../rules/sample.rules
>

So the ips variable is used to load custom rules files, even if in IDS
mode?

Marcin
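An added example, not part of the thread (neither Marcin's nor Russ's configuration, and not Snort's shipped snort.lua): a snort.lua fragment that builds `ips.rules` from a list of rule files under RULE_PATH, so every include carries an absolute path and does not depend on the directory snort is started from. It assumes `conf_dir` is set, as the RULE_PATH line from snort_defaults.lua above relies on; the file names `sample.rules` and `host.rules` come from the listing above, while the helper `include_lines` and the existence check are assumptions of this example. A Lua table constructor that repeats a key keeps only the last value, so the example concatenates the include lines into one `rules` string instead of repeating `include`.

```lua
-- Added example for this thread, not Snort's own config.
-- Assumes conf_dir is set by Snort 3 to the directory of the -c file
-- and that the listed files exist under <conf_dir>/rules.

RULE_PATH = conf_dir .. '/rules'

-- File names taken from the listing in the thread; add more here.
local rule_files = { 'sample.rules', 'host.rules' }

-- Build one 'include <absolute path>' line per file. Fail config loading
-- loudly if a file is missing rather than silently running without it.
-- (Helper name and check are this example's own, not a Snort API.)
local function include_lines(dir, files)
    local lines = {}
    for _, name in ipairs(files) do
        local path = dir .. '/' .. name
        local fh = io.open(path, 'r')
        if not fh then
            error('rules file not found: ' .. path)
        end
        fh:close()
        lines[#lines + 1] = 'include ' .. path
    end
    return table.concat(lines, '\n') .. '\n'
end

-- { include = a, include = b } would keep only b, because Lua discards
-- the earlier value for a repeated key; one rules string avoids that.
ips =
{
    enable_builtin_rules = true,              -- optional; keep built-in rules
    rules = include_lines(RULE_PATH, rule_files),
}
```

Validate the result without starting a capture by running `snort -c /etc/snort/snort.lua -T` from any directory; with absolute include paths the outcome should no longer depend on the working directory.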

>
>
> Marcin
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>
>
>
> _______________________________________________
> Snort-users mailing listSnort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!