[Snort-users] snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips

Russ rucombs at ...589...
Tue Feb 21 08:14:39 EST 2017



On 2/21/17 7:28 AM, Marcin Dulak wrote:
>
>
> On Tue, Feb 21, 2017 at 12:44 PM, Russ <rucombs at ...589... 
> <mailto:rucombs at ...589...>> wrote:
>
>
>
>     On 2/20/17 10:02 PM, Marcin Dulak wrote:
>>     Hi,
>>
>>     snort3:
>>     https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438
>>     <https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438>
>>     When I use the configuration below, /etc/snort/sample.rules gets
>>     loaded.
>     Which means you are running from /etc/snort.
>>
>>     RULE_PATH = '../rules'
>>
>>     local_rules =
>>     [[
>>     include sample.rules
>>     ]]
>>
>>     ips =
>>     {
>>         rules = local_rules,
>>     }
>>
>>     How to modify the configuration in order to achieve two goals:
>>
>>     1. use the sample.rules located under the RULE_PATH directory by
>>     specifying the RULE_PATH variable, i.e. include RULE_PATH ..
>>     'sample.rules'?
>     RULE_PATH = '../rules/'
>     ips = { include = RULE_PATH .. 'sample.rules' }
>
>
> it looks like one really needs to specify the full path (using 
> conf_dir defined in /etc/snort/snort.lua).
> This works:
>
> # ls -1 /etc/snort/rules/*.rules
> /etc/snort/rules/host.rules
> /etc/snort/rules/sample.rules
>
> # grep RULE_PATH /etc/snort/snort_defaults.lua | grep -v IN
> RULE_PATH = conf_dir .. '/rules'
> ips = { include = RULE_PATH .. '/sample.rules', include = RULE_PATH .. '/host.rules' }
This will only get one of those files loaded, depending on which 
assignment statement Lua runs with.  It is not deterministic and it is 
not something Snort can detect.

To get multiple files you will need to put additional includes in the 
ips.include file, put the includes in ips.rules, and/or use -R. Check 
for the "Loading <file>" and "Finished <file>" startup output.
>
> with:
> # pwd
> /root
> # SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort -c /etc/snort/snort.lua
>
>>
>>     2. have the sample.rules loaded without the ips option?
>     snort -R ../rules/sample.rules
>
>
> so the ips variable is used to load custom rules files, even if in IDS 
> mode?
Yes
>
> Marcin
>
>>
>>
>>     Marcin
>>
>>
>>     ------------------------------------------------------------------------------
>>     Check out the vibrant tech community on one of the world's most
>>     engaging tech sites, SlashDot.org!http://sdm.link/slashdot
>>
>>     _______________________________________________
>>     Snort-users mailing list
>>     Snort-users at lists.sourceforge.net
>>     <mailto:Snort-users at lists.sourceforge.net>
>>     Go to this URL to change user options or unsubscribe:
>>     https://lists.sourceforge.net/lists/listinfo/snort-users
>>     <https://lists.sourceforge.net/lists/listinfo/snort-users>
>>     Snort-users list archive:
>>     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>     <http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users>
>>
>>     Please visithttp://blog.snort.org  to stay current on all the latest Snort news!
>
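The fix Russ describes, written out as an added snort.lua fragment (this is not code from the thread or from the Snort project). It assumes conf_dir is defined by snort.lua as Marcin's grep shows, and that sample.rules and host.rules live under conf_dir/rules; the helper include_lines is a name chosen here.

```lua
-- Added example (not from the thread): load several custom rules files
-- through ips.rules instead of repeating the 'include' key in one table.
-- Assumes conf_dir is set by snort.lua and that the two rules files
-- exist under conf_dir/rules.

RULE_PATH = conf_dir .. '/rules'

-- Broken: two 'include' keys in one Lua table constructor. Lua keeps
-- only one value for the key, so only one file is ever loaded, and
-- Snort cannot tell that the other was silently dropped.
-- ips = { include = RULE_PATH .. '/sample.rules', include = RULE_PATH .. '/host.rules' }

-- Working: one rules string with an include line per file. Absolute
-- paths built from conf_dir make the result independent of the working
-- directory snort is started from (cf. the /etc/snort vs. /root cases above).
local rule_files = { 'sample.rules', 'host.rules' }

local function include_lines(files)
    local lines = {}
    for _, f in ipairs(files) do
        lines[#lines + 1] = 'include ' .. RULE_PATH .. '/' .. f
    end
    return table.concat(lines, '\n') .. '\n'
end

ips =
{
    rules = include_lines(rule_files),
}
```

After starting snort with this config, confirm that every file actually loaded by looking for a "Loading <file>" and matching "Finished <file>" line per rules file in the startup output; a file missing from that list is the symptom of the duplicate-key problem. The same files can alternatively be passed on the command line with -R, one per file.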

