[Snort-users] Snort3 does not use config sections

[oleg gv]

Hello,

snort3 does not use config sections which read from config file  (-c
snort.lua).

But when using cmd line - all is ok. So I can load rules only by -R option
, and not by ips = {...} section.

My config:
require("snort_config")
HOME_NET = "any"
EXTERNAL_NET = "any"
dofile("/var/lib/idsm/support/snort_defaults.lua")
dofile("/var/lib/idsm/support/file_magic.lua")
gtp_inspect = default_gtp
file_id = { file_rules = file_magic }
wizard = default_wizard
binder = .... skipped
references = default_references

classifications = default_classifications
daq={}
daq={ module_dirs = { "/usr/local/lib/snort_extra/daqs",
"/usr/local/lib/snort/daqs","/usr/local/daqm/lib/daq" },
RULE_PATH = "/var/cache/snort/rules/"

BUILTIN_RULE_PATH = "/var/cache/snort/builtin_rules/"

PLUGIN_RULE_PATH = "/var/cache/snort/so_rules/"

WHITE_LIST_PATH = "/tmp/whilte.txt"

BLACK_LIST_PATH = "/tmp/black.txt"

daq.input_spec="ethernet1"

alert_full = { file=true }

ips = { enable_builtin_rules = true,

        rules = [[

                include $RULE_PATH/my.txt

        ]]

}

Syslog at starting:

snort[7288]: o")~   Snort++ 3.0.0-243
 snort[7288]: --------------------------------------------------
snort[7288]: Loading /tmp/services/idsm/config:
snort[7288]: #011classifications
snort[7288]: #011gtp_inspect
snort[7288]: #011ips
snort[7288]: #011alert_full
snort[7288]: #011daq
snort[7288]: #011references
snort[7288]: #011binder
snort[7288]: #011wizard
snort[7288]: #011file_id
snort[7288]: Finished /tmp/services/idsm/config.
....

Syslog at exit:
Module Statistics
 --------------------------------------------------
detection                 analyzed: 611
 --------------------------------------------------
 tcp
       bad_tcp4_checksum: 55


-----
BUT when I specify rules in cmd line ( -R ) it reads it. Snort write to
syslog at start, that it read my rules:
snort[8627]: Finished /tmp/services/idsm/config.
snort[8627]: Loading rules:
snort[8627]: Loading /tmp/rules.txt:
snort[8627]: Finished /tmp/rules.txt.
snort[8627]: Finished rules.
snort[8627]: --------------------------------------------------
snort[8627]: rule counts
snort[8627]:        total rules loaded: 1
snort[8627]:                text rules: 1
snort[8627]:             option chains: 1
snort[8627]:             chain headers: 1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20180829/36ea3994/attachment.html>