Re: Error using latest ruleset with Snort++

[Russ via Snort-users <snort-users () lists snort org>]

On 7/12/17 8:03 PM, Jim Campbell wrote:
> I am moving from Snort 2.9.9.0 to Snort 3. I used Snort 2.9.9.0 for 
> quite a few months but it began to have problems so I am moving to 
> Snort 3.
>
> On 28 June 2017 there was a thread with the Subject as above. I am 
> experiencing a similar problem but with somewhat different circumstances.
>
> Just today, I formatted my hard drive on the Snort machine, Installed 
> Ubuntu 16.04 and using Noah's cookbook described in 
> "https://sublimerobots.com/2017/01/installing-snort3-in-ubuntu/"; 
> installed Snort 3. The installation went well and everything worked as 
> expected till the "snort -V" step. The installation of Hyperscan 
> seemed to go well but Hyperscan didn't appear in the list resulting 
> from "snort -V".
>
> The next step uses the default configuration file and ruleset. That 
> performed as expected. I next used snort2lua to convert my Snort 
> 2.9.9.0 configuration file to the lua format. I used the following 
> command to test the new configuration file:
>
> |/opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R 
> /opt/snort/etc/snort/sample.rules
>
> I got an immediate FATAL error:
>
> Loading /opt/snort/etc/snort/snort.lua:
> FATAL: can't init /opt/snort/etc/snort/snort.lua: 
> /opt/snort/etc/snort/sample.rules:1: '=' expected near 'tcp'
> Fatal Error, Quitting..
> |
|This looks like you are trying to load text rules into Lua.|
> |
> In the snort.lua configuration file immediately under the 
> BLACK_LIST_PATH = '/opt/snort/etc/snort/iplists'
>
> is: "include '/opt/snort/etc/snort/sample.rules'"
> |
|And that would explain it.  This line should be deleted because (a) it 
doesn't work like that and (b) you are loading the rules file with the 
-R command line argument.

Alternatively, if you want to specify the rules file in Lua, that can be 
done with:

    ips = { include = '|||/opt/snort/etc/snort/|sample.rules' }

In which case delete the -R argument.
|
> |
> If I comment out this line and re-ran the test every rule gave the 
> following kind of error:
>
> ERROR: /opt/snort/etc/snort/sample.rules:3974 invalid argument 
> classtype: = unsuccessful-user
> |
|This looks like you don't have classifications defined.  The default 
conf does it this way:

    -- near the top:

    conf_dir = os.getenv('SNORT_LUA_PATH')

    if ( not conf_dir ) then
        conf_dir = '.'
    end

    dofile(conf_dir .. '/snort_defaults.lua')

    -- ... near the bottom:

    classifications = default_classifications

Make sure you have those bits in your conf and that you have set 
SNORT_LUA_PATH in your environment to point to the directory where 
snort_defaults.lua is installed.  In your case it should be done like this:

    export SNORT_LUA_PATH=|||/opt/snort/etc/snort

You should be able to just the default config and rules w/o 
modification.  You could test that the defaults work first before making 
your changes.
||
> |
> Everything else worked correctly.
>
> Is there a workaround that I can use to get around this error?
>
> Thanks,
>
> Jim Campbell
> |
> --
> "We are not human beings having a spiritual experience;
> we are spiritual beings having a human experience."
> ---Pierre Teilhard de Chardin
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!