Snort3 Plugin IPS Option: unknown rule keyword

[Jianyu Li via Snort-users <snort-users () lists snort org>]

Hi,


I am trying to write an ips option for dpx plugin.

I copied the snort3_extra/src/ips_options/ips_pkt_num/ips_pkt_num.cc into dpx folder and did the following changes:


root@ubuntudesk1:~/snort_src/snort3_extra/src/inspectors/dpx/src# diff ips_pkt_num2.cc 
../../../ips_options/ips_pkt_num/ips_pkt_num.cc
30c30
< static const char* s_name = "pkt_num2";
---
> static const char* s_name = "pkt_num";
183c183,187
< const BaseApi* ips_pkt_num = &pkt_num_api.base;
---
> SO_PUBLIC const BaseApi* snort_plugins[] =
> {
>     &pkt_num_api.base,
>     nullptr
> };

But when I ran the snort it reported error:
root@ubuntudesk1:~# snort --plugin-path /usr/local/lib/ -c /usr/local/etc/snort/snort.lua -R rules.txt -r iec61850.pcap 
-A cmg
ERROR: rules.txt:1 unknown rule keyword: pkt_num2.

There is only one line in rules.txt:
alert tcp any any -> any any (msg:"Test"; pkt_num2:30; sid: 1000;)

The reason why I put ips_pkt_num.cc into dpx is that I wanted to use the structure(stored in flow) defined in dpx 
plugin just like what they did in modbus inspector.

It seems like this ips option wasn't loaded by snort, any idea why this error occur?

Thanks in advance!

Li


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette