Snort mailing list archives
Network variables are not preserved when using LightSPD rules
From: Dheeraj Gupta via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 26 Sep 2024 15:41:51 +0530
Hi,
I have recently been experimenting with LightSPD rules with the aim of
switching to using them in our production sensor. Thanks to earlier
responders on the list, I have a clean workflow for deploying and updating
the rule files. My workflow, in short, is:
- Create a stub file containing all custom snort.lua settings (alert_json,
reputation, daq etc.). This file gets changed very infrequently and
overrides settings as defined in lightspd policies
- Unzip the LightSPD tarball and parse the manifest to identify the correct
policy and so the rules path
- Create a soft-link at /etc/snort/sorules pointing to shared object rules
of unzipped lightspd tarball
- Recreate snort.lua by adding
include(path-to-policy-in-lightspd-tarball.lua) as first line and then
concatenating rest of stub file containing all the settings.
- Run snort with generated snort.lua and --plugin-path pointing to
/etc/snort/sorules
This setup is working great but I am unable to set the network variables
(HOME_NET etc.) correctly using this workflow.
The problem as far as I can see is that the file
policies/common/snort_variables.lua in the lightspd tarball hard-codes the
variables without allowing users to override them before the script is
called.
To get around this, in the stub file I have the following lines at the very top:
HOME_NET = 'x.x.x.x/z'
DNS_SERVERS = 'y.y.y.y'
EXTERNAL_NET = 'any'
FTP_SERVERS = HOME_NET
HTTP_SERVERS = HOME_NET
SIP_SERVERS = HOME_NET
SMTP_SERVERS = HOME_NET
SQL_SERVERS = HOME_NET
SSH_SERVERS = HOME_NET
TELNET_SERVERS = HOME_NET
nets =
{
    HOME_NET = HOME_NET,
    EXTERNAL_NET = EXTERNAL_NET,
    DNS_SERVERS = DNS_SERVERS,
    FTP_SERVERS = FTP_SERVERS,
    HTTP_SERVERS = HTTP_SERVERS,
    SIP_SERVERS = SIP_SERVERS,
    SMTP_SERVERS = SMTP_SERVERS,
    SQL_SERVERS = SQL_SERVERS,
    SSH_SERVERS = SSH_SERVERS,
    TELNET_SERVERS = TELNET_SERVERS,
}
ips.variables.nets = nets
I am essentially duplicating what snort-variables.lua does. To also
duplicate PORTS variables would add even more complexity. Also if lightspd
introduces a new variable, correctly configuring it would mean tinkering
with stub.
A better solution can be to have some sort of checks in
snort-variables.lua, as bundled with lightspd, so that any variables that
are already defined are not reset to defaults.
Is such a solution feasible or is there some other workaround available for
this?
Regards,
Dheeraj
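As an added illustration (editor's code, not from the post and not from the LightSPD tarball), the Lua below shows the two ideas the post raises side by side: the "keep it if already defined" guard the poster would like to see inside snort_variables.lua, and a stub-side merge that runs after include(policy.lua) and changes only the keys you set, so the stub no longer has to duplicate the whole nets table and a new variable added by LightSPD is simply left alone. The ips.variables.nets layout and the list of server variables aliased to HOME_NET are taken from the post; the stand-in ips table with its 'any' values, the sample addresses and the helper name apply_overrides are assumptions made so the snippet runs on its own under a plain lua interpreter.

```lua
-- Added example, not code from the post or from the LightSPD tarball.
-- Stand-in (constructed) for what policies/common/snort_variables.lua leaves
-- behind once include(policy.lua) has run: a fully populated nets table.
ips = { variables = { nets = {
    HOME_NET = 'any', EXTERNAL_NET = 'any', DNS_SERVERS = 'any',
    FTP_SERVERS = 'any', HTTP_SERVERS = 'any', SIP_SERVERS = 'any',
    SMTP_SERVERS = 'any', SQL_SERVERS = 'any', SSH_SERVERS = 'any',
    TELNET_SERVERS = 'any',
} } }

-- Idea 1: the guard the post asks for inside snort_variables.lua.
-- `or` keeps a value a previously loaded file (the stub) already defined and
-- only falls back to the default while the global is still nil.
HOME_NET = HOME_NET or 'any'
EXTERNAL_NET = EXTERNAL_NET or 'any'

-- Idea 2: a stub-side merge placed after include(policy.lua).
-- The policy evaluates FTP_SERVERS = HOME_NET eagerly, so those entries hold
-- the *old* HOME_NET string; they are re-pointed explicitly (list from the
-- post) unless the caller overrides them individually.
local HOME_NET_ALIASES = {
    'FTP_SERVERS', 'HTTP_SERVERS', 'SIP_SERVERS', 'SMTP_SERVERS',
    'SQL_SERVERS', 'SSH_SERVERS', 'TELNET_SERVERS',
}

-- apply_overrides (name is ours): copy only the given keys into `nets`,
-- leaving every other policy-defined variable untouched.
local function apply_overrides(nets, overrides)
    if overrides.HOME_NET then
        for _, name in ipairs(HOME_NET_ALIASES) do
            if overrides[name] == nil then
                nets[name] = overrides.HOME_NET
            end
        end
    end
    for name, value in pairs(overrides) do
        nets[name] = value
    end
    return nets
end

apply_overrides(ips.variables.nets, {
    HOME_NET    = '10.0.0.0/8',   -- constructed sample values
    DNS_SERVERS = '10.0.0.53',
})

-- Pre-deployment check: every variable the policy defined must still be a
-- non-empty string, i.e. nothing was dropped or reset to nil by the merge.
for name, value in pairs(ips.variables.nets) do
    assert(type(value) == 'string' and #value > 0, name .. ' is unset')
    print(name, value)
end
```

In the real stub the ips table already exists when the merge runs, so only the HOME_NET_ALIASES list, apply_overrides and the call with your own addresses are needed; the stand-in table at the top exists purely so the snippet can be executed outside Snort. Note that an alias is re-pointed by name rather than by comparing strings, because a default of 'any' is shared by EXTERNAL_NET and a value-based match would silently fold it into HOME_NET.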