Re: [Snort-users] Network variables are not preserved when using LightSPD rules

[Dheeraj Gupta via Snort-sigs <snort-sigs () lists snort org>]

On Thu, 26 Sept 2024 at 16:43, Oleksii Shumeiko -X (oshumeik - SOFTSERVE
INC at Cisco) <oshumeik () cisco com> wrote:

> I think, you can combine approaches.
>
> Set Lua variables before the script (it should pick them up and configure
> default values for all related IPS variables), then override targeted
> variables after the script:
>
> HOME_NET = 'x.x.x.x/z'
> EXTERNAL_NET = 'any'
>
> include(policy.lua)

This does not work because include(policy.lua) contains
include(snort_variables.lua) which resets HOME_NET and EXTERNAL_NET to any

E.g. suppose we create snort3.lua

HOME_NET = '10.0.0.0/24'
DNS_SERVERS = '10.0.0.2'

include('/etc/snort_lightspd/lightspd/policies/3.1.0.0-0/balanced-security-and-connectivity.lua')



Running snort with -T and --dump-config

(/usr/sbin/snort --pedantic -y -c /etc/snort_lightspd/snort3.lua -i ens10
--plugin-path /etc/snort_lightspd/sorules/ -s 65535 -l /snort/ -u snort -g
snort --id-zero --id-subdir --run-prefix 'snort_' -T --dump-config all | jq
-Mr ".[0].config.ips.variables.nets")
{
  "DNS_SERVERS": "any",
  "EXTERNAL_NET": "any",
  "FTP_SERVERS": "any",
  "HOME_NET": "any",
  "HTTP_SERVERS": "any",
  "SIP_SERVERS": "any",
  "SMTP_SERVERS": "any",
  "SQL_SERVERS": "any",
  "SSH_SERVERS": "any",
  "TELNET_SERVERS": "any"
}

Thanks,
Dheeraj

> On 26 Sep 2024, at 14:06, Dheeraj Gupta <dheeraj.gupta4 () gmail com> wrote:
>
> Hi Oleksii,
>
> That is a good idea!
>
> The only downside is that to change HOME_NET would mean changing all
> connected variables (like you have shown in your example). Also if new
> FOO_SERVERS variable gets introduced, it won't be set correctly until I
> change the stub and account for it.
>
> What I had in mind is setting HOME_NET='x.x.x.x/y' at top of snort.lua
> file and then when include('whatever-policy.lua') happens, the
> `snort_variables.lua` preserves any variables that might already be defined
> while setting others.
>
> Thanks,
> Dheeraj
>
> On Thu, 26 Sept 2024 at 16:18, Oleksii Shumeiko -X (oshumeik - SOFTSERVE
> INC at Cisco) <oshumeik () cisco com> wrote:
>
> > Hi,
> >
> > > over-ride them before the script is called
> >
> > You can override variables *after* the script is called.
> > Just put the following lines at the end of the main config file
> > (snort.lua):
> >
> > ips.variables.net.HOME_NET = 'x.x.x.x/z'
> > ips.variables.net.DNS_SERVERS = 'y.y.y.y'
> > ips.variables.net.EXTERNAL_NET = 'any'
> > ips.variables.net.FTP_SERVERS = HOME_NET
> > ips.variables.net.HTTP_SERVERS = HOME_NET
> > ips.variables.net.SIP_SERVERS = HOME_NET
> > ips.variables.net.SMTP_SERVERS = HOME_NET
> > ips.variables.net.SQL_SERVERS = HOME_NET
> > ips.variables.net.SSH_SERVERS = HOME_NET
> > ips.variables.net.TELNET_SERVERS = HOME_NET
> >
> > Port variables can be overridden the same way:
> > ips.variables.ports.NN = 12345
> >
> >
> > Regards,
> > Alexey
> >
> > On 26 Sep 2024, at 13:11, Dheeraj Gupta via Snort-users <
> > snort-users () lists snort org> wrote:
> >
> > over-ride them before the script is called
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!