Snort mailing list archives
Re: [Snort-users] Network variables are not preserved when using LightSPD rules
From: "Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) via Snort-sigs" <snort-sigs () lists snort org>
Date: Thu, 26 Sep 2024 11:13:52 +0000
I think you can combine approaches.
Set Lua variables before the script (it should pick them up and configure default values for all related IPS
variables), then override targeted variables after the script:

HOME_NET = 'x.x.x.x/z'
EXTERNAL_NET = 'any'
include('policy.lua')
ips.variables.net.DNS_SERVERS = 'y.y.y.y'
ips.variables.net.FOO_SERVERS = 'z.z.z.z' -- any new variable should be changed thoughtfully (not overridden automatically).

On 26 Sep 2024, at 14:06, Dheeraj Gupta <dheeraj.gupta4 () gmail com> wrote:
Hi Oleksii,
That is a good idea!
The only downside is that to change HOME_NET would mean changing all connected variables (like you have shown in your
example). Also, if a new FOO_SERVERS variable gets introduced, it won't be set correctly until I change the stub and
account for it.
What I had in mind is setting HOME_NET='x.x.x.x/y' at the top of the snort.lua file and then when
include('whatever-policy.lua') happens, the `snort_variables.lua` preserves any variables that might already be defined
while setting others.
Thanks,
Dheeraj
On Thu, 26 Sept 2024 at 16:18, Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik () cisco com> wrote:
Hi,
over-ride them before the script is called
You can override variables after the script is called. Just put the following lines at the end of the main config file (snort.lua):

ips.variables.net.HOME_NET = 'x.x.x.x/z'
ips.variables.net.DNS_SERVERS = 'y.y.y.y'
ips.variables.net.EXTERNAL_NET = 'any'
ips.variables.net.FTP_SERVERS = HOME_NET
ips.variables.net.HTTP_SERVERS = HOME_NET
ips.variables.net.SIP_SERVERS = HOME_NET
ips.variables.net.SMTP_SERVERS = HOME_NET
ips.variables.net.SQL_SERVERS = HOME_NET
ips.variables.net.SSH_SERVERS = HOME_NET
ips.variables.net.TELNET_SERVERS = HOME_NET

Port variables can be overridden the same way:

ips.variables.ports.NN = 12345

Regards,
Alexey
On 26 Sep 2024, at 13:11, Dheeraj Gupta via Snort-users <snort-users () lists snort org> wrote:
over-ride them before the script is called
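An added example, not part of the original thread and not the LightSPD script: a plain-Lua sketch of the ordering discussed above (site values before the include, defaults that keep already-set values, a targeted override afterwards), ending with a check that fails if a site value was replaced. `apply_policy_defaults`, `keep_or`, the stand-in `ips` table and the addresses are hypothetical, constructed for illustration.

```lua
-- Stand-alone sketch: runs under plain Lua, no Snort needed.
-- apply_policy_defaults() is a hypothetical stand-in for the included policy
-- script; it is NOT the LightSPD snort_variables.lua.

-- 1. Site values set before the include (constructed sample addresses).
HOME_NET = '192.0.2.0/24'
EXTERNAL_NET = 'any'

-- Keep a global the operator already set, otherwise use the default.
local function keep_or(name, default)
    local v = _G[name]
    if v == nil then return default end
    return v
end

local function apply_policy_defaults()
    ips = ips or {}
    ips.variables = ips.variables or {}
    local net = ips.variables.net or {}
    ips.variables.net = net
    net.HOME_NET = keep_or('HOME_NET', 'any')
    net.EXTERNAL_NET = keep_or('EXTERNAL_NET', 'any')
    -- Server groups follow HOME_NET unless the operator pre-set them, so a
    -- newly introduced group (FOO_SERVERS) needs no change on the site side.
    for _, name in ipairs({ 'DNS_SERVERS', 'HTTP_SERVERS', 'SMTP_SERVERS',
                            'SQL_SERVERS', 'SSH_SERVERS', 'FOO_SERVERS' }) do
        net[name] = keep_or(name, net.HOME_NET)
    end
end

-- 2. In a real snort.lua the include() call sits here.
apply_policy_defaults()

-- 3. Targeted override after the include.
ips.variables.net.DNS_SERVERS = '198.51.100.53'

-- 4. Fail loudly if the include replaced a site value with a default.
local expected = { HOME_NET = '192.0.2.0/24', DNS_SERVERS = '198.51.100.53',
                   FOO_SERVERS = '192.0.2.0/24' }
for name, want in pairs(expected) do
    local got = ips.variables.net[name]
    assert(got == want, name .. ' is ' .. tostring(got) .. ', expected ' .. want)
end
print('network variables preserved')
```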
