Snort mailing list archives

Re: Snort 3 rule variables


From: Russ <rucombs () cisco com>
Date: Thu, 24 Dec 2015 10:41:05 -0500



On 12/22/15 3:16 AM, Aurimas Rudinskis wrote:
Hi,

I have some custom Snort 2.9.x rules which I've converted to Snort3-a3 using snort2lua. When running "snort -c /etc/snort/snort.lua -R /etc/snort/rules/global.lua" I'm getting errors about "Undefined variable in the string". All variables used in the rules are described in snort.lua configuration.

Rules:
pass udp $QUALYS any -> $HOME_NET any ( msg:"False Positive - Qualys Internal Scanner IP"; sid:5000005; rev:1; )
pass tcp $QUALYS any -> $HOME_NET any ( msg:"False Positive - Qualys Internal Scanner IP"; sid:5000006; rev:1; )

Variable QUALYS in snort.lua:
QUALYS = [[ 1.2.3.4 1.3.4.5 ]]

Errors:
ERROR: /etc/snort/rules/global.lua:29 Undefined variable in the string: $QUALYS.
ERROR: /etc/snort/rules/global.lua:30 Undefined variable in the string: $QUALYS.

Do I need to add variables to Snort 3 rules? How to solve this?

Change the name from QUALYS to QUALYS_PORTS, etc. Snort++ only gives special treatment to Lua variables with PATH, PORT, NET, and SERVER in the name.

--
Linkėjimai/Regards,
*Aurimas Rudinskis*


------------------------------------------------------------------------------


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
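
A checker for the naming rule described in the reply above, as an added example that is not part of the original thread or of Snort itself: it scans rule headers for $variables and flags those whose Lua names lack PATH, PORT, NET or SERVER. The sample config and rules are constructed from the thread (the HOME_NET value is made up), and the plain substring match is an assumption based on the reply's wording.

```python
import re

# Per the reply above: Snort++ only gives special treatment to Lua variables
# whose name contains one of these substrings (substring match is assumed).
SPECIAL = ("PATH", "PORT", "NET", "SERVER")

# Constructed sample input modelled on the thread; HOME_NET value is made up.
SNORT_LUA = """
HOME_NET = [[ 10.0.0.0/8 ]]
QUALYS = [[ 1.2.3.4 1.3.4.5 ]]
"""
RULES = """
pass udp $QUALYS any -> $HOME_NET any ( msg:"False Positive - Qualys Internal Scanner IP"; sid:5000005; rev:1; )
pass tcp $QUALYS any -> $HOME_NET any ( msg:"False Positive - Qualys Internal Scanner IP"; sid:5000006; rev:1; )
"""

def lua_globals(lua_text):
    """Names assigned at the start of a line, e.g. `QUALYS = [[ ... ]]`."""
    return set(re.findall(r"^([A-Za-z_]\w*)\s*=", lua_text, re.MULTILINE))

def rule_header_vars(rule):
    """$VARS in the rule header (everything before the option list)."""
    header = rule.split("(", 1)[0]
    return re.findall(r"\$(\w+)", header)

def lint(lua_text, rules_text):
    """Return (line_no, sid, var, reason) for each variable likely to fail."""
    defined = lua_globals(lua_text)
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = re.search(r"\bsid\s*:\s*(\d+)", line)
        for var in dict.fromkeys(rule_header_vars(line)):  # de-duplicate
            if var not in defined:
                reason = "not defined in config"
            elif not any(k in var for k in SPECIAL):
                reason = "defined, but name lacks PATH/PORT/NET/SERVER"
            else:
                continue
            findings.append((n, sid.group(1) if sid else None, var, reason))
    return findings

if __name__ == "__main__":
    for n, sid, var, reason in lint(SNORT_LUA, RULES):
        print(f"rules line {n} (sid {sid}): ${var}: {reason}")
```

Running it on a converted rule set before starting Snort lists every variable that would trigger the "Undefined variable in the string" error for this reason, so they can be renamed in one pass.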
