Snort mailing list archives

Re: snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips

From: Russ <rucombs () cisco com>
Date: Tue, 21 Feb 2017 06:44:07 -0500



On 2/20/17 10:02 PM, Marcin Dulak wrote:

Hi,
snort3:https://github.com/snortadmin/snort3/commit/a9f9bd38ced24da8196746074ef60a73d3bf0438
When I use the configuration below, /etc/snort/sample.rules gets loaded.

Which means you are running from /etc/snort.

RULE_PATH = '../rules'

local_rules =
[[
include sample.rules
]]

ips =
{
    rules = local_rules,
}

How to modify the configuration in order to achieve two goals:
1. use the sample.rules located under the RULE_PATH directory byspecifying the RULE_PATH variable, i.e. include RULE_PATH ..'sample.rules'?

RULE_PATH = '../rules/'
ips = { include = RULE_PATH .. 'sample.rules' }


2. have the sample.rules loaded without the ips option?

snort -R ../rules/sample.rules



Marcin


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips Marcin Dulak (Feb 20)
- Re: snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips Russ (Feb 21)
  - Re: snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips Marcin Dulak (Feb 21)
    - Re: snort3: snort_defaults.lua pattern to include custom rules files and the meaning of ips Russ (Feb 21)