Snort mailing list archives
Re: Snort 3 rules not loading
From: Stephen Stark <logic4life () gmail com>
Date: Thu, 16 Mar 2017 18:33:08 -0400
Thanks. That was it. I must have missed the -Q for inline mode.

On Mar 16, 2017 6:21 PM, "Russ" <rucombs () cisco com> wrote:
That should work if you run inline by adding -Q to your command line. How were you injecting the packets with 2.X Snort?

On 3/15/17 2:52 PM, Stephen Stark wrote:

Hello,

I am running snort-3.0.0-a4-228. I am having a problem loading any reject rules. When I start snort it will say "Finished rules." and will not show rule counts. I am guessing they are not being loaded. If I change my rule to be an alert then the rule count shows 1 rule.

An example of my rule below works:

    alert tcp any any -> any any (msg:"TCP reddit"; appids:"reddit";)

But if I change it to a reject they do not show up in the rule count. This does not work:

    reject tcp any any -> any any (msg:"TCP Dropped reddit"; appids:"reddit";)

Why is this not loading?

Snippets from my snort.lua (I have appid on):

    appid =
    {
        app_detector_dir = '/usr/local/cisco',
        log_stats = true,
        app_stats_period = 10,
    }

    react =
    {
        --option change: 'config react:' --> 'page'
        page = '/etc/snort/block.html',
    }

    reject =
    {
        reset = 'both',
    }

    ips =
    {
        include = 'new.rules',
    }

This is what's loaded, correct?

    Loading test.lua:
    ssh rpc_decode pop binder stream_tcp unified2 network stream_ip dce_http_proxy normalizer telnet ftp_server reputation stream_udp daq detection search_engine modbus classifications ips react appid process event_queue sip dnp3 ssl active dce_http_server dce_tcp dce_smb smtp reject ftp_client http_inspect stream references dns dce_udp imap

Even when I converted my rules file with snort2lua it created reject rules, but they would not work either. Anyone have this problem or know if my configuration is not correct? I would like the TCP reset sent to both ends. I had this working in version 2.9.9 using the rule below:

    drop tcp any any -> any any (msg:'UDP Dropped: reddit'; appid: reddit; sid:12000016; rev:1;)

Any help would be great!

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort! Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
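Added here as a pre-flight check, not code from the thread or from the Snort project: a small Python lint that parses a Snort 3 rules file, flags rule actions such as reject that only take effect in inline mode (-Q), and flags Snort 2.x `appid:` options that should be `appids:` in Snort 3. The rule-header grammar and the inclusion of `drop` in INLINE_ACTIONS are assumptions; the sample rules are the three quoted in the thread.

```python
import re
from dataclasses import dataclass
# Actions that only act when Snort 3 runs inline (-Q): 'reject' per the thread,
# 'drop' added here as an assumption.
INLINE_ACTIONS = {"reject", "drop"}
# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+\w+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)$")
# Split on ';' only outside double-quoted values such as msg:"a; b"
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

# Constructed sample: the three rules quoted in the thread.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"TCP reddit"; appids:"reddit";)
reject tcp any any -> any any (msg:"TCP Dropped reddit"; appids:"reddit";)
drop tcp any any -> any any (msg:'UDP Dropped: reddit'; appid: reddit; sid:12000016; rev:1;)
"""

@dataclass
class Finding:
    line: int
    action: str
    sid: str            # '' when the rule has no sid
    needs_inline: bool  # action does nothing without -Q
    legacy_appid: bool  # Snort 2.x 'appid:' instead of Snort 3 'appids:'

def parse_options(opts):
    """Turn 'k:v; k2:v2;' into a dict; flag-style options map to ''."""
    result = {}
    for item in OPT_SPLIT_RE.split(opts):
        if item.strip():
            key, _, value = item.partition(":")
            result[key.strip()] = value.strip()
    return result

def lint_rules(text):
    """Parse each rule line; report inline-only actions and 2.x option syntax."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = HEADER_RE.match(raw.strip())
        if not m or raw.lstrip().startswith("#"):
            continue  # blank, comment, or not a rule header
        opts = parse_options(m.group("opts"))
        findings.append(Finding(n, m.group("action"), opts.get("sid", ""),
                                m.group("action") in INLINE_ACTIONS,
                                "appid" in opts))
    return findings

def needs_q_flag(text, argv):
    return any(f.needs_inline for f in lint_rules(text)) and "-Q" not in argv  # True = misconfigured
```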
Current thread:
- Snort 3 rules not loading Stephen Stark (Mar 15)
- Re: Snort 3 rules not loading Russ (Mar 16)
- Re: Snort 3 rules not loading Stephen Stark (Mar 16)
- Re: Snort 3 rules not loading Russ (Mar 16)