Snort mailing list archives
Re: Snort 3 Config File Question (2)
From: Marcin Dulak via Snort-users <snort-users () lists snort org>
Date: Thu, 20 Jul 2017 03:44:39 +0200
On Wed, Jul 19, 2017 at 8:37 PM, Marcin Dulak <marcin.dulak () gmail com> wrote:
On Wed, Jul 19, 2017 at 8:05 PM, Jim Campbell <jim () w4bqp net> wrote:

I can run Snort 3 from a command-line on my login using the following:

sudo /opt/snort/bin/snort --daq afpacket -Q -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/snort3.rules -i enp1s0:enp4s0 -A unified2

I created a systemd startup script as per the instructions at:
http://sublimerobots.com/2017/01/snort-2-9-9-x-ubuntu-systemd-scripts/

My systemd script for Snort is as follows:

[Unit]
Description=Snort NIPS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/opt/snort/bin/snort --daq afpacket -Q -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/snort3.rules -i enp1s0:enp4s0 -A unified2

[Install]
WantedBy=multi-user.target

Note: I'm using a similar script for Barnyard2 and it works with no problem.

When I (re)start snort with the command "sudo systemctl restart snort" I get the following error:

Jul 19 13:25:31 jim-IPS snort[8373]: FATAL: can't init /opt/snort/etc/snort/snort.lua: error loading module 'snort_config' from file '/usr/lib/x86_64-linux-gnu/lua/5.1/snort_config.so':

I have snort_config in /opt/snort/etc/snort. There is a snort_config.lua in /opt/snort/include/snort/lua.

From printenv:
- SNORT_LUA_PATH=/opt/snort/etc/snort/
- LUA_PATH=/opt/snort/include/snort/lua/?.lua;;

In my environment Snort is getting the correct environment variables. In the systemd environment it isn't.

QUESTION: How do I pass the correct environment variables to systemd?

https://github.com/marcindulak/vagrant-snort-nfqueue-tutorial-centos7/blob/master/spec/snort/snort.service
Instead of just a link it's better to also have the example. The file contents below are to be installed as /usr/lib/systemd/system/snort@.service and used with:

systemctl start snort@enp0s8

where enp0s8 is the interface name. There is also a good example of snort with systemd at https://wiki.archlinux.org/index.php/snort

[Unit]
Description=Snort on '%I'
After=syslog.target network.target

[Service]
Restart=on-failure
# root needed for nfq inline
User=root
Group=snort
#We probably want to disable gro etc.
#ExecStartPre=/sbin/ethtool -K %I tx off rx off tso off gso off gro off
Environment=LUA_PATH=/usr/include/snort/lua/?.lua
Environment=SNORT_LUA_PATH=/etc/snort
ExecStart=/usr/sbin/snort -d -Q --daq-dir /usr/lib64/daq --daq nfq -l /var/log/snort -c /etc/snort/snort.lua -A unified2 -v --plugin-path LIBDIR/snort_extra
ExecStartPre=/bin/sh -c '/usr/sbin/iptables -t filter -C INPUT -i %I -j NFQUEUE --queue-num 0 --queue-bypass || /usr/sbin/iptables -t filter -I INPUT -i %I -j NFQUEUE --queue-num 0 --queue-bypass'
ExecStartPre=/bin/sh -c '/usr/sbin/iptables -t filter -C OUTPUT -o %I -j NFQUEUE --queue-num 0 --queue-bypass || /usr/sbin/iptables -t filter -I OUTPUT -o %I -j NFQUEUE --queue-num 0 --queue-bypass'
ExecStopPost=/bin/sh -c '/usr/sbin/iptables -t filter -C INPUT -i %I -j NFQUEUE --queue-num 0 --queue-bypass && /usr/sbin/iptables -t filter -D INPUT -i %I -j NFQUEUE --queue-num 0 --queue-bypass'
ExecStopPost=/bin/sh -c '/usr/sbin/iptables -t filter -C OUTPUT -o %I -j NFQUEUE --queue-num 0 --queue-bypass && /usr/sbin/iptables -t filter -D OUTPUT -o %I -j NFQUEUE --queue-num 0 --queue-bypass'

[Install]
Alias=multi-user.target.wants/snort@%i.service

Marcin
Marcin

Thank you, Jim

--
"We are not human beings having a spiritual experience; we are spiritual beings having a human experience." ---Pierre Teilhard de Chardin

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
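The root cause in Jim's question is that a systemd service does not inherit the environment of an interactive login (no ~/.profile, no shell rc files), so the SNORT_LUA_PATH and LUA_PATH that printenv shows in his session are simply absent when systemd starts snort, and the Lua loader falls back to the system-wide search path. The following is an added example, not code from the thread, from Marcin's repository or from the Snort project: Jim's own afpacket unit with the two variables from his printenv set explicitly via Environment=, plus a small POSIX sh check that reads the assignments back out of the unit file before the service is started. The paths, interfaces and values are taken from Jim's post; the /tmp location used for the demonstration and the helper function names are assumptions.

```sh
#!/bin/sh
# Added example: a snort.service for an afpacket inline sensor that passes
# the Lua search paths explicitly, with a check that parses them back out.
# Default target is /tmp for the demo; a real install goes to
# /etc/systemd/system/snort.service (assumption: local, unpackaged unit).
UNIT_FILE="${UNIT_FILE:-/tmp/snort.service}"

# write_unit FILE: write the unit. Values follow Jim's printenv output;
# the trailing ';;' in LUA_PATH makes Lua append its default search path.
write_unit() {
  cat > "$1" <<'EOF'
[Unit]
Description=Snort NIPS Daemon
After=syslog.target network.target

[Service]
Type=simple
# A service started by systemd does not get the login shell's environment,
# so anything printenv shows in an interactive session must be set here.
Environment=SNORT_LUA_PATH=/opt/snort/etc/snort/
Environment=LUA_PATH=/opt/snort/include/snort/lua/?.lua;;
ExecStart=/opt/snort/bin/snort --daq afpacket -Q -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/snort3.rules -i enp1s0:enp4s0 -A unified2
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# unit_env FILE NAME: print the value that an Environment= line in FILE
# assigns to NAME (last assignment wins, as in systemd). Only the simple
# unquoted 'Environment=NAME=value' form used above is handled.
unit_env() {
  sed -n "s/^Environment=$2=//p" "$1" | tail -n 1
}

# check_unit FILE: exit non-zero with a message if either path is missing,
# which is exactly the condition that produced Jim's FATAL error.
check_unit() {
  for name in SNORT_LUA_PATH LUA_PATH; do
    if [ -z "$(unit_env "$1" "$name")" ]; then
      echo "$1: $name is not set in [Service]" >&2
      return 1
    fi
  done
  return 0
}

write_unit "$UNIT_FILE"
check_unit "$UNIT_FILE" && echo "LUA_PATH=$(unit_env "$UNIT_FILE" LUA_PATH)"
```

After copying the unit into place, run `systemctl daemon-reload` and confirm what the manager will actually hand to the process with `systemctl show -p Environment snort.service`; if the values should live outside the unit (for example to keep them in sync with a profile script), `EnvironmentFile=/etc/default/snort` (a name assumed here) is the systemd directive for that. Note that, like Jim's original and Marcin's nfq template, this unit runs snort as root with no sandboxing; the inline afpacket DAQ needs raw socket privileges, so at minimum keep the rules and configuration directories writable only by root.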
Current thread:
- Snort 3 Config File Question (2) Jim Campbell (Jul 19)
- Re: Snort 3 Config File Question (2) Marcin Dulak via Snort-users (Jul 19)
- Re: Snort 3 Config File Question (2) Marcin Dulak via Snort-users (Jul 19)
- Re: Snort 3 Config File Question (2) Stéphane Descary via Snort-users (Jul 19)
- Re: Snort 3 Config File Question (2) Jim Campbell (Jul 19)
- Re: Snort 3 Config File Question (2) Marcin Dulak via Snort-users (Jul 19)