Snort mailing list archives

Re: improper warning with snort 3.0.1 b2


From: "Russ Combs (rucombs) via Snort-devel" <snort-devel () lists snort org>
Date: Sun, 26 Apr 2020 22:56:46 +0000

Hey Noah,

The default snort.lua should have, ignoring comments, appid = { }.  That will generate this warning:

    WARNING: install/etc/snort/snort.lua: appid: app_detector_dir not configured; no support for appids in rules.

It is a warning, not fatal, and it is output because appid has limited functionality without any Lua detectors.

Russ

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Noah Dietrich <noah_dietrich () 86penny org>
Date: Saturday, April 25, 2020 at 12:54 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] improper warning with snort 3.0.1 b2

I'm not sure the following warning should be displayed when running snort 3 with OpenAppID enabled.  I suspect it will 
confuse less technical users and users that aren't experienced with OpenAppID.  It might seem like a small thing, but I 
tend to get emails from people following the Ubuntu Snort++ guide who get stuck because they think the below warning is 
a fatal error.

The warning is: WARNING: appid: no lua detectors found in directory '/usr/local/lib/custom/lua/*'

Running snort as follows:
snort -c /usr/local/etc/snort/snort.lua --warn-all

The only modification to the default snort.lua is to enable OpenAppID:
appid =
{
    app_detector_dir = '/usr/local/lib',
}

the output:
...
Finished /usr/local/etc/snort/snort.lua:
WARNING: appid: no lua detectors found in directory '/usr/local/lib/custom/lua/*'
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 1 warnings).
o")~   Snort exiting
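
Added example (not part of the original thread and not Snort project code): a shell filter that classifies captured `snort -c ... --warn-all` output using only the two markers visible in the output quoted above, so a non-fatal warning such as the appid one is not read as a failed validation. The function names and status strings are hypothetical, and the sample input is constructed from the output in this thread.

```shell
#!/bin/sh
# Classify captured output of `snort -c <conf> --warn-all` (read on stdin).
# Markers taken from the output quoted in the thread:
#   lines starting with "WARNING:" and the line
#   "Snort successfully validated the configuration".
# Prints one of (hypothetical labels): ok, ok-with-warnings, not-validated
classify_snort_validation() {
    awk '
        /^WARNING:/ { warnings++ }
        /Snort successfully validated the configuration/ { validated = 1 }
        END {
            if (!validated)        print "not-validated"
            else if (warnings > 0) print "ok-with-warnings"
            else                   print "ok"
        }'
}

# Print only the warning lines so each one can be reviewed on its own.
list_snort_warnings() {
    grep '^WARNING:' || true
}

# Gate for an install script or CI job: warnings pass, a missing
# success line fails. Prints the status and returns 0 or 1.
snort_validation_gate() {
    status=$(classify_snort_validation)
    printf '%s\n' "$status"
    [ "$status" != "not-validated" ]
}

# Constructed sample: the validation output shown in the thread.
sample_with_warning() {
cat <<'EOF'
Finished /usr/local/etc/snort/snort.lua:
WARNING: appid: no lua detectors found in directory '/usr/local/lib/custom/lua/*'
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 1 warnings).
EOF
}

sample_with_warning | list_snort_warnings
sample_with_warning | snort_validation_gate
```

In practice the input would be the saved output of the `snort -c /usr/local/etc/snort/snort.lua --warn-all` run shown above, piped into `snort_validation_gate`.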

