Snort mailing list archives
Re: Snort-devel Digest, Vol 57, Issue 9
From: Dorian ROSSE via Snort-devel <snort-devel () lists snort org>
Date: Fri, 8 Apr 2022 19:45:32 +0000
Dear Oleksandr,

You have the truth for snort_defaults.lua: if I run it with the tweaks and balanced options it runs, but I don't understand from the shell how many rules I run:

    'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort_defaults.lua --tweaks balanced -s 65535 -k all -l /var/log/snort -i enp0s25 -m 0x1b
    --------------------------------------------------
    o")~ Snort++ 3.1.21.0
    --------------------------------------------------
    Loading /usr/local/etc/snort/snort_defaults.lua:
    active alerts daq decode host_cache host_tracker hosts network packets process search_engine so_proxy trace output
    Finished /usr/local/etc/snort/snort_defaults.lua:
    --------------------------------------------------
    pcap DAQ configured to passive.
    Commencing packet processing
    ++ [0] enp0s25'

but the tweaks and balanced options don't succeed in running with the snort.lua file:

    'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua --tweaks balanced
    --------------------------------------------------
    o")~ Snort++ 3.1.21.0
    --------------------------------------------------
    Loading /usr/local/etc/snort/snort.lua:
    Loading snort_defaults.lua:
    Finished snort_defaults.lua:
    Loading file_magic.lua:
    Finished file_magic.lua:
    Loading inline.lua:
    Finished inline.lua:
    Loading talos.lua:
    Finished talos.lua:
    Loading balanced.lua:
    Finished balanced.lua:
    snort dnp3 dce_smb dce_tcp dce_udp dce_http_proxy dce_http_server ftp_server http_inspect output alert_json ips classifications references binder wizard detection reputation
    Processing blocklist file /usr/local/etc/snort/../lists/default.blocklist
    Reputation entries loaded: 1216, invalid: 0, re-defined: 0 (from file /usr/local/etc/snort/../lists/default.blocklist)
    appid file_policy file_id http2_inspect ftp_data ftp_client smtp gtp_inspect telnet ssl ssh sip rpc_decode pop normalizer netflow modbus iec104 imap dns back_orifice stream_file stream_udp stream_icmp stream_ip stream profiler alert_talos so_proxy search_engine process packets network trace active alerts daq decode host_cache host_tracker hosts stream_tcp stream_user
    Finished /usr/local/etc/snort/snort.lua:
    --------------------------------------------------
    rule counts
    total rules loaded: 600
    builtin rules: 600
    option chains: 600
    chain headers: 1
    --------------------------------------------------
    port rule counts
               tcp     udp    icmp      ip
       any     600       0       0       0
     total     600       0       0       0
    --------------------------------------------------
    ips policies rule stats
        id  loaded  shared enabled    file
         0     600       0     600    /usr/local/etc/snort/snort.lua
    --------------------------------------------------
    dump:pcap DAQ configured to inline.
    Commencing packet processing
    Couldn't construct a DAQ instance: pcap_daq_instantiate: Couldn't open file '' for reading: No such file or directory (-2)
    --------------------------------------------------
    Packet Statistics
    --------------------------------------------------
    Module Statistics
    --------------------------------------------------
    Summary Statistics
    --------------------------------------------------
    timing
    runtime: 00:00:00
    seconds: 0.000235
    o")~ Snort exiting'

and that fails too on snort.lua with tweaks and connectivity, thus snort_defaults with tweaks and connectivity runs well:

    'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua --tweaks connectivity
    --------------------------------------------------
    o")~ Snort++ 3.1.21.0
    --------------------------------------------------
    Loading /usr/local/etc/snort/snort.lua:
    Loading max_detect.lua:
    ERROR: max_detect.lua:1 can't init /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/max_detect.lua:9: attempt to index global 'ftp_server' (a nil value)
    --------------------------------------------------
    pcap DAQ configured to passive.
    FATAL: see prior 1 errors (0 warnings)
    Fatal Error, Quitting..'

with max_detect:

    'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua --tweaks max_detect
    --------------------------------------------------
    o")~ Snort++ 3.1.21.0
    --------------------------------------------------
    Loading /usr/local/etc/snort/snort.lua:
    Loading max_detect.lua:
    ERROR: max_detect.lua:1 can't init /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/max_detect.lua:9: attempt to index global 'ftp_server' (a nil value)
    --------------------------------------------------
    pcap DAQ configured to passive.
    FATAL: see prior 1 errors (0 warnings)
    Fatal Error, Quitting..'

with security:

    'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua --tweaks security
    --------------------------------------------------
    o")~ Snort++ 3.1.21.0
    --------------------------------------------------
    Loading /usr/local/etc/snort/snort.lua:
    Loading security.lua:
    ERROR: security.lua:1 can't init /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/security.lua:8: attempt to index global 'ftp_server' (a nil value)
    --------------------------------------------------
    pcap DAQ configured to passive.
    FATAL: see prior 1 errors (0 warnings)
    Fatal Error, Quitting..'

I have sent a new e-mail to three Snort lists because I haven't understood some of the design for running snort.lua without max-detect, security, balanced and connectivity. Finally I have understood how to run snort_defaults with the option (thank you), but I haven't understood why I have only 600 rules with your snort.lua when I succeeded in launching all rules, thus I hope to have a smart answer from another Cisco worker. Have a nice weekend from France, the sun has set and it is twenty-two to quarter,

Regards.

Dorian ROSSE.
________________________________
From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Friday, 8 April 2022 20:59
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Dorian,

There are four policy configuration files provided in the Snort3 GitHub repo (under the "lua" directory). Each of them provides a specific level of how deeply inspection will be performed. However, the cost to pay is Snort3 performance, which reflects on network throughput when traffic goes through Snort3. The list of policies (from "faster" to "slower"):

1. connectivity.lua
2. balanced.lua
3. security.lua
4. max_detect.lua

However, those files are not designed to be included as a standalone file. First, your custom configuration file should contain the inclusion of "snort.lua" (the one from the Snort3 repo), and then – the inclusion of the policy config file.

Another way to proceed is tweaking the configuration from the CLI as follows:

    snort -c snort.lua --tweaks balanced

If you don’t need any policy, just load the "snort.lua" file only.

To build your custom configuration, creating a configuration file from scratch is a good idea, but don’t forget to include "snort_defaults.lua" in this case. It contains a lot of common useful things for any meaningful configuration.

To summarize:

1. You need basic configuration – use the provided "snort.lua" configuration file
2. You need to adjust the basic configuration with some policy to tweak the performance hit – use the provided "snort.lua" with one of the provided policies
3. You need some specific configuration – craft your own configuration file. Optionally, include the provided "snort_defaults.lua" to get some standard things on board

Addressing your questions about config loading errors, the fix should be to follow my recommendations above on how to go about configuring Snort3. I suspect your config file contains multiple inclusions of policies, misses the provided "snort.lua" and maybe has some other inconsistencies in inclusion ordering or wrong inclusions/loaded files.

You can use the provided "snort.lua" file as a template to craft a custom config. Just edit it by uncommenting/commenting modules there or making additions. Do not include policies if you don’t need them. Otherwise, use the CLI command above to get policy tweaks in use.

Thanks,
Oleksandr Serhiienko <oserhiie () cisco com>

From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Friday, 8 April 2022, 19:28
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,

This must be a good thing to seek what is bad in balanced.lua. If I run 'snort -c the_snort_balanced_lua' I fall on the same error, but I have run only balanced.lua. Can you repair the files, or may I ask another Cisco worker? The error is below:

    'snort -c /usr/local/etc/snort/balanced.lua
    --------------------------------------------------
    o")~ Snort++ 3.1.21.0
    --------------------------------------------------
    Loading /usr/local/etc/snort/balanced.lua:
    ERROR: /usr/local/etc/snort/balanced.lua: can't init /usr/local/etc/snort/balanced.lua: /usr/local/etc/snort/balanced.lua:10: attempt to index global 'http_inspect' (a nil value)
    --------------------------------------------------
    pcap DAQ configured to passive.
    FATAL: see prior 1 errors (0 warnings)
    Fatal Error, Quitting..'

Thank you in advance for repairing the file,

Regards.

Dorian ROSSE.
________________________________
From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Tuesday, 5 April 2022 13:01
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Dorian,

You should include only one policy at a time (balanced.lua, max-detect.lua, etc.). Do not include multiple policies in one file, it doesn’t make sense.

Thanks,
Oleksandr Serhiienko <oserhiie () cisco com>

From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Monday, 4 April 2022, 10:41
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9

Dear Oleksandr,

Now I fall on the following error:

    'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k all -l /var/log/snort -i enp0s25 -m 0x1b
    --------------------------------------------------
    o")~ Snort++ 3.1.21.0
    --------------------------------------------------
    Loading /usr/local/etc/snort/snort.lua:
    Loading snort_defaults.lua:
    Finished snort_defaults.lua:
    Loading file_magic.lua:
    Finished file_magic.lua:
    Loading balanced.lua:
    ERROR: balanced.lua:1 can't init /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/balanced.lua:10: attempt to index global 'http_inspect' (a nil value)
    --------------------------------------------------
    pcap DAQ configured to passive.
    FATAL: see prior 1 errors (0 warnings)
    Fatal Error, Quitting..'

I have attached the file in attachment. I have read the error without understanding why this error. Thank you in advance for your time, have a nice week,

Regards.

Dorian ROSSE.
________________________________
From: Dorian ROSSE <dorianbrice () hotmail fr>
Sent: Monday, 4 April 2022 08:27
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Dear Oleksandr,

This should be a command line like this:

    'include snort_defaults.lua'

I don't understand why I have this line more than once, but I will check this.

Thank you in advance for your time,

Have a nice week,

Regards.

Dorian Rosse.

________________________________
From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Monday, April 4, 2022 7:46:25 AM
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Hello Dorian,

You probably have multiple inclusions of 'snort_defaults.lua' in your snort.lua, which is causing the loop. It’s enough to include it, as any other file you need to include, only once. Please, avoid multiple inclusions of the same files in your 'snort.lua'.

Thanks,
Oleksandr Serhiienko <oserhiie () cisco com>

From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Sunday, 3 April 2022, 18:51
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Dear Oleksandr,

I launch the following command line:

    'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k all -l /var/log/snort -i enp0s25 -m 0x1b'

I can't open alert_json.txt, I haven't the rights, and the command line shown above makes those loops happen in the window before crashing on an unknown error:

    'Finished snort_defaults.lua:
    Loading snort.lua:
    Loading snort_defaults.lua:
    ERROR: snort_defaults.lua:1 can't init /usr/local/etc/snort/snort.lua: stack overflow
    --------------------------------------------------
    pcap DAQ configured to passive.
    FATAL: see prior 1 errors (0 warnings)
    Fatal Error, Quitting..'

Thank you in advance for answering what to do to secure my setup, because I don't understand why the command-line window crashed, nor why I don't have access to alert_json.txt,

Regards.

Dorian Rosse.
________________________________
From: Dorian ROSSE <dorianbrice () hotmail fr>
Sent: Saturday, April 2, 2022 4:23:55 PM
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9

Dear Oleksandr,

I launch the following command line:

    'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k all -l /var/log/snort -i enp0s25 -m 0x1b'

I can't open alert_json.txt, I haven't the rights, and the command line makes the loops shown below happen in the window:

    'Finished snort_defaults.lua:
    Loading snort.lua:
    Loading snort_defaults.lua:'

Thank you in advance for answering what to do to secure my setup, because I don't understand why the command-line window is mad, nor why I don't have access to alert_json.txt,

Regards.

Dorian ROSSE.

________________________________
From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Monday, 28 March 2022 11:15
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Dorian,

Issue #1 (line 196): Unexpected closure of the ips table. All the config parameters below this line (enable_builtin_rules, variables) must be a part of the ips table (ips configuration). Also, "include RULE_PATH" is Snort2 config. For Snort3, you should use the ips.variables.paths configuration. Please, refer to the "default_variables" table in snort_defaults.lua as an example of syntax. You basically don’t need to configure variables manually since you’re using default_variables from snort_defaults.lua.

Issue #2 (line 431): Missed equality sign for variables (should be variables = default_variables).

Issue #3 (line 493): Redundant equality sign before alert_json.

Attached configuration file with correct syntax.
Please, check your config for Lua syntax correctness next time you’re using a custom configuration.

Thanks,
Oleksandr Serhiienko <oserhiie () cisco com>

From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Friday, 25 March 2022, 17:36
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,

The file asked for is in attachment, thank you in advance for your time,

Regards.

Dorian ROSSE.

________________________________
From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Friday, 25 March 2022 16:17
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Dorian,

The syntax looks correct… Could you attach your "snort.lua" file and send it here?

Thanks,
Oleksandr Serhiienko <oserhiie () cisco com>

From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Friday, 25 March 2022, 16:09
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,

Your code doesn't work, like what happens when I check the snort.lua:

    '''snort -c /usr/local/etc/snort/snort.lua
    --------------------------------------------------
    o")~ Snort++ 3.1.21.0
    --------------------------------------------------
    Loading /usr/local/etc/snort/snort.lua:
    ERROR: /usr/local/etc/snort/snort.lua: can't load /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/snort.lua:493: '=' expected near 'alert_json'
    --------------------------------------------------
    pcap DAQ configured to passive.
    FATAL: see prior 1 errors (0 warnings)
    Fatal Error, Quitting..'''

the command lines of the snort.lua:

    '''-- 7. configure outputs
    ---------------------------------------------------------------------------

    -- event logging
    -- you can enable with defaults from the command line with -A <alert_type>
    -- uncomment below to set non-default configs
    --alert_csv = { }
    --alert_fast = { }
    --alert_full = { }
    --alert_sfsocket = { }
    --alert_syslog = { }
    --unified2 = { }
    alert_json = { fields = [[ timestamp pkt_num proto pkt_len src_ap dst_ap rule action ]] }

    -- packet logging
    -- you can enable with defaults from the command line with -L <log_type>
    --log_codecs = { }
    --log_hext = { }
    --log_pcap = { }

    -- additional logs
    --packet_capture = { }
    --file_log = { }'''

Thank you in advance for helping me use alert json,

Regards.

Dorian ROSSE.

________________________________
From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Friday, 25 March 2022 14:24
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Dorian,

You still can use alert_json, but you should follow the correct syntax for it. Example to follow:

“
    alert_json = { fields = [[ timestamp pkt_num proto pkt_len src_ap dst_ap rule action ]] }
“

Thanks,
Oleksandr Serhiienko <oserhiie () cisco com>

From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Friday, 25 March 2022, 14:50
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,

If I don't use alert JSON, how do I use alert syslog?

Thank you in advance for your answer,

Regards.

Dorian Rosse.
________________________________
From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Friday, March 25, 2022 1:17:39 PM
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Dorian,

These lines are incorrect:

“
    {} alert_json = file true limit 100 fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \
    eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls \
    pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port \
    target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',
“

You should delete them or comment them out. It should help.

Thanks,
Oleksandr Serhiienko <oserhiie () cisco com>

From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Friday, 25 March 2022, 11:41
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,

I am lucky my weekend is now. I have copy-pasted the chapter where the error is:

    '''---------------------------------------------------------------------------
    -- 7. configure outputs
    ---------------------------------------------------------------------------

    -- event logging
    -- you can enable with defaults from the command line with -A <alert_type>
    -- uncomment below to set non-default configs
    --alert_csv = { }
    --alert_fast = { }
    --alert_full = { }
    --alert_sfsocket = { }
    --alert_syslog = { }
    --unified2 = { }
    {} alert_json = file true limit 100 fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \
    eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls \
    pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port \
    target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',

    -- packet logging
    -- you can enable with defaults from the command line with -L <log_type>
    --log_codecs = { }
    --log_hext = { }
    --log_pcap = { }

    -- additional logs
    --packet_capture = { }
    --file_log = { }
    ---------------------------------------------------------------------------'''

Thank you in advance for helping me get past this error,

Regards.

Dorian ROSSE.

________________________________
From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Wednesday, 23 March 2022 20:36
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Dorian,

Effectively, the Snort3 configuration is Lua code.

The Lua scripting language: https://www.lua.org/
LuaJIT is a Just-in-Time compiler for the Lua language: https://luajit.org/

Snort3 uses it (as a library) to parse the configuration file. When I’m saying "error comes from LuaJIT" I mean something is wrong with your configuration in terms of Lua language syntax. Please, check your configuration for the presence of Lua parsing errors.

You could share the line from snort.lua where the issue happens and some lines before and after that place (in the same file).

Thanks,
Oleksandr Serhiienko <oserhiie () cisco com>

From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Wednesday, 23 March 2022, 21:13
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,

I set up snort.lua; what is the meaning of the LuaJIT error with snort.lua? This error appears on snort.lua; where do you see LuaJIT here?

Thank you in advance for your lightening,

Regards.

Dorian Rosse.

________________________________
From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Wednesday, March 23, 2022 8:02:31 PM
To: dorianbrice () hotmail fr <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Hello, Dorian

I guess you’re experiencing an issue with Lua syntax correctness because such error messages come from LuaJIT. Please, verify that the config file you’re trying to load has the correct Lua syntax.

Did you write/edit this config or is it the default one? Could you share the line where it says the issue is and some lines before and after?

Thanks,
Oleksandr Serhiienko <oserhiie () cisco com>

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of snort-devel-request () lists snort org <snort-devel-request () lists snort org>
Date: Tuesday, 22 March 2022, 14:06
To: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Snort-devel Digest, Vol 57, Issue 9

Send Snort-devel mailing list submissions to
    snort-devel () lists snort org

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.snort.org/mailman/listinfo/snort-devel
or, via email, send a message with subject or body 'help' to
    snort-devel-request () lists snort org

You can reach the person managing the list at
    snort-devel-owner () lists snort org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-devel digest..."

Today's Topics:

1. unexpected symbol near 'true' (Dorian ROSSE)

----------------------------------------------------------------------

Message: 1
Date: Sat, 19 Mar 2022 19:37:01 +0000
From: Dorian ROSSE <dorianbrice () hotmail fr>
To: "Snort-users () lists snort org" <snort-users () lists snort org>, "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] unexpected symbol near 'true'
Message-ID: <DB7P193MB0346E9AF755C86CD49CC28FADA149 () DB7P193MB0346 EURP193 PROD OUTLOOK COM>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

I have error following :

    '''snort -c /usr/local/etc/snort/snort.lua
    --------------------------------------------------
    o")~ Snort++ 3.1.21.0
    --------------------------------------------------
    Loading /usr/local/etc/snort/snort.lua:
    ERROR: /usr/local/etc/snort/snort.lua: can't load /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/snort.lua:494: unexpected symbol near 'true'
    --------------------------------------------------
    pcap DAQ configured to passive.
    FATAL: see prior 1 errors (0 warnings)
    Fatal Error, Quitting..'''

to the line where the error appears :

    '''= file true limit 100 fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \'''

thank you in advance to help myself pass this error for run fully snort3,

Regards.

Dorian ROSSE.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20220319/bc5daa88/attachment-0001.htm>

------------------------------

Subject: Digest Footer

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

------------------------------

End of Snort-devel Digest, Vol 57, Issue 9
******************************************
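
The load-order problems diagnosed in this thread (a file pulled in again until "stack overflow", a policy file indexing `http_inspect` or `ftp_server` before the base configuration defined them, more than one policy) can be checked before Snort is started. The following is an added example, not code from the thread or from the Snort project: a line-based Python check in which `lint`, the finding names, and the sample file contents are all constructed for illustration.

```python
import re

# The four policy files named in the thread; a configuration should load at most one.
POLICIES = {"connectivity.lua", "balanced.lua", "security.lua", "max_detect.lua"}
INCLUDE_RE = re.compile(r"""^\s*include\s*\(?\s*['"]([^'"]+)['"]""")
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=(?!=)")         # name = ...
INDEX_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*\.\s*[A-Za-z_]")  # name.field ...


def lint(files, top):
    """Follow include lines from `top` in load order; return (kind, detail) findings.

    `files` maps a file name to its Lua text. This is a line-based heuristic,
    not a Lua parser: it complements a real syntax check, it does not replace one.
    """
    findings, included, defined, policies = [], set(), set(), []

    def load(name, stack):
        if name in POLICIES:
            policies.append(name)
        chain = stack + [name]
        for raw in files.get(name, "").splitlines():
            code = raw.split("--", 1)[0]  # ignore Lua line comments
            m = INCLUDE_RE.match(code)
            if m:
                child = m.group(1).rsplit("/", 1)[-1]
                if child in chain:        # file pulls itself back in: endless reload
                    findings.append(("include-loop", " -> ".join(chain + [child])))
                elif child in included:
                    findings.append(("duplicate-include", f"{child} in {name}"))
                else:
                    included.add(child)
                    load(child, chain)
                continue
            m = INDEX_RE.match(code)
            if m:                         # e.g. http_inspect.x = ... needs http_inspect
                if m.group(1) not in defined:
                    hit = ("nil-index", f"{name} uses {m.group(1)} before it is defined")
                    if hit not in findings:
                        findings.append(hit)
                continue
            m = ASSIGN_RE.match(code)
            if m:
                defined.add(m.group(1))

    load(top, [])
    if len(policies) > 1:
        findings.append(("multiple-policies", ", ".join(policies)))
    return findings


# Constructed stand-ins for the real files: only the kinds of lines the checks read.
DEFAULTS = "default_variables = { }\n"
BASE = "include 'snort_defaults.lua'\nhttp_inspect = { }\nftp_server = { }\n"
POLICY = "http_inspect.request_depth = 300\nftp_server.check_encrypted = true\n"
STOCK = {"snort.lua": BASE, "snort_defaults.lua": DEFAULTS,
         "balanced.lua": POLICY, "security.lua": POLICY}

CASES = {
    "base then one policy": (
        {**STOCK, "custom.lua": "include 'snort.lua'\ninclude 'balanced.lua'\n"}, "custom.lua"),
    "snort.lua includes itself": (
        {**STOCK, "snort.lua": BASE + "include 'snort.lua'\n"}, "snort.lua"),
    "policy as the only config": (STOCK, "balanced.lua"),
    "two policies": (
        {**STOCK, "custom.lua": "include 'snort.lua'\ninclude 'balanced.lua'\n"
                                "include 'security.lua'\n"}, "custom.lua"),
}

if __name__ == "__main__":
    for label, (files, top) in CASES.items():
        print(label, "->", lint(files, top) or "clean")
```

The check only reasons about include order and table names; Lua syntax errors such as the `alert_json` ones earlier in the thread still have to be caught by loading the file.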