Snort mailing list archives

Re: Snort-devel Digest, Vol 57, Issue 9


From: Dorian ROSSE via Snort-devel <snort-devel () lists snort org>
Date: Fri, 8 Apr 2022 19:45:32 +0000

Dear Oleksandr,


You are right about snort_defaults.lua: if I run it with the tweaks and balanced options it runs, but I don't understand from the shell how many rules I run:

'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort_defaults.lua --tweaks balanced -s 65535 -k all -l /var/log/snort -i enp0s25 -m 0x1b
--------------------------------------------------
o")~   Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort_defaults.lua:
active
alerts
daq
decode
host_cache
host_tracker
hosts
network
packets
process
search_engine
so_proxy
trace
output
Finished /usr/local/etc/snort/snort_defaults.lua:
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] enp0s25
'

But the tweaks and balanced options don't succeed in running with the snort.lua file:

'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua --tweaks balanced

--------------------------------------------------
o")~   Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
Loading inline.lua:
Finished inline.lua:
Loading talos.lua:
Finished talos.lua:
Loading balanced.lua:
Finished balanced.lua:
snort
dnp3
dce_smb
dce_tcp
dce_udp
dce_http_proxy
dce_http_server
ftp_server
http_inspect
output
alert_json
ips
classifications
references
binder
wizard
detection
reputation
    Processing blocklist file /usr/local/etc/snort/../lists/default.blocklist
    Reputation entries loaded: 1216, invalid: 0, re-defined: 0 (from file /usr/local/etc/snort/../lists/default.blocklist)
appid
file_policy
file_id
http2_inspect
ftp_data
ftp_client
smtp
gtp_inspect
telnet
ssl
ssh
sip
rpc_decode
pop
normalizer
netflow
modbus
iec104
imap
dns
back_orifice
stream_file
stream_udp
stream_icmp
stream_ip
stream
profiler
alert_talos
so_proxy
search_engine
process
packets
network
trace
active
alerts
daq
decode
host_cache
host_tracker
hosts
stream_tcp
stream_user
Finished /usr/local/etc/snort/snort.lua:
--------------------------------------------------
rule counts
       total rules loaded: 600
            builtin rules: 600
            option chains: 600
            chain headers: 1
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     600       0       0       0
   total     600       0       0       0
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0     600       0     600    /usr/local/etc/snort/snort.lua
--------------------------------------------------
dump:pcap DAQ configured to inline.
Commencing packet processing
Couldn't construct a DAQ instance: pcap_daq_instantiate: Couldn't open file '' for reading: No such file or directory (-2)
--------------------------------------------------
Packet Statistics
--------------------------------------------------
Module Statistics
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.000235
o")~   Snort exiting'

And that fails too on snort.lua with tweaks and connectivity, thus snort_defaults with tweaks and connectivity runs well:

'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua --tweaks connectivity
--------------------------------------------------
o")~   Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading max_detect.lua:
ERROR: max_detect.lua:1 can't init /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/max_detect.lua:9: attempt to index global 'ftp_server' (a nil value)

--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..'

with max_detect :

'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua --tweaks max_detect
--------------------------------------------------
o")~   Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading max_detect.lua:
ERROR: max_detect.lua:1 can't init /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/max_detect.lua:9: attempt to index global 'ftp_server' (a nil value)

--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..'

with security :

'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua --tweaks security
--------------------------------------------------
o")~   Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading security.lua:
ERROR: security.lua:1 can't init /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/security.lua:8: attempt to index global 'ftp_server' (a nil value)

--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..'

I have sent a new e-mail to three Snort lists because I haven't understood some of the design for running snort.lua without max-detect, security, balanced and connectivity,

Finally I have understood how to run snort_default with options (thank you), but I haven't understood why I have only 600 rules with your snort.lua when I had succeeded in launching all rules, thus I hope to have a smart answer from another Cisco worker,

Have a nice weekend from France; the sun has set and it is a quarter to twenty-two,

Regards.


Dorian ROSSE.


________________________________
From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Friday, 8 April 2022 20:59
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9


Dorian,



There are four policy configuration files provided in Snort3 GitHub repo (under "lua" directory). Each of them provides 
a specific level of how deeply inspection will be performed. However, the cost to pay is Snort3 performance which 
reflects on network throughput when traffic goes through Snort3.



The list of policies (from "faster" to "slower"):

  1.  connectivity.lua
  2.  balanced.lua
  3.  security.lua
  4.  max_detect.lua



However, those files are not designed to be included as a standalone file. First, your custom configuration file should contain an inclusion of "snort.lua" (the one from the Snort3 repo), and then – the inclusion of the policy config file.

Another way to proceed is tweaking the configuration from the CLI as follows:



                snort -c snort.lua --tweaks balanced



If you don’t need any policy just load "snort.lua" file only.

To build your custom configuration, creating a configuration file from scratch is a good idea, but don’t forget to include "snort_defaults.lua" in this case. It contains a lot of common useful things for any meaningful configuration.



To summarize:

  1.  You need basic configuration – use provided "snort.lua" configuration file
  2.  You need to adjust the basic configuration with some policy to tweak the performance hit – use provided 
"snort.lua" with one of the provided policies
  3.  You need some specific configuration – craft your own configuration file. Optionally, include provided 
"snort_defaults.lua" to get some standard things on board



Addressing your questions about config loading errors, the fix should be to follow my recommendations above on how to 
go with configuring Snort3.



I suspect your config file contains multiple inclusions of policies, misses provided "snort.lua" and maybe some other 
inconsistencies in inclusion ordering or wrong inclusions/loaded files.



You can use provided "snort.lua" file as a template to craft custom config. Just edit it by uncommenting/commenting 
modules there or making additions. Do not include policies if you don’t need them. Otherwise, use CLI command above to 
get policy tweaks in use.



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>
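
As an added example (not part of the thread and not Snort project code), a small pre-flight lint for the failure modes discussed in this thread: an include loop, a policy file loaded before the module tables it indexes exist, and more than one policy in one configuration. It assumes configs pull in other files with `include 'file.lua'`; the file contents and module field names are constructed, and the parsing is a line-based approximation of Lua.

```python
import re

# Policy files named in the reply above; only one may be used at a time.
POLICIES = ("connectivity.lua", "balanced.lua", "security.lua", "max_detect.lua")

# Line-based approximations of top-level Lua statements (not a Lua parser).
INCLUDE_RE = re.compile(r"""^\s*include\s*\(?\s*['"]([^'"]+)['"]""")
ASSIGN_RE = re.compile(r"^([A-Za-z_]\w*)\s*=(?!=)")   # name = ...
INDEX_RE = re.compile(r"^([A-Za-z_]\w*)\s*[.\[]")     # name.field or name[...]


def lint(root, files):
    """Follow includes from `root` in load order and return a list of findings."""
    findings, defined, loaded, stack = [], set(), [], []

    def load(name):
        if name in stack:  # file includes itself, directly or indirectly
            findings.append("include loop: " + " -> ".join(stack + [name]))
            return
        if name not in files:
            findings.append(f"missing file: {name}")
            return
        if name in loaded:
            findings.append(f"{name} included more than once")
        loaded.append(name)
        stack.append(name)
        for lineno, raw in enumerate(files[name].splitlines(), 1):
            line = raw.split("--", 1)[0]  # drop Lua line comments
            inc, asg, idx = (r.match(line) for r in (INCLUDE_RE, ASSIGN_RE, INDEX_RE))
            if inc:
                load(inc.group(1))
            elif asg:
                defined.add(asg.group(1))  # global now exists for later files
            elif idx and idx.group(1) not in defined:
                findings.append(f"{name}:{lineno}: indexes global "
                                f"'{idx.group(1)}' before it is defined")
        stack.pop()

    load(root)
    used = [p for p in dict.fromkeys(loaded) if p in POLICIES]
    if len(used) > 1:
        findings.append("more than one policy included: " + ", ".join(used))
    return findings


# Constructed file contents; module field names are hypothetical.
MODULES = "http_inspect = { }\nftp_server = { }\n"
SAMPLE = {
    "snort_defaults.lua": "HOME_NET = 'any'\n",
    "balanced.lua": "http_inspect.example_depth = 300  -- hypothetical field\n",
    "max_detect.lua": "ftp_server.example_flag = true  -- hypothetical field\n",
    "good.lua": "include 'snort_defaults.lua'\n" + MODULES + "include 'balanced.lua'\n",
    "early_policy.lua": "include 'max_detect.lua'\n" + MODULES,
    "two_policies.lua": MODULES + "include 'balanced.lua'\ninclude 'max_detect.lua'\n",
    "loop_main.lua": "include 'loop_defaults.lua'\n",
    "loop_defaults.lua": "include 'loop_main.lua'\n",
}

if __name__ == "__main__":
    for root in ("good.lua", "balanced.lua", "early_policy.lua",
                 "two_policies.lua", "loop_main.lua"):
        print(root, "->", lint(root, SAMPLE) or "ok")
```
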



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Friday, 8 April 2022, 19:28
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,





It must be a good thing to seek what is bad in balanced.lua,

If I run 'snort -c the_snort_balanced_lua' I fall on the same error, but I have run only balanced.lua,

Can you repair the files or may I ask another Cisco worker?

The error is below:

'snort -c /usr/local/etc/snort/balanced.lua
--------------------------------------------------
o")~   Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/balanced.lua:
ERROR: /usr/local/etc/snort/balanced.lua: can't init /usr/local/etc/snort/balanced.lua: /usr/local/etc/snort/balanced.lua:10: attempt to index global 'http_inspect' (a nil value)

--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..'

Thank you in advance for repairing the file,



Regards.





Dorian ROSSE.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Tuesday, 5 April 2022 13:01
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Dorian,



You should include only one policy at a time (balanced.lua, max-detect.lua, etc.).

Do not include multiple policies in one file, it doesn’t make sense.



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Monday, 4 April 2022, 10:41
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9

Dear Oleksandr,





Now I fall on the following error:

'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k all -l /var/log/snort -i enp0s25 -m 0x1b
--------------------------------------------------
o")~   Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
Loading balanced.lua:
ERROR: balanced.lua:1 can't init /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/balanced.lua:10: attempt to index global 'http_inspect' (a nil value)

--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..'

I have attached the file,

I have read the error without understanding why this error occurs,



thank you in advance for your time,



have a nice week,



Regards.





Dorian ROSSE.

________________________________

From: Dorian ROSSE <dorianbrice () hotmail fr>
Sent: Monday, 4 April 2022 08:27
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Dear oleksandr,





This should be a line of command like these :



'include snort_defaults.lua'



I do not understand why I have this line more than once, but I will check this,

Thank you in advance for your time,



Have a nice week,



Regards.





Dorian Rosse.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Monday, April 4, 2022 7:46:25 AM
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Hello Dorian,



You probably have multiple inclusions of 'snort_defaults.lua' in your snort.lua, which is causing the loop.

It’s enough to include it, as any other file you need to include, only once.

Please, avoid multiple inclusions of the same files in your 'snort.lua'.



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Sunday, 3 April 2022, 18:51
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Dear Oleksandr,





I launch the line of command following :



'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k all -l /var/log/snort -i enp0s25 -m 0x1b'



I can't open alert_json.txt, I haven't the rights, and the command line shown above produces these loops in the window, then crashes on an unknown error:

'Finished snort_defaults.lua:
Loading snort.lua:
Loading snort_defaults.lua:
ERROR: snort_defaults.lua:1 can't init /usr/local/etc/snort/snort.lua: stack overflow

--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..'

Thank you in advance for answering what to do to secure my setup, because I do not understand why the command-line window crashed, and also why I don't have access to alert_json.txt,



Regards.







Dorian Rosse.

________________________________

From: Dorian ROSSE <dorianbrice () hotmail fr>
Sent: Saturday, April 2, 2022 4:23:55 PM
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9



Dear Oleksandr,





I launch the line of command following :



'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k all -l /var/log/snort -i enp0s25 -m 0x1b'



I can't open alert_json.txt, I haven't the rights, and the command line shows the loops below happening in the window:

'Finished snort_defaults.lua:
Loading snort.lua:
Loading snort_defaults.lua:'

Thank you in advance for answering what to do to secure my setup, because I do not understand why the command-line window has gone mad, and also why I don't have access to alert_json.txt,



Regards.





Dorian ROSSE.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Monday, 28 March 2022 11:15
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Dorian,



Issue #1 (line 196):

Unexpected closure of ips table.

All the config parameters below this line (enable_builtin_rules, variables) must be a part of ips table (ips 
configuration). Also, "include RULE_PATH" is Snort2 config. For Snort3, you should use ips.variables.paths 
configuration.

Please, refer to "default_variables" table in snort_defaults.lua as an example of syntax.

You basically don’t need to configure variables manually since you’re using default_variables from snort_defaults.lua.



Issue #2 (line 431):

Missing equality sign for variables (should be variables = default_variables).



Issue #3 (line 493):

Redundant equality sign before alert_json.



Attached configuration file with correct syntax.

Please, check your config for Lua syntax correctness next time you’re using custom configuration.



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Friday, 25 March 2022, 17:36
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,





The file asked in attachment,



thank you in advance for your time,



Regards.





Dorian ROSSE.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Friday, 25 March 2022 16:17
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Dorian,



The syntax looks correct…

Could you attach your "snort.lua" file and send it here?



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Friday, 25 March 2022, 16:09
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,





Your code doesn't work, as seen in what happens when I check the snort.lua:

'''snort -c /usr/local/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
ERROR: /usr/local/etc/snort/snort.lua: can't load /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/snort.lua:493: '=' expected near 'alert_json'

--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..'''



the line of command of the snort.lua :



'''-- 7. configure outputs
---------------------------------------------------------------------------

-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
--alert_fast = { }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }
alert_json =
{
   fields =
    [[
        timestamp pkt_num proto pkt_len src_ap dst_ap rule action
    ]]
}

-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }

-- additional logs
--packet_capture = { }
--file_log = { }'''



Thank you in advance for helping me use alert json,



Regards.





Dorian ROSSE.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Friday, 25 March 2022 14:24
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Dorian,



You still can use alert_json, but you should follow the correct syntax for it.

Example to follow:

“
alert_json =
{
   fields =
    [[
        timestamp pkt_num proto pkt_len src_ap dst_ap rule action
    ]]
}
“



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Friday, 25 March 2022, 14:50
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,





If I don't use alert JSON, how do I use alert syslog?

Thank you in advance for your answer,



Regards.





Dorian Rosse.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Friday, March 25, 2022 1:17:39 PM
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Dorian,



These lines are incorrect:

“
{} alert_json
= file true limit 100 fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \
 eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls \
 pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port \
 target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',
“

You should delete them or comment them out. It should help.



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Friday, 25 March 2022, 11:41
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,





I am lucky my weekend is now,



I have copy-pasted the chapter where the error is:

'''---------------------------------------------------------------------------
-- 7. configure outputs
---------------------------------------------------------------------------

-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
--alert_fast = { }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }
{} alert_json
= file true limit 100 fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \
 eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls \
 pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port \
 target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',

-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }

-- additional logs
--packet_capture = { }
--file_log = { }

---------------------------------------------------------------------------'''

Thank you in advance for helping me get past this error,



Regards.





Dorian ROSSE.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Wednesday, 23 March 2022 20:36
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Dorian,



Effectively, the Snort3 configuration is Lua code.

Lua scripting language: https://www.lua.org/



LuaJIT is a Just-in-Time compiler for Lua language: https://luajit.org/

Snort3 uses it (as a library) to parse the configuration file.



When I’m saying "error comes from LuaJIT" I mean something is wrong with your configuration in terms of Lua language 
syntax.

Please, check your configuration for the presence of Lua parsing errors.



You could share the line from snort.lua where the issue happens and some lines before and after that place (in the same 
file).



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Wednesday, 23 March 2022, 21:13
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Oleksandre,





I set up snort.lua; what is the meaning of the LuaJIT error with snort.lua?

This error appears on snort.lua; where do you see LuaJIT here?

Thank you in advance for your enlightenment,



Regards.





Dorian Rosse.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Wednesday, March 23, 2022 8:02:31 PM
To: dorianbrice () hotmail fr <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Hello, Dorian



I guess you’re experiencing an issue with Lua syntax correctness because such error messages come from LuaJIT.

Please, verify that the config file you’re trying to load has the correct Lua syntax.



Did you write/edit this config or is it the default one?

Could you share the line where it says the issue and some lines before and after?



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of snort-devel-request () lists snort org 
<snort-devel-request () lists snort org>
Date: Tuesday, 22 March 2022, 14:06
To: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Snort-devel Digest, Vol 57, Issue 9


Today's Topics:

   1. unexpected symbol near 'true' (Dorian ROSSE)


----------------------------------------------------------------------

Message: 1
Date: Sat, 19 Mar 2022 19:37:01 +0000
From: Dorian ROSSE <dorianbrice () hotmail fr>
To: "Snort-users () lists snort org" <snort-users () lists snort org>,
        "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] unexpected symbol near 'true'
Message-ID:
        <DB7P193MB0346E9AF755C86CD49CC28FADA149 () DB7P193MB0346 EURP193 PROD OUTLOOK COM>

Content-Type: text/plain; charset="iso-8859-1"

Hello,


I have the following error: '''snort -c /usr/local/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
ERROR: /usr/local/etc/snort/snort.lua: can't load /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/snort.lua:494: unexpected symbol near 'true'

--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..'''
at the line where the error appears:

'''= file true limit 100 fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \'''

Thank you in advance for helping me get past this error so I can fully run Snort3,

Regards.


Dorian ROSSE.