Snort mailing list archives

Re: Snort-devel Digest, Vol 57, Issue 9


From: "Oleksandr Serhiienko -X \(oserhiie - SOFTSERVE INC at Cisco\) via Snort-devel" <snort-devel () lists snort org>
Date: Tue, 5 Apr 2022 11:01:04 +0000

Dorian,

You should include only one policy at a time (balanced.lua, max-detect.lua, etc.).
Do not include multiple policies in one file, it doesn’t make sense.

Thanks,
Oleksandr Serhiienko <oserhiie () cisco com>

From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Monday, 4 April 2022, 10:41
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9
Dear Oleksandr,


Now I get the following error:

'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k all -l /var/log/snort -i enp0s25 -m 0x1b
--------------------------------------------------
o")~   Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
Loading balanced.lua:
ERROR: balanced.lua:1 can't init /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/balanced.lua:10: attempt to index global 'http_inspect' (a nil value)

--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..'

I have attached the file,

I have read the error without understanding why this error occurs,

thank you in advance for your time,

have a nice week,

Regards.


Dorian ROSSE.
________________________________
From: Dorian ROSSE <dorianbrice () hotmail fr>
Sent: Monday, 4 April 2022 08:27
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Dear Oleksandr,


This should be a command line like this:

'include snort_defaults.lua'

I do not understand why I have this line more than once, but I will check this,

Thank you in advance for your time,

Have a nice week,

Regards.


Dorian Rosse.
________________________________
From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Monday, April 4, 2022 7:46:25 AM
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9


Hello Dorian,



You probably have multiple inclusions of 'snort_defaults.lua' in your snort.lua, which is causing the loop.

It’s enough to include it, as any other file you need to include, only once.

Please, avoid multiple inclusions of the same files in your 'snort.lua'.



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Sunday, 3 April 2022, 18:51
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Dear Oleksandr,





I launch the following command line:



'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k all -l /var/log/snort -i enp0s25 -m 0x1b'



I can't open alert_json.txt, I haven't the rights, and the command line shows these loops further up in the window before crashing on an unknown error:



'Finished snort_defaults.lua:
Loading snort.lua:
Loading snort_defaults.lua:
ERROR: snort_defaults.lua:1 can't init /usr/local/etc/snort/snort.lua: stack overflow

--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..'



thank you in advance for answering what to do to secure my setup, because I do not understand why the command-line window crashes, nor why I don't have access to alert_json.txt,



Regards.







Dorian Rosse.

________________________________

From: Dorian ROSSE <dorianbrice () hotmail fr>
Sent: Saturday, April 2, 2022 4:23:55 PM
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9



Dear Oleksandr,





I launch the following command line:



'sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k all -l /var/log/snort -i enp0s25 -m 0x1b'



I can't open alert_json.txt, I haven't the rights, and the command line shows these loops further down in the window:



'Finished snort_defaults.lua:
Loading snort.lua:
Loading snort_defaults.lua:'



thank you in advance for answering what to do to secure my setup, because I do not understand why the command-line window goes mad, nor why I don't have access to alert_json.txt,



Regards.





Dorian ROSSE.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Monday, 28 March 2022 11:15
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Dorian,



Issue #1 (line 196):

Unexpected closure of ips table.

All the config parameters below this line (enable_builtin_rules, variables) must be a part of ips table (ips 
configuration). Also, "include RULE_PATH" is Snort2 config. For Snort3, you should use ips.variables.paths 
configuration.

Please, refer to "default_variables" table in snort_defaults.lua as an example of syntax.

You basically don’t need to configure variables manually since you’re using default_variables from snort_defaults.lua.



Issue #2 (line 431):

Missing equality sign for variables (should be variables = default_variables).



Issue #3 (line 493):

Redundant equality sign before alert_json.



I have attached a configuration file with the correct syntax.

Please, check your config for Lua syntax correctness next time you’re using custom configuration.



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Friday, 25 March 2022, 17:36
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,





The file asked in attachment,



thank you in advance for your time,



Regards.





Dorian ROSSE.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Friday, 25 March 2022 16:17
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Dorian,



The syntax looks correct…

Could you attach your "snort.lua" file and send it here?



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Friday, 25 March 2022, 16:09
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,





your code doesn't work, as happens when I check the snort.lua:



'''snort -c /usr/local/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
ERROR: /usr/local/etc/snort/snort.lua: can't load /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/snort.lua:493: '=' expected near 'alert_json'

--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..'''



the command lines of the snort.lua:



'''-- 7. configure outputs
---------------------------------------------------------------------------

-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
--alert_fast = { }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }
alert_json =
{
   fields =
    [[
        timestamp pkt_num proto pkt_len src_ap dst_ap rule action
    ]]
}

-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }

-- additional logs
--packet_capture = { }
--file_log = { }'''



thank you in advance for helping me use alert json,



Regards.





Dorian ROSSE.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Friday, 25 March 2022 14:24
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Dorian,



You still can use alert_json, but you should follow the correct syntax for it.

Example to follow:

“
alert_json =
{
   fields =
    [[
        timestamp pkt_num proto pkt_len src_ap dst_ap rule action
    ]]
}
“



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>
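As an added illustration (not the configuration file attached in this thread), the fragments below put the alert_json example above and the three issues from the 28 March reply (ips table closed too early, missing '=' before variables, stray '=' before alert_json) into one piece of valid Lua. The rules file path is a placeholder; default_variables, enable_builtin_rules, file, limit and fields are the names used in the thread and in the stock snort_defaults.lua.

```lua
-- Added example, not the attachment from this thread: the sections of a Snort3
-- snort.lua that the replies above correct, written as valid Lua.
-- Placeholder: the rules file path below. Everything else is named in the thread.

-- Include each file exactly once; including snort_defaults.lua more than once
-- produced the "stack overflow" seen later in this thread.
include 'snort_defaults.lua'

-- Issue #1 and #2: enable_builtin_rules and variables stay INSIDE the ips table,
-- and variables needs an '=' (variables = default_variables).
-- default_variables comes from snort_defaults.lua and already carries nets,
-- ports and paths; ips.variables.paths is the Snort3 replacement for the
-- Snort2-style "include RULE_PATH" line.
ips =
{
    enable_builtin_rules = true,
    variables = default_variables,
    rules = [[
        include /usr/local/etc/rules/local.rules
    ]],
}

-- Issue #3 and the alert_json syntax: a single table assignment, nothing before
-- the name, every key followed by '=', a comma between keys.
-- file and limit are the settings Dorian's original (broken) line was trying to set.
alert_json =
{
    file = true,    -- write to alert_json.txt under the directory given with -l
    limit = 100,    -- roll the file over at 100 MB
    fields = [[
        timestamp pkt_num proto pkt_len src_ap dst_ap rule action
    ]],
}

-- The syslog output asked about earlier takes the same table form;
-- an empty table keeps the module defaults.
alert_syslog = { }
```

Running `snort -c /usr/local/etc/snort/snort.lua` (the check used in the thread) is the quickest way to confirm the file parses: the first Lua syntax error is reported with its line number, exactly as in the errors quoted above.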



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Friday, 25 March 2022, 14:50
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,





If I don't use alert JSON, how do I use alert syslog?



Thank you in advance for your answer,



Regards.





Dorian Rosse.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Friday, March 25, 2022 1:17:39 PM
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Dorian,



These lines are incorrect:

“
{} alert_json
= file true limit 100 fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \
 eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls \
 pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port \
 target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',
“



You should delete them or comment them out. It should help.



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Friday, 25 March 2022, 11:41
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: RE: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,





I am lucky my weekend is now,



I have copy-pasted the section where the error is:



'''---------------------------------------------------------------------------
-- 7. configure outputs
---------------------------------------------------------------------------

-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
--alert_fast = { }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }
{} alert_json
= file true limit 100 fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \
 eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls \
 pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port \
 target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',

-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }

-- additional logs
--packet_capture = { }
--file_log = { }

---------------------------------------------------------------------------'''



thank you in advance for helping me get past this error,



Regards.





Dorian ROSSE.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Wednesday, 23 March 2022 20:36
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Dorian,



Effectively, the Snort3 configuration is Lua code.

Lua scripting language: https://www.lua.org/



LuaJIT is a Just-in-Time compiler for Lua language: https://luajit.org/

Snort3 uses it (as a library) to parse the configuration file.



When I’m saying "error comes from LuaJIT" I mean something is wrong with your configuration in terms of Lua language 
syntax.

Please, check your configuration for the presence of Lua parsing errors.



You could share the line from snort.lua where the issue happens and some lines before and after that place (in the same 
file).



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Dorian ROSSE <dorianbrice () hotmail fr>
Date: Wednesday, 23 March 2022, 21:13
To: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9

Oleksandr,





I set up snort.lua; what is the meaning of the LuaJIT error with snort.lua?



This error appears on snort.lua; where do you see LuaJIT here?



Thank you in advance for your enlightenment,



Regards.





Dorian Rosse.

________________________________

From: Oleksandr Serhiienko -X (oserhiie - SOFTSERVE INC at Cisco) <oserhiie () cisco com>
Sent: Wednesday, March 23, 2022 8:02:31 PM
To: dorianbrice () hotmail fr <dorianbrice () hotmail fr>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: Snort-devel Digest, Vol 57, Issue 9



Hello, Dorian



I guess you’re experiencing an issue with Lua syntax correctness because such error messages come from LuaJIT.

Please, verify that the config file you’re trying to load has the correct Lua syntax.



Did you write/edit this config or is it the default one?

Could you share the line where it says the issue and some lines before and after?



Thanks,

Oleksandr Serhiienko <oserhiie () cisco com>



From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of snort-devel-request () lists snort org 
<snort-devel-request () lists snort org>
Date: Tuesday, 22 March 2022, 14:06
To: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Snort-devel Digest, Vol 57, Issue 9


Today's Topics:

   1. unexpected symbol near 'true' (Dorian ROSSE)


----------------------------------------------------------------------

Message: 1
Date: Sat, 19 Mar 2022 19:37:01 +0000
From: Dorian ROSSE <dorianbrice () hotmail fr>
To: "Snort-users () lists snort org" <snort-users () lists snort org>,
        "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] unexpected symbol near 'true'
Message-ID:
        <DB7P193MB0346E9AF755C86CD49CC28FADA149 () DB7P193MB0346 EURP193 PROD OUTLOOK COM>

Content-Type: text/plain; charset="iso-8859-1"

Hello,


I have the following error: '''snort -c /usr/local/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
ERROR: /usr/local/etc/snort/snort.lua: can't load /usr/local/etc/snort/snort.lua: /usr/local/etc/snort/snort.lua:494: unexpected symbol near 'true'

--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..'''
at the line where the error appears:

'''= file true limit 100 fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \'''

thank you in advance for helping me get past this error so I can run snort3 fully,

Regards.


Dorian ROSSE.
