我已经使用来自 snort 网站的以下 URL 在我的 ubuntu 服务器上安装了 snort3:
我已根据说明对其进行了编译,并编辑了 /usr/local/etc/snort/snort.lua 以根据文档添加我的 HOME_NET 和其他变量。
一旦我启用 snort3-community.rules,我就会看到这些错误。
Finished /usr/local/etc/snort/snort.lua:
Loading ips.rules:
Loading /usr/local/etc/rules/local.rules:
Finished /usr/local/etc/rules/local.rules:
Loading /usr/local/etc/rules/snort3-community.rules:
ERROR: /usr/local/etc/rules/snort3-community.rules:1778 Undefined variable in the string: $HOME_NET.
ERROR: /usr/local/etc/rules/snort3-community.rules:1778 undefined variable in the string: $EXTERNAL_NET.
FATAL: /usr/local/etc/rules/snort3-community.rules:1778 ***PortVar Lookup failed on '$HTTP_PORTS'.
这些变量定义在:-
- /usr/local/etc/snort/snort.lua
HOME_NET = [[ 10.0.0.0/24 192.168.0.0/24 ]]
EXTERNAL_NET = 'any'
- /usr/local/etc/snort/snort_defaults.lua
HTTP_PORTS =
[[
80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128
3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008
8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800
8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080
50002 55555
]]
但在规则中却看不到?谁能告诉我为什么。
答案1
我终于解决了这个问题,snort.lua 的 ids 部分的语法发生了一些变化。要访问规则中的变量,需要像这样对其进行范围限定。
ips =
{
rules = <your rule path here>,
variables =
{
nets =
{
EXTERNAL_NET = EXTERNAL_NET,
HOME_NET = HOME_NET
},
ports =
{
HTTP_PORTS = HTTP_PORTS
}
}
}