snort.lua
[root]# vim /usr/local/snort/etc/snort/snort.lua
Do not forget to add , (comma)
------------------------------------------------------------
-- 1. configure defaults
------------------------------------------------------------
-- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting
-- HOME_NET = "any"
HOME_NET = '[[Global IP/32,Local IP/24]]'
-- set up the external network addresses.
-- (leave as "any" in most situations)
-- EXTERNAL_NET = "any"
EXTERNAL_NET = '[[!$HOME_NET]]'
include 'snort_defaults.lua'
include 'file_magic.lua'
------------------------------------------------------------
-- 2. configure inspection
------------------------------------------------------------
-- Identify files and file types that traverse the network
--[[
file_id =
{
enable_type = true,
enable_signature = true,
file_rules = file_magic,
file_policy =
{
{ use = { verdict = 'log', enable_file_type = true, enable_file_signature = true } }
}
}
--]]
※ Error occurred with the above settings
ERROR: /usr/local/snort/etc/snort/snort.lua: can't find file_id.file_policy
ERROR: /usr/local/snort/etc/snort/snort.lua: can't find file_id.enable_signature
ERROR: /usr/local/snort/etc/snort/snort.lua: can't find file_id.enable_type
output description of given module
[root]# /usr/local/snort/bin/snort --help-module file_id
[root]# /usr/local/snort/bin/snort --help-module file_policy
file_id = { rules_file = 'file_magic.rules' }
file_policy =
{
enable_type = true,
enable_signature = true,
rules = {
use = { verdict = "log" }
},
}
-- Detection of connection source application (comment out when using SnortSnarf)
--[[
appid =
{
-- appid requires this to use appids in rules
app_detector_dir = APPID_PATH,
}
--]]
reputation =
{
-- configure one or both of these, then uncomment reputation
blocklist = BLOCK_LIST_PATH .. '/ip-blocklist',
allowlist = ALLOW_LIST_PATH .. '/ip-allowlist',
}
------------------------------------------------------------
-- 5. configure detection
------------------------------------------------------------
ips =
{
mode = tap,
variables = default_variables,
rules = [[
include ../../rules/snort.rules <-- PulledPork
or
include /usr/local/snort/rules/snort.rules <-- PulledPork
]],
}
------------------------------------------------------------
-- 7. configure outputs
------------------------------------------------------------
-- /var/log/snort/alert_fast.txt
alert_fast =
{
file = true,
}
-- /var/log/snort/file.log
file_log =
{
log_pkt_time = true,
log_sys_time = false,
}