First set up the environment:
```shell
-export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=$my_path/etc/snort
```
Below is a minimal Snort configuration that is sufficient to block flows
based on a specific HTTP header:
- require("snort_config")
-
dir = os.getenv('SNORT_LUA_PATH')
if ( not dir ) then
* *HOSTTYPE*: optional string that is output with the version at end of
line.
-* *LUA_PATH*: you must export as follows so LuaJIT can find required
- files.
-
- LUA_PATH=$install_dir/include/snort/lua/\?.lua\;\;
-
* *SNORT_IGNORE*: the list of symbols Snort should ignore when parsing the
Lua conf. Unknown symbols not in SNORT_IGNORE will cause warnings with
--warn-unknown or fatals with --warn-unknown --pedantic.
-_FATAL: snort_config is required_
-
-* add this line near top of file:
-
- require('snort_config')
-
_PANIC: unprotected error in call to Lua API (cannot open
snort_defaults.lua: No such file or directory)_
==== Environment
-LUA_PATH must be set based on your install:
-
- LUA_PATH=$install_prefix/include/snort/lua/\?.lua\;\;
-
SNORT_LUA_PATH must be set to load auxiliary configuration files if you use
the default snort.lua. For example:
First set up the environment:
- export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=$my_path/etc/snort/
Then give it a go:
=== Environment
-LUA_PATH is used directly by Lua to load and run required libraries.
SNORT_LUA_PATH is used by Snort to load supplemental configuration files.
- export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
export SNORT_LUA_PATH=$my_path/etc/snort
-- make install
-- then:
--- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;
-- export SNORT_LUA_PATH=$DIR/etc/snort
-lua_path = os.getenv('LUA_PATH')
-if ( not lua_path ) then
- package.path = '${CMAKE_INSTALL_FULL_INCLUDEDIR}/${INSTALL_SUFFIX}/lua/?.lua;?;'
-end
-
--- this depends on LUA_PATH
--- used to load this conf into Snort
-require('snort_config')
-
-- this depends on SNORT_LUA_PATH
-- where to find other config files
conf_dir = os.getenv('SNORT_LUA_PATH')
** event. Otherwise if the ordering has it that pass rule events are
** processed after a drop or alert you will see the drops and alerts,
** and the pass event just causes us to stop processing any more events
-** on the packet, but the packet does not pass. Also, the --alert-on-drop
-** flag causes any drop/sdrop/reject rules to be loaded as alert rules.
+** on the packet, but the packet does not pass. Also, the --treat-drop-as-alert
+** flag causes any drop/block/reset rules to be loaded as alert rules.
** The default has been to ignore them on parsing.
**
** If this is less than clear, here's the $.02 version:
** the max_events and log fields are reduced to only needing the log
** events field. max_fields is harmless.
** ( drop rules may be honored as alerts in IDS mode (no -Q) by using
-** the --alert-on-drop flag )
+** the --treat-drop-as-alert)
**
** FORMAL INPUTS
** OtnxMatchData * - omd to select event from.
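Review bot: The rewritten line `** the --treat-drop-as-alert)` drops the word "flag" that the old text carried, so the sentence now reads "by using the --treat-drop-as-alert)". Suggest `** the --treat-drop-as-alert flag )` to keep it readable. The comment block this sits in continues above and below the hunk.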
* order is 'drop alert', and we log 3 for drop alerts do not
* get logged. IF order is 'alert drop', and we log 3 for
* alert, then no drops are logged. So, there should be a
- * built in drop/sdrop/reject comes before alert/pass/log as
+ * built in drop/block/reset comes before alert/pass/log as
* part of the natural ordering....Jan '06..
*/
/* Sort the rules in this action group */
{ "log_references", Parameter::PT_BOOL, nullptr, "false",
"include rule references in alert info (full only)" },
- { "order", Parameter::PT_STRING, nullptr, "pass drop alert log",
+ { "order", Parameter::PT_STRING, nullptr, "pass reset block drop alert log",
"change the order of rule action application" },
{ "rate_filter_memcap", Parameter::PT_INT, "0:max32", "1048576",
"drop if checksum is bad" },
{ "checksum_eval", Parameter::PT_MULTI,
- "all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none", "none",
+ "all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none", "all",
"checksums to verify" },
{ "decode_drops", Parameter::PT_BOOL, nullptr, "false",
void module_init();
+const char* get_lua_defaults();
extern Trace TRACE_NAME(detection); // FIXIT-L refactor detection module out
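Review bot: `get_lua_defaults()` is declared here but no definition or caller appears anywhere else in this diff; the functionality its name suggests is provided by `ModuleManager::get_lua_bootstrap()` and `ModuleManager::get_lua_coreinit()`. If it is a leftover from an earlier draft, drop the declaration rather than leave a dangling prototype in the header. If it is defined in a file not shown here, disregard this.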
clone(other_map);
else
{
- add_shell(new Shell);
+ add_shell(new Shell(nullptr, true));
empty_ips_policy = new IpsPolicy(ips_policy.size());
ips_policy.emplace_back(empty_ips_policy);
}
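Review bot: `new Shell(nullptr, true)` passes a bare boolean whose meaning is only discoverable by opening shell.h, and the new `load_defaults` parameter on the declaration there (`Shell(const char* file = nullptr, bool load_defaults = false);`) carries no comment either. Suggest a comment at this call site, `// this shell also runs the built-in module defaults (coreinit)`, and a one-line comment on the shell.h parameter stating that when true the compiled-in coreinit Lua is executed after the bootstrap, since every other construction keeps the false default. The enclosing function starts outside the hunk.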
using namespace snort;
using namespace std;
-#define required "require('snort_config'); "
-
//-------------------------------------------------------------------------
// helper functions
//-------------------------------------------------------------------------
return true;
}
-static void load_overrides(lua_State* L, string& s)
+static void load_string(lua_State* L, const char* s)
{
Lua::ManageStack ms(L);
- if ( luaL_loadstring(L, s.c_str()) )
+ if ( luaL_loadstring(L, s) )
{
const char* err = lua_tostring(L, -1);
if ( strstr(err, "near '#'") )
lua_getglobal(L, "snort_config");
lua_getglobal(L, t);
- if ( !lua_isfunction(L, -2) )
- FatalError("%s\n", "snort_config is required");
+ assert(lua_isfunction(L, -2));
- else if ( lua_pcall(L, 1, 1, 0) )
+ if ( lua_pcall(L, 1, 1, 0) )
{
const char* err = lua_tostring(L, -1);
FatalError("%s\n", err);
return false;
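Review bot: Replacing the `FatalError("%s\n", "snort_config is required")` check with `assert(lua_isfunction(L, -2))` removes the runtime guard in NDEBUG builds, and the condition is not a pure programmer invariant: the bootstrap now defines `snort_config`, but the override string and configuration files loaded into the same state before `run_config` can still reassign that global. With the assert compiled out the failure surfaces as whatever `lua_pcall` reports for calling a non-function, which is harder to act on than a named message. Keep an explicit check alongside or instead of the assert, e.g. `if ( !lua_isfunction(L, -2) ) FatalError("%s\n", "snort_config is missing or was redefined");`, and confirm `<cassert>` is included in this file since the hunk does not show it. The enclosing function starts and ends outside the hunk.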
if ( !s.empty() )
- load_overrides(L, s);
+ load_string(L, s.c_str());
run_config(L, "_G");
// public methods
//-------------------------------------------------------------------------
-Shell::Shell(const char* s)
+Shell::Shell(const char* s, bool load_defaults)
{
// FIXIT-M should wrap in Lua::State
lua = luaL_newstate();
set_file(s);
loaded = false;
+
+ load_string(lua, ModuleManager::get_lua_bootstrap());
+
+ if ( load_defaults )
+ load_string(lua, ModuleManager::get_lua_coreinit());
}
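Review bot: The constructor now executes Lua (`load_string(lua, ModuleManager::get_lua_bootstrap())`) right after `lua = luaL_newstate()`, but `luaL_newstate()` returns a null pointer when it cannot allocate a state, and nothing checks for that before `load_string` constructs a `Lua::ManageStack` on it. A guard before the new calls, `if ( !lua ) FatalError("%s\n", "can't create Lua state");`, turns that failure into a clear message instead of a null dereference; the existing FIXIT-M about wrapping in `Lua::State` would subsume it. It is also worth a comment on the constructor that construction can now terminate the process if the compiled-in bootstrap fails to load, assuming `load_string` ends in `FatalError` on a load error as its visible prefix suggests — that part of `load_string` is outside the hunk.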
Shell::~Shell()
void Shell::set_overrides(const char* s)
{
- if ( overrides.empty() )
- overrides = required;
-
overrides += s;
}
class Shell
{
public:
- Shell(const char* file = nullptr);
+ Shell(const char* file = nullptr, bool load_defaults = false);
~Shell();
void set_file(const char*);
EventManager::instantiate(sc->output.c_str(), sc);
if (SnortConfig::alert_before_pass())
- sc->rule_order = "drop sdrop reject alert pass log";
+ sc->rule_order = "reset block drop alert pass log";
sc->setup();
FileService::post_init();
"0 gets the number of CPU cores reported by the system; default is 1" },
{ "--alert-before-pass", Parameter::PT_IMPLIED, nullptr, nullptr,
- "process alert, drop, sdrop, or reject before pass; "
- "default is pass before alert, drop,..." },
+ "evaluate alert rules before pass rules; default is pass rules first" },
{ "--bpf", Parameter::PT_STRING, nullptr, nullptr,
"<filter options> are standard BPF options, as seen in TCPDump" },
"enable Talos inline rule test mode (same as --tweaks talos -Q -q)", },
{ "--treat-drop-as-alert", Parameter::PT_IMPLIED, nullptr, nullptr,
- "converts drop, sdrop, and reject rules into alert rules during startup" },
+ "converts drop, block, and reset rules into alert rules when loaded" },
{ "--treat-drop-as-ignore", Parameter::PT_IMPLIED, nullptr, nullptr,
- "use drop, sdrop, and reject rules to ignore session traffic when not inline" },
+ "use drop, block, and reset rules to ignore session traffic when not inline" },
{ "--tweaks", Parameter::PT_STRING, nullptr, nullptr,
"tune configuration" },
set (LUA_INCLUDES
- snort_config.lua
+ # required 'header'
${CMAKE_CURRENT_BINARY_DIR}/snort_plugin.lua
+ # deprecated dependency to be removed with RC
+ ${CMAKE_CURRENT_BINARY_DIR}/snort_config.lua
+)
+
+set (CPP_INCLUDES
+ ${CMAKE_CURRENT_BINARY_DIR}/lua_plugffi.h
+ ${CMAKE_CURRENT_BINARY_DIR}/lua_bootstrap.h
+ ${CMAKE_CURRENT_BINARY_DIR}/lua_coreinit.h
)
set( MANAGERS_INCLUDES
add_library( managers OBJECT
${MANAGERS_INCLUDES}
+ ${CPP_INCLUDES}
action_manager.h
action_manager.cc
codec_manager.cc
connector_manager.h
)
-install (FILES ${MANAGERS_INCLUDES}
- DESTINATION "${INCLUDE_INSTALL_PATH}/managers"
+add_custom_command (
+ OUTPUT lua_plugffi.h snort_plugin.lua
+ COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/ffi_wrap.sh ${CMAKE_CURRENT_SOURCE_DIR}/lua_plugin_defs.h > plugffi.lua
+ COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/lua_wrap.sh ${CMAKE_CURRENT_SOURCE_DIR} plugffi > lua_plugffi.h
+ COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/plugffi.lua ${CMAKE_CURRENT_BINARY_DIR}/snort_plugin.lua
+)
+
+add_custom_command (
+ OUTPUT lua_bootstrap.h snort_config.lua
+ COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/lua_wrap.sh ${CMAKE_CURRENT_SOURCE_DIR} bootstrap > lua_bootstrap.h
+ COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/bootstrap.lua ${CMAKE_CURRENT_BINARY_DIR}/snort_config.lua
)
add_custom_command (
- OUTPUT snort_plugin.lua
- COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/ffi_wrap.sh ${CMAKE_CURRENT_SOURCE_DIR}/lua_plugin_defs.h > snort_plugin.lua
+ OUTPUT lua_coreinit.h
+ COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/lua_wrap.sh ${CMAKE_CURRENT_SOURCE_DIR} coreinit > lua_coreinit.h
)
-add_custom_target ( snort_plugin DEPENDS snort_plugin.lua )
+include_directories (${CMAKE_CURRENT_BINARY_DIR})
-# FIXIT-L probably not the ideal way to ensure this gets built
-add_dependencies ( managers snort_plugin )
+install (FILES ${MANAGERS_INCLUDES}
+ DESTINATION "${INCLUDE_INSTALL_PATH}/managers"
+)
install (FILES ${LUA_INCLUDES}
DESTINATION "${INCLUDE_INSTALL_PATH}/lua"
)
+
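Review bot: None of the three `add_custom_command` calls declares `DEPENDS`, so the generated headers are not rebuilt when `lua_plugin_defs.h`, `bootstrap.lua`, `coreinit.lua` or the wrap scripts change, and a stale `lua_coreinit.h` would silently carry old module defaults into the binary. Add a `DEPENDS` line to each, e.g. `DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/lua_wrap.sh ${CMAKE_CURRENT_SOURCE_DIR}/coreinit.lua` for the coreinit command and the matching inputs for the other two. Listing `${CPP_INCLUDES}` among the library sources is what triggers generation now that the `snort_plugin` target is gone; a comment saying so next to `set (CPP_INCLUDES` would save the next reader from re-adding the old `add_dependencies` workaround.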
--- /dev/null
+---------------------------------------------------------------------------
+-- Copyright (C) 2019-2019 Cisco and/or its affiliates. All rights reserved.
+--
+-- This program is free software; you can redistribute it and/or modify it
+-- under the terms of the GNU General Public License Version 2 as published
+-- by the Free Software Foundation. You may not use, modify or distribute
+-- this program under any other version of the GNU General Public License.
+--
+-- This program is distributed in the hope that it will be useful, but
+-- WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+-- General Public License for more details.
+--
+-- You should have received a copy of the GNU General Public License along
+-- with this program; if not, write to the Free Software Foundation, Inc.,
+-- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+---------------------------------------------------------------------------
+-- builtin_defaults.lua author Russ Combs <rucombs@cisco.com>
+
+---------------------------------------------------------------------------
+-- Snort uses this to configure Lua settings into C++
+---------------------------------------------------------------------------
+
+-- builtin modules are included to always set defaults via parameters instead
+-- of putting defaults in two places
+-- these are loaded first and will get overridden if configured by the user
+-- these modules are virtually always in play
+
+active = { }
+alerts = { }
+daq = { }
+decode = { }
+host_cache = { }
+host_tracker = { }
+hosts = { }
+network = { }
+output = { }
+packets = { }
+process = { }
+search_engine = { }
+
+-- exceptions:
+
+--[[
+attribute_table = { } -- opt in only
+classifications = { } -- pure list
+detection = { } -- policy specific
+event_filter = { } -- pure list
+event_queue = { } -- pure list
+file_id = { } -- opt in
+high_availability = { } -- opt in
+inspection = { } -- policy specific
+ips = { } -- policy specific
+latency = { } -- don't activate
+memory = { } -- opt in
+packet_tracer = { } -- opt in
+perf_monitor = { } -- opt in
+port_scan = { } -- opt in
+profiler = { } -- don't activate
+rate_filter = { } -- pure list
+references = { } -- pure list
+rule_state = { } -- pure list
+side_channel = { } -- leaks!
+snort = { } -- command line only
+suppress = { } -- pure list
+--]]
+
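Review bot: The author line says `-- builtin_defaults.lua author Russ Combs`, but the only consumer in this diff is `lua_wrap.sh ${CMAKE_CURRENT_SOURCE_DIR} coreinit`, which reads `coreinit.lua`; if this is that file, the header should name it `coreinit.lua` so the comment matches the source `lua_coreinit.h` is generated from. The `side_channel = { } -- leaks!` entry in the commented-out exceptions block reads as an unresolved bug rather than a reason for exclusion; a short note naming what leaks would tell the next reader why it stays opted out. Since `network = { }` here makes that module's parameter defaults effective on every run, the explanatory comment at the top could state that consequence explicitly — it is what now decides the effective `checksum_eval` value for configurations that never mention network.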
--- /dev/null
+#!/bin/sh
+
+src=$1/$2.lua
+tag=$2
+
+echo "static const char* lua_$tag = R\"[$tag]("
+cat $src
+echo ")[$tag]\";"
+
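Review bot: `cat $src` is the only command here that can fail, and because the script's exit status is that of the final `echo`, a missing or unreadable `$1/$2.lua` yields a header containing an empty raw string and the build carries on with it. Add `set -eu` after the shebang and quote the expansions (`src="$1/$2.lua"`, `cat "$src"`) so a bad path fails the CMake step instead of generating `static const char* lua_coreinit = R"[coreinit]()[coreinit]";`. CMake invokes this script by path rather than through `sh`, so its executable bit should be verified in the commit as well.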
#include "plugin_manager.h"
+// "Lua" includes
+#include "lua_bootstrap.h"
+#include "lua_coreinit.h"
+
using namespace snort;
using namespace std;
bool set_alias(const char* from, const char* to);
}
+//-------------------------------------------------------------------------
+// boot foo
+//-------------------------------------------------------------------------
+
+const char* ModuleManager::get_lua_bootstrap()
+{ return lua_bootstrap; }
+
+const char* ModuleManager::get_lua_coreinit()
+{ return lua_coreinit; }
+
//-------------------------------------------------------------------------
// ModHook foo
//-------------------------------------------------------------------------
static const char* get_current_module();
SO_PUBLIC static std::list<Module*> get_all_modules();
+ static const char* get_lua_bootstrap();
+ static const char* get_lua_coreinit();
+
static void list_modules(const char* = nullptr);
static void dump_modules();
static void show_modules();
#include "hash/xhash.h"
#include "helpers/directory.h"
#include "log/messages.h"
+#include "main/modules.h"
#include "main/shell.h"
#include "main/snort_config.h"
#include "managers/event_manager.h"
}
std::string gid = rule_api.get_option("gid");
- if (0 == gid.compare(GID_REPUTATION) && 0 == rule_api.get_rule_old_action().compare("sdrop"))
+ if (0 == gid.compare(GID_REPUTATION) && 0 ==
+ rule_api.get_rule_old_action().compare("sdrop"))
{
std::string sid = rule_api.get_option("sid");
table_api.open_table("suppress");
out << "-- make install\n";
out << "--\n";
out << "-- then:\n";
- out << "-- export LUA_PATH=$DIR/include/snort/lua/?.lua\\;\\;\n";
out << "-- export SNORT_LUA_PATH=$DIR/conf/\n";
out << "---------------------------------------------------------------------------\n";
out << "\n";
- out << "\n";
- out << "\n";
- out << "require(\"snort_config\")\n\n";
out << "dir = os.getenv('SNORT_LUA_PATH')\n";
out << "\n";
out << "if ( not dir ) then\n";
out << "\n";
out << "dofile(dir .. '/snort_defaults.lua')\n";
out << "\n";
- out << "\n";
data_api.print_data(out);
if (!rule_api.empty())