Snort error while validating config files

Hi! I am using OpenWrt version 22.03.5 on x86_64. I am trying to install Snort3, I followed the steps on the official guide for this, I did the IDS setup, and then altered it to act as an IPS based on the guide.
When validating these config files with this command:
snort -c /etc/snort/snort.lua --daq-dir /usr/lib/daq -T

I am getting 2 errors:

  1. ERROR: /etc/snort/snort.lua: can't find daq.modules.action_override

  2. ERROR: /etc/snort-rules/rules/snort3-community.rules:1 unable to open rules file '/etc/snort-rules/rules/snort3-community.rules': No such file or directory

Oh, and also, I set up all the rules based on the "rule script" that was provided by the guide.
I am stuck on these 2 errors, with Google not helping at all.
Can you please help me?
Thank you very much!

Have you modified the local.lua file? If so, could you post it here?

My suspicion on 1 is that you have the action_override in the wrong section, should be in the ips section, not the daq section.

ips = {
  mode            = inline,
  variables       = default_variables,
  action_override = action,                 -- belongs in ips, not in daq
  include         = RULE_PATH .. '/snort.rules',
}

Second one, check the existence of your rules file at that path, mine is at /etc/snort/rules/... not snort-rules.

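To make the placement concrete, here is a minimal snort.lua that puts the two sections side by side. This is an added example, not the OpenWrt guide's config or the poster's file; the interface names, the rule path, the module directory and the 'drop' value for action_override are assumptions that have to be adjusted to the actual setup.

```lua
-- Added example (not from the guide or the thread): minimal snort.lua showing
-- where action_override belongs. All paths, interfaces and values are assumed.
HOME_NET     = 'any'
EXTERNAL_NET = 'any'
RULE_PATH    = '/etc/snort/rules'          -- assumed; the include below must point at a file that exists

include 'snort_defaults.lua'               -- ships with Snort 3; defines default_variables

-- daq = packet acquisition only. Keep rule actions out of this table:
-- placing action_override here produces "can't find daq.modules.action_override".
daq = {
    module_dirs = { '/usr/lib/daq' },      -- same directory as --daq-dir on the command line
    inputs      = { 'eth0:eth1' },         -- assumed bridge pair for inline afpacket
    modules = {
        {
            name = 'afpacket',
            mode = 'inline',
        },
    },
}

-- ips = detection and rule actions. action_override is an ips parameter.
ips = {
    mode            = 'inline',
    variables       = default_variables,
    action_override = 'drop',              -- assumed; forces this action for every loaded rule
    include         = RULE_PATH .. '/snort.rules',
}
```

Before running snort -T, it is worth confirming that every file named in an include line actually exists at that path; a missing rules file is reported with the same "unable to open rules file" error as in the second message above, regardless of whether the rest of the config is correct.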

Thank you! Moving the action override actually helped!
I don't know why it's in the daq section on the main guide.

Also, I am just using a different path for rules, I solved it by removing the community rules from the snort.lua since the file snort3-community.rules is no longer in the ruleset downloaded from snort.


I don't have wiki access yet, but it's on my list...

Note that if you use Snort inline with afpacket, no traffic can be dropped; only reject works, and only halfway with TCP: the "dangerous" packets are let through, but the connection is terminated by the reset that Snort sends. At the moment Snort only works right with the Nfq method.
