Snort3 (though beta) on OpenWrt?


Did anyone try (or is anyone trying) to get the opkg package snort3 fully working on OpenWrt?

I did install it via opkg, and it apparently works fine if I let it run without its full config, i.e. running it from the command line directly from the bin exec (not the init script), with most of its params but not the config file:

root@OpenWrt:/etc/snort/etc# /usr/bin/snort -v --daq-dir /usr/lib/daq/ -i br-lan -R /etc/snort/rules/local.rules -A alert_fast -s 65535 -k none  -l /log/snort/ -T
o")~   Snort++ 3.0.0-247
Loading rules:
Loading /etc/snort/rules/local.rules:
Finished /etc/snort/rules/local.rules.
Finished rules.
rule counts
       total rules loaded: 1
               text rules: 1
            option chains: 1
            chain headers: 1
port rule counts
             tcp     udp    icmp      ip
     any       0       0       1       0
   total       0       0       1       0
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

where my custom local.rules file includes only the classic ICMP test rule. And if I let it really run, it works by detecting my test pings.
The problem arises when I feed it the default snort config (taken from the snort website along with the registered ruleset). That's needed since the opkg package doesn't include a default config to use.
Running it with the config file param, I get this:

Loading /etc/snort/etc/snort.lua:
FATAL: can't init /etc/snort/etc/snort.lua: /etc/snort/etc/snort.lua:30: attempt to call global 'include' (a nil value)
Fatal Error, Quitting..

where the culprit line states:

include 'snort_defaults.lua'

which is a file that does exist, next to the snort.lua config file. I've tried several things, like forcing the path (no change), commenting out the line (config is deemed incomplete), including its content in snort.lua (no real change), etc. No success so far.

Anyone have any hint?

P.S. Just as a side note, snort 2.9 seems to run fine instead. It's just that most up-to-date guides I've looked at (for my purposes of having a modern working dashboard somewhere) now refer to snort3, and it actually deserves some attempts.

Well, I guess this is kind of an answer in itself too: not too many people experimenting with Snort3. Perhaps still too early for it.

Does this help?
I'm a noob in this, so that is all I can do.

websearch... known issue (as of 12-6 months ago... the situation may have changed since then, at least on master)
(that said... I did have some 'overnight' issues running a full config)

Have you set up snort3 before on a regular distro?

Just to update that the issue seems to be fixed now.

I retrieved the WRT3200ACM these holidays and updated it with OpenWRT 21.02.1, then re-installed snort3 v3.1.0.0-3 and it seems to work now. I had to tweak the config a bit in order to successfully load the Registered Rules (not the Community ones) from Snort's portal, but it did it.

It still remains to fix the starting of snort through a system service (the provided script under /etc/init.d/ seems not to be working), but most of it is actually done.

What I'm working on now (before fixing the service issue) is a way to forward the alert file to a log server where I can run a dashboard. I have a mini Ubuntu server in my network where I installed Splunk for the purpose, but I still have to make Snort's alerts arrive over there. It looks like syslog-ng can't be installed as is, and while rsyslog could, it is missing exactly the imfile module, needed to monitor a file in the filesystem (before it can be forwarded to an external log server).

Is there any known way to forward a custom (not the system) log file over UDP?
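One way to forward the alert file without rsyslog's imfile module, as an added example that is not from this thread or from the Snort project: a small Python script (python3-light is available via opkg) that tails the alert_fast file and wraps each new line in an RFC 5424 syslog header sent as a UDP datagram. The alert path /log/snort/alert_fast.txt, the hostname "openwrt" and the collector address 192.0.2.10:514 are assumptions.

```python
#!/usr/bin/env python3
"""Tail a Snort alert_fast file and forward each new line as RFC 5424 syslog over UDP.
Added example for the thread above; path and collector address are assumptions."""
import os
import socket
import time
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16   # syslog facility number for local0
SEVERITY_WARNING = 4   # syslog severity number for "warning"


def syslog_pri(facility=FACILITY_LOCAL0, severity=SEVERITY_WARNING):
    """RFC 5424 PRI value: facility * 8 + severity (local0/warning -> 132)."""
    return facility * 8 + severity


def build_syslog_message(line, hostname="openwrt", app="snort", ts=None,
                         facility=FACILITY_LOCAL0, severity=SEVERITY_WARNING):
    """Wrap one alert line in an RFC 5424 header; ts is an ISO 8601 UTC timestamp."""
    if ts is None:
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # "-" stands for the unused PROCID, MSGID and STRUCTURED-DATA fields.
    return f"<{syslog_pri(facility, severity)}>1 {ts} {hostname} {app} - - - {line.rstrip()}"


def follow(path, poll_seconds=1.0):
    """Yield lines appended to `path`, like `tail -F`: start at the current end and
    reopen the file when Snort rotates it (inode changes or size shrinks)."""
    fh = open(path, "r", errors="replace")
    fh.seek(0, os.SEEK_END)
    while True:
        line = fh.readline()
        if line:
            yield line
            continue
        try:
            st = os.stat(path)
            rotated = st.st_ino != os.fstat(fh.fileno()).st_ino or st.st_size < fh.tell()
        except FileNotFoundError:
            rotated = False   # file temporarily missing during rotation; keep waiting
        if rotated:
            fh.close()
            fh = open(path, "r", errors="replace")   # new file: read it from the start
        time.sleep(poll_seconds)


def forward(path="/log/snort/alert_fast.txt", collector=("192.0.2.10", 514)):
    """Send every new alert line to the collector. UDP is unacknowledged: a dropped
    datagram is lost, which is the usual syslog-over-UDP trade-off."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for line in follow(path):
        sock.sendto(build_syslog_message(line).encode("utf-8", "replace"), collector)


if __name__ == "__main__":
    forward()
```

On the Splunk side, a UDP data input on port 514 with sourcetype syslog will parse the header and keep the Snort alert text as the message body.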