3

I am installing and configuring Snort 3 for the first time on CentOS 8 while following the Snort 3.0.3 on CentOS8 manual from Snort's official documentation (I can't link directly to it as it's a dynamically generated PDF that can expire after some time).

I am now trying to start Snort on my network interface using the command /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua -i enp37s0 -l /var/log/snort --plugin-path /usr/local/snort/extra -k none with sudo after having generated my rules with PulledPork into a snort.rules file. However, the output this command generates mentions the error FATAL: ips.rules:2 undefined variable name: RULE_PATH while reading my snort.lua file.

The content of the ips array inside my snort.lua file is as follows:

ips =
{
    mode = tap,
    rules = [[
        include $RULE_PATH/snort.rules
    ]]
}

The RULE_PATH variable is defined in the snort_defaults.lua file:

---------------------------------------------------------------------------
-- default paths
---------------------------------------------------------------------------
-- Path to your rules files (this can be a relative path)

RULE_PATH = '../../rules'
BUILTIN_RULE_PATH = '../../builtin_rules'
PLUGIN_RULE_PATH = '../../so_rules'

-- If you are using reputation preprocessor set these
PASS_LIST_PATH = '../../intel'
BLOCK_LIST_PATH = '../../intel'

I don't understand why it would be undefined, because snort_defaults.lua is imported at the beginning of the snort.lua file:

---------------------------------------------------------------------------
-- 2. configure defaults
---------------------------------------------------------------------------

-- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting
HOME_NET = [[ 192.168.1.0/24 ]]

-- set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = 'any'

-- dofile(conf_dir .. '/snort_defaults.lua')
-- dofile(conf_dir .. '/file_magic.lua')

include 'snort_defaults.lua'
include 'file_magic.lua'

What could be making Snort think that my RULE_PATH variable is undefined?

Eric132
  • 31
  • 3

1 Answer

0

I ran into this same issue when setting up Snort 3.1.25, and it seems the syntax may have been updated over the development period, after that article was written. The issue is with the way the path is set. You want to use:

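ips =
{
    mode = tap,
    enable_builtin_rules = true,

    variables = default_variables,
    include = RULE_PATH .. "/snort.rules",
    -- A Lua table keeps one value per key, so with a second `include =`
    -- field only one of the two would take effect; left commented out:
    -- include = BUILTIN_RULE_PATH .. "/builtins.rules",
}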

The syntax needed is GLOBAL_VARIABLE, the Lua Concat Operator "..", and then the string path.

Note: The builtin rules are optional, but just in case...

DBrown
  • 113
  • 5
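
The two Lua behaviours this thread turns on, as an added example that is not part of either post and is not Snort project code: a [[ ]] long string is passed through literally, while .. resolves the Lua global when the file is loaded. It runs under a plain Lua or LuaJIT interpreter without Snort; the helper include_lines is hypothetical, and the paths are copied from the snort_defaults.lua excerpt in the question.

```lua
-- Added example: plain Lua, no Snort required.
-- Paths copied from the snort_defaults.lua excerpt in the question.
RULE_PATH = '../../rules'
BUILTIN_RULE_PATH = '../../builtin_rules'

-- 1. Lua does not expand $NAME inside a [[ ... ]] long string, so the
--    rule parser is handed the text "$RULE_PATH" and has to resolve it itself.
local literal = [[
    include $RULE_PATH/snort.rules
]]
assert(literal:find('$RULE_PATH', 1, true))      -- still the placeholder
assert(not literal:find(RULE_PATH, 1, true))     -- the real path is absent

-- 2. The .. operator reads the Lua global while the config is loaded.
local resolved = RULE_PATH .. '/snort.rules'
assert(resolved == '../../rules/snort.rules')

-- 3. A table constructor keeps one value per key: two `include =` fields
--    leave a single entry, so one of the rules files is silently dropped.
local dup = {
    include = RULE_PATH .. '/snort.rules',
    include = BUILTIN_RULE_PATH .. '/builtins.rules',
}
local count = 0
for _ in pairs(dup) do count = count + 1 end
assert(count == 1)

-- Hypothetical helper: one "include <path>" line per rules file, joined
-- into the single string that ips.rules accepts.
local function include_lines(files)
    local lines = {}
    for _, path in ipairs(files) do
        lines[#lines + 1] = 'include ' .. path
    end
    return table.concat(lines, '\n')
end

-- Only the rules field is shown; the other ips fields stay as in snort.lua.
ips = {
    rules = include_lines{
        RULE_PATH .. '/snort.rules',
        BUILTIN_RULE_PATH .. '/builtins.rules',
    },
}
print(ips.rules)
```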