snort3 - custom.lua

custom.lua

--These configuration lines will perform the following tasks:
--enables the built-in preproc rules, and snort.rules file
--enables hyperscan as the search engine for pattern matching
--enables the IP reputation blocklist
--enables JSON alerting for snort alerts
--enables appid, the appid listener, and logging appid events.
ips =
{
    enable_builtin_rules = true,

    include = "/usr/local/etc/rules/snort.rules",
    variables = default_variables
}

search_engine = { search_method = "hyperscan" }
detection =
{
    hyperscan_literals = true,
    pcre_to_regex = true
}
reputation =
{
    blocklist = '/usr/local/etc/lists/default.blocklist',
}
alert_json =
{
    file = true,
    limit = 1000,
    fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \
    eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls \
    pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port \
    target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',
}
appid =
{
    app_detector_dir = '/usr/local/lib',
}
appid_listener =
{
    json_logging = true,
    file = "/var/log/snort/appid-output.log",
}

Hey folks, this is a snort3 lua configuration file, custom.lua. This file is designed to be used along side my snort 3 installation guide for debian-based distributions. The comments in the file are pretty self-explanation and detail what exactly the configuration file is designed to do.

place the custom.lua file into the /usr/local/etc/snort/custom.lua, then run the command:

echo "include 'custom.lua'" >> /usr/local/etc/snort/snort.lua

or alternatively, using your favorite text editor, add the line:

include 'custom.lua'

to the very end of the snort.lua file manually.

For the configuration options defined here to take effect.