[Snort-devel] Bug in 220.127.116.11?
steve.sturges at ...402...
Fri Feb 5 15:03:03 EST 2010
While this is a subtle syntax error, the reason it is
not specifically noted with the -T is a conscious one.
When reading a conf and parsing with -T, Snort allows for
Rules to not have SIDs specified, to check the validity of
the rule's detection options (contents, byte_test, pcre, etc).
That requirement is enforced when the -T is not present with
more recent versions of Snort that require that all rules
have a unique SID. Earlier versions allow this.
To maintain backwards compatibility with 'Test Mode', Snort
allows this with the -T, but generates a run-time error

> I was playing around with snort 18.104.22.168 and
> discovered (probably) a bug:
> when misspelling a rule like the following
> (watch the missing ; after the reference)
> alert .... ( ... reference,url:www.some.url sid:12345678;)
> the command snort -T -c /etc/snort/snort.conf did not
> show any errors, while starting snort via init-script
> (that calls /usr/sbin/snort -D -c /etc/snort/snort.conf)
> led to a non-starting snort, due to this error.
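
A pre-deployment check for the gap described in this thread, as an added example that is not part of the original post or of Snort itself: it splits each rule's options on `;` and flags a rule with no `sid` option, or an option value that appears to contain another option. The function names, the `KEYWORDS` set and both sample rules are constructed for illustration.

```python
import re

# Option keywords to look for inside another option's value (small illustrative set).
KEYWORDS = {"sid", "rev", "msg", "classtype", "reference", "content"}

def split_options(body):
    """Split a rule body on ';', honouring double quotes and backslash escapes."""
    opts, cur, in_quote, i = [], "", False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep escaped char, e.g. \; or \"
            cur += body[i:i + 2]
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    opts.append(cur.strip())                   # trailing text with no ';'
    return [o for o in opts if o]

def lint_rule(rule):
    """Return a list of findings for one rule line (empty list means clean)."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return ["no option body found"]
    findings, keys = [], set()
    for opt in split_options(rule[start + 1:end]):
        key, _, value = opt.partition(":")
        keys.add(key.strip())
        # Ignore quoted strings so text inside msg/content is not misread.
        unquoted = re.sub(r'"(?:\\.|[^"\\])*"', '""', value)
        for m in re.finditer(r"\s(\w+)\s*:", unquoted):
            if m.group(1) in KEYWORDS:
                findings.append(f"'{key.strip()}' value contains '{m.group(1)}:' (missing ';'?)")
    if "sid" not in keys:
        findings.append("no sid option")
    return findings

# Constructed sample rules (not from the original post).
GOOD = 'alert tcp any any -> any 80 (msg:"test; rule"; content:"a\\;b"; reference:url,www.example.com; sid:1000001; rev:1;)'
BAD = 'alert tcp any any -> any 80 (msg:"test; rule"; content:"a\\;b"; reference:url,www.example.com sid:1000001; rev:1;)'

if __name__ == "__main__":
    for name, rule in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_rule(rule) or "ok")
```

Running it over the rule files before restarting the sensor surfaces the class of rule that passes `-T` but stops a normal start.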