[Snort-devel] Bug in 2.8.4.1?

Steven Sturges steve.sturges at ...402...
Fri Feb 5 15:03:03 EST 2010


While this is a subtle syntax error, the reason it is
not specifically noted with the -T is a conscious one.

When reading a conf and parsing with -T, Snort allows for
Rules to not have SIDs specified, to check the validity of
the rule's detection options (contents, byte_test, pcre, etc).

That requirement is enforced when the -T is not present with
more recent versions of Snort that require all rules to
have a unique SID.  Earlier versions allow this.

To maintain backwards compatibility with 'Test Mode', Snort
allows this with the -T, but generates a run-time error
without it.

Cheers.
-steve

mex wrote:
> hi,
> 
> i was playing around with snort 2.8.4.1 and 
> discovered (probably) a bug:
> 
> when misspelling a rule like the following
> (watch the missing ; after the reference)  
> 
> alert .... ( ... reference,url:www.some.url sid:12345678;)
> 
> the command snort -T -c /etc/snort/snort.conf did not
> show any errors, while starting snort via init-script
> (that calls  /usr/sbin/snort -D -c /etc/snort/snort.conf)
> led to a non-starting snort, due to this error.
> 
> 
> mex
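
A pre-deployment check for the failure discussed in this thread, added here as an example and not part of the original messages or of Snort: it parses each rule's options itself and reports rules where no `sid` option is parsed, where an option's argument appears to contain another option (the missing `;` case), and where a SID repeats. The function names, the sample rules and the one-rule-per-line layout are assumptions made for this illustration.

```python
import re

# Constructed sample rules (not from the thread). The second one omits the
# ';' after the reference option; the third reuses the first rule's SID.
SAMPLE_RULES = "\n".join([
    r'alert tcp any any -> any 80 (msg:"ok"; content:"a\;b"; reference:url,www.example.com; sid:1000001; rev:1;)',
    r'alert tcp any any -> any 80 (msg:"missing semicolon"; reference:url,www.example.com sid:1000002;)',
    r'alert tcp any any -> any 80 (msg:"duplicate sid"; content:"x"; sid:1000001;)',
])

QUOTED = r'"(?:\\.|[^"\\])*"'
# One option = a run of escaped characters, quoted strings, or ordinary
# characters, ending at the first ';' that is neither escaped nor quoted.
OPTION_RE = re.compile(r'(?:\\.|' + QUOTED + r'|[^;\\"])+')
# Keywords that should never appear inside another option's argument.
SWALLOWED_RE = re.compile(r'\s(sid|rev|gid|classtype)\s*:')

def split_options(body):
    """Return the options of a rule body, without their terminating ';'."""
    return [o.strip() for o in OPTION_RE.findall(body) if o.strip()]

def lint_rules(text):
    """Return (line_number, message) findings; assumes one rule per line."""
    findings, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        m = re.match(r'^[^(]*\((.*)\)\s*$', line)
        if line.startswith("#") or not m:
            continue  # comment, blank line, or not a rule
        sid = None
        for opt in split_options(m.group(1)):
            key, _, arg = opt.partition(":")
            key = key.strip()
            if key == "sid":
                sid = arg.strip()
            # Ignore quoted text so a msg:"... sid: ..." string is not flagged.
            elif SWALLOWED_RE.search(re.sub(QUOTED, '""', arg)):
                findings.append((n, f"'{key}' argument contains another option; missing ';'?"))
        if sid is None:
            findings.append((n, "no sid option parsed"))
        elif seen.setdefault(sid, n) != n:
            findings.append((n, f"sid {sid} already used on line {seen[sid]}"))
    return findings

if __name__ == "__main__":
    for lineno, message in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {message}")
```
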




