[Snort-devel] File magic rules for 2.9.6, what options are required?

Joshua Kinard kumba at ...2185...
Thu Dec 26 15:41:18 EST 2013


Doing a quick glance at the new file magic "rules" that one can specify in
2.9.6 RC, I am not directly seeing a definition of which of the options are
required and which aren't.

So far, it looks like I can write this:
    file type:FOO;

And ~/bin/snort -c local.rules -T parses w/o error.

Logically, my guess is that the following option keywords are going to be
required for a 'file' definition to work correctly:
    type
    id
    msg
    content

With these being optional:
    ver
    category
    group (required only if >1 definition of 'type')
    offset (assumed 0 if not specified)
    rev (assumed 1 if not specified)

Does this sound about right?


Also, in doc/README.file there are two minor errors on lines 241 and 243.  First
is the use of "smart quotes" on the 'msg' keyword, and 'sid' instead of 'id'.
Someone wrote part of this in MS Office, didn't they? :)

--J
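A small parser and checker for the 'file' rule syntax the post is asking about, added here as an example and not code from the post or from Snort itself. It takes the required/optional split and the offset/rev defaults exactly as the post guesses them (nothing on the page confirms that they match Snort's actual behaviour), assumes that pipe-delimited runs such as |4D 5A| in a content value are hex bytes, and the sample rule line is constructed.

```python
import re

# Keyword split as the post guesses it (assumption; not confirmed by the page).
REQUIRED = {"type", "id", "msg", "content"}
OPTIONAL = {"ver", "category", "group", "offset", "rev"}
DEFAULTS = {"offset": "0", "rev": "1"}      # defaults the post assumes

# one 'key:value;' option; value is either a double-quoted string or bare text
_OPT = re.compile(r'\s*(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')
_HEX = re.compile(r"\|([0-9A-Fa-f\s]+)\|")   # assumed hex-byte notation


def parse_content(value):
    """Decode a content value: |4D 5A| runs become bytes, the rest is ASCII."""
    value = value.strip().strip('"')
    out, pos = bytearray(), 0
    for m in _HEX.finditer(value):
        out += value[pos:m.start()].encode("ascii")
        out += bytes.fromhex("".join(m.group(1).split()))
        pos = m.end()
    out += value[pos:].encode("ascii")
    return bytes(out)


def parse_file_rule(line):
    """Parse 'file key:value; ...;' into a dict; 'content' is stored as bytes."""
    body = line.strip()
    if not body.startswith("file "):
        raise ValueError("not a 'file' rule: %r" % line)
    opts, pos = {}, 5
    while pos < len(body):
        m = _OPT.match(body, pos)
        if not m:
            raise ValueError("cannot parse near %r" % body[pos:pos + 20])
        key, val = m.group(1), m.group(2)
        if key not in REQUIRED | OPTIONAL:
            raise ValueError("unknown file-rule option %r" % key)
        opts[key] = parse_content(val) if key == "content" else val.strip('"')
        pos = m.end()
    return opts


def check_rule(opts):
    """Fill in the assumed defaults in place; return a list of problems found."""
    problems = ["missing required option %r" % k for k in sorted(REQUIRED - opts.keys())]
    for key, default in DEFAULTS.items():
        opts.setdefault(key, default)
    return problems


def magic_matches(opts, data):
    """True when the file bytes at 'offset' equal the rule's content bytes."""
    off, sig = int(opts["offset"]), opts["content"]
    return len(data) >= off + len(sig) and data[off:off + len(sig)] == sig
```

Running `check_rule(parse_file_rule("file type:FOO;"))` reports the three options the post expects to be required, which is the check that `snort -T` does not perform.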



