[Snort-devel] File magic rules for 2.9.6, what options are required?

Joshua Kinard kumba at ...2185...
Thu Dec 26 15:41:18 EST 2013

Doing a quick glance at the new file magic "rules" that one can specify in
2.9.6 RC, I am not directly seeing a definition of which of the options are
required and which aren't.

So far, it looks like I can write this:
    file type:FOO;

And ~/bin/snort -c local.rules -T parses without error.

Logically, my guess is that the following option keywords are going to be
required for a 'file' definition to work correctly:

With these being optional:
    group (required only if >1 definition of 'type')
    offset (assumed 0 if not specified)
    rev (assumed 1 if not specified)

Does this sound about right?

Also, in doc/README.file there are two minor errors on lines 241 and 243.  The first
is the use of "smart quotes" on the 'msg' keyword, the second is 'sid' instead of 'id'.
Someone wrote part of this in MS Office, didn't they? :)
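As an added illustration (not part of the original message and not Snort's own parser), the following Python checks a set of file magic rules against exactly the conventions the message describes: a rule line has the shape `file key:value; key:value;`, `offset` defaults to 0 and `rev` to 1 when absent, `group` is only needed when the same `type` is defined more than once, and `sid` is flagged as a likely typo for `id`. The rule syntax, the sample rules and the warning texts are assumptions made here; the required-option list itself is not settled by the message, so the checker only enforces `type`, which the message shows parsing on its own.

```python
import re
from collections import Counter

# Constructed sample rules for the checker; not taken from Snort's file_magic
# configuration and not from the original message.
SAMPLE_RULES = """\
file type:FOO;
file type:BAR; id:2; msg:"bar"; offset:4; rev:2;
file type:BAR; id:3; msg:"bar v2"; group:bar;
file type:BAZ; sid:4; msg:"baz";
"""

# Defaults the message assumes when the option is not given.
DEFAULTS = {"offset": "0", "rev": "1"}

# One option: key, then a colon, then either a double-quoted string or
# anything up to the next semicolon, then the terminating semicolon.
_OPT = r'\s*(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;'
_OPT_RE = re.compile(_OPT)
_BODY_RE = re.compile(r'(?:' + _OPT + r')*\s*')


def parse_rule(line):
    """Parse one 'file key:value; ...' line into an option dict.

    Hypothetical parser; raises ValueError on anything that does not fit
    the assumed 'file' keyword plus 'key:value;' option list shape.
    """
    line = line.strip()
    if not line.startswith("file "):
        raise ValueError("rule must start with the 'file' keyword: %r" % line)
    body = line[len("file "):]
    if not _BODY_RE.fullmatch(body):
        raise ValueError("malformed option list: %r" % body)
    opts = {}
    for key, value in _OPT_RE.findall(body):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # strip the quotes around msg-style values
        opts[key] = value
    return opts


def lint_rules(text):
    """Return (rules, warnings) for a block of rule lines.

    Each rule comes back with DEFAULTS filled in; warnings are plain strings
    describing the problems the checker looks for (assumed conventions).
    """
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    warnings = []
    # How often each 'type' is defined, to decide whether 'group' is needed.
    type_counts = Counter(r.get("type") for r in rules)
    for n, r in enumerate(rules, 1):
        if "type" not in r:
            warnings.append("rule %d: missing required 'type' option" % n)
        if "sid" in r and "id" not in r:
            warnings.append("rule %d: 'sid' looks like a typo for 'id'" % n)
        if "type" in r and type_counts[r["type"]] > 1 and "group" not in r:
            warnings.append("rule %d: type %s is defined more than once "
                            "but has no 'group'" % (n, r["type"]))
        for key, default in DEFAULTS.items():
            r.setdefault(key, default)   # apply the assumed defaults
    return rules, warnings


if __name__ == "__main__":
    parsed, problems = lint_rules(SAMPLE_RULES)
    for rule in parsed:
        print(rule)
    for problem in problems:
        print("WARNING:", problem)
```

Run against the constructed sample, the second BAR rule gets flagged for the missing `group` and the BAZ rule for `sid`, while the bare `file type:FOO;` rule comes back with `offset` 0 and `rev` 1 filled in.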

