[Snort-sigs] Beginner Rule Problem

Joel Esler jesler at ...435...
Fri Oct 11 14:19:38 EDT 2013


On Oct 10, 2013, at 9:56 PM, wkitty42 at ...3507... wrote:
> On Thursday, October 10, 2013 2:08 PM, Kodiak80 <kodiak80 at ...2420...> wrote: 
>> I finally got my issue resolved with help over on the pfSense forums.  In case 
>> anyone else runs into a similar problem, I was missing a classification in my 
>> rule.  Once I added a 'classtype: inappropriate-content', the rule worked as 
>> expected.  Not sure if that is a general Snort requirement, or unique to the 
>> pfSense Snort install.  Thanks to those offering help. 
> 
> snort does not complain about basic rules that do not include such things as SID, MSG and apparently classtype... there may be others...
> 
> NOTE to snort development team: please cause snort to error on rules that do not conform to basics and report exactly why the rule is being complained about... :)

It'll error on SID.  Classtype isn’t required, but apparently in pfsense it is.  MSG isn’t required, I’ll have a discussion about if we should make it required.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
AEGIS Intelligence Lead
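
A pre-load check along the lines discussed above, as an added example that is not part of the original thread and is not Snort or pfSense code. It reports exactly which basic option a rule lacks; the severity mapping (sid as an error, msg and classtype as warnings) and the sample rules are assumptions constructed for illustration.

```python
import re

# Severity per option, following the thread: Snort itself errors on a missing
# sid; msg and classtype are optional in Snort, though the pfSense install in
# the thread needed classtype. This mapping is the example's own assumption.
REQUIRED = {"sid": "error", "msg": "warning", "classtype": "warning"}
OPTION_BLOCK = re.compile(r"^[^(]*\((.*)\)\s*$", re.S)


def split_options(body):
    """Split an option body on ';', honouring quotes and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def lint_rule(rule):
    """Return a list of (severity, message) findings for one rule line."""
    m = OPTION_BLOCK.match(rule)
    if not m:
        return [("error", "no option block in parentheses")]
    names = {o.split(":", 1)[0].strip() for o in split_options(m.group(1))}
    return [(sev, f"missing '{opt}' option")
            for opt, sev in REQUIRED.items() if opt not in names]


# Constructed sample rules (not taken from the thread).
SAMPLES = [
    'alert tcp any any -> any 80 (content:"a;b"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"test; rule"; content:"x"; '
    'classtype:inappropriate-content; sid:1000002; rev:1;)',
    'alert tcp any any -> any 80 (msg:"no sid"; content:"x";)',
]

if __name__ == "__main__":
    for rule in SAMPLES:
        print(rule, "->", lint_rule(rule) or "ok")
```
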