[Snort-users] Snort 2.4.0 self-test mode

Mon Aug 22 09:57:02 EDT 2005

Has the self-test function changed in Snort 2.4.0?  It doesn't seem to
be catching bad rule syntax, etc.  

I deliberately inserted a bad rule in web-misc.rules:

	# Deliberate INVALID RULE (missing source port) to see if snort -T (validation mode) catches it
	alert tcp -> any any  ( msg:"VALIDATION TEST" ; classtype=not-suspicious; rev:1;)

Snort 2.4.0 didn't catch the bad rule:

	bin/snort -c snort.conf -T
	*** interface device lookup found: eth0
	Running in Test mode with config file: snort.conf

	        --== Initializing Snort ==--
	Initializing Output Plugins!
	Decoding LoopBack on interface eth0

	        --== Initialization Complete ==--

	   ,,_     -*> Snort! <*-
	  o"  )~   Version 2.4.0 (Build 18)
	   ''''    By Martin Roesch & The Snort Team:
	           (C) Copyright 1998-2005 Sourcefire Inc., et al.

	Snort sucessfully loaded all rules and checked all rule chains!
	Snort exiting

Snort 2.3.3 catches it, plus it displays a lot more diagnostic info:

	bin/snort.2.3.3 -c snort.conf-2.3.3 -T
	Running in IDS mode

	Initializing Network Interface eth0

	        --== Initializing Snort ==--
	Initializing Output Plugins!
	Decoding Ethernet on interface eth0
	Initializing Preprocessors!
	Initializing Plug-ins!
	Parsing Rules file snort.conf-2.3.3

	Initializing rule chains...

	[... a lot more info snipped ...]

	ERROR: Warning: ./rules/local/local.rules(215) => Unknown keyword ' resp' in rule!
	Fatal Error, Quitting..

Both config files specify the same rule path and include web-misc.rules
(I tried absolute paths, too):

	snort.conf:var RULE_PATH ./rules
	snort.conf:include $RULE_PATH/web-misc.rules

	snort.conf-2.3.3:var RULE_PATH ./rules
	snort.conf-2.3.3:include $RULE_PATH/web-misc.rules

I tried adding the -v (verbose) switch to the 2.4.0 line, but that
didn't help.  

If I try to start snort in normal mode with the bad rule still in place,
2.4.0 DOES report the bad rule and dies.  Once I correct the rule, it
runs correctly. 

I also tried including a non-existent rule file in the 2.4.0 config
file, and self-test didn't catch that, either.

Did I miss a build switch?  I used this configure statement:

./configure --with-snmp --with-mysql --exec-prefix=/usr/local/snort

Thanks for any assistance.

- Brian 
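An offline checker for the two gaps the post describes (a rule with a malformed header and an include of a rules file that does not exist), written as an added example to run beside `snort -T` rather than instead of it. This is not Snort's own validator and not the poster's code. It assumes that relative include paths resolve from the directory holding snort.conf (the post runs snort from that directory), and the config and rules it writes to a temporary directory are constructed to mirror the post's RULE_PATH variable, the web-misc include and the deliberately invalid rule.

```python
"""Offline lint for a Snort config tree: resolves `var` and `include` lines,
reports included rules files that do not exist, and checks each rule's header
shape and option form. Added example, not Snort's own code; it covers syntax
shape only, not keyword semantics."""
import os
import re
import tempfile

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
DIRECTIONS = {"->", "<>"}
# An option is either a bare keyword or keyword:value (quotes allowed in the value).
OPTION_RE = re.compile(r"^([A-Za-z_]+)\s*(?::\s*(.*))?$", re.S)


def resolve_vars(value, variables):
    """Expand $NAME references from `var` lines seen so far; unknown names stay as written."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def split_options(text):
    """Split the option body on ';' while leaving quoted strings (e.g. content:"a;b") intact."""
    parts, buf, in_quote, prev = [], [], False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        prev = ch
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def check_rule(line):
    """Return a list of problems with one rule line; an empty list means it looks well-formed."""
    problems = []
    if "(" not in line or not line.rstrip().endswith(")"):
        return [f"rule options not enclosed in parentheses: {line!r}"]
    header, options = line.split("(", 1)
    tokens = header.split()
    # A Snort rule header is exactly: action proto src sport direction dst dport
    if len(tokens) != 7:
        problems.append(f"rule header has {len(tokens)} fields, expected 7: {header.strip()!r}")
    else:
        if tokens[0] not in ACTIONS:
            problems.append(f"unknown action {tokens[0]!r}")
        if tokens[4] not in DIRECTIONS:
            problems.append(f"bad direction {tokens[4]!r}")
    for opt in split_options(options.rstrip()[:-1]):  # drop the closing ')'
        if not OPTION_RE.match(opt):
            problems.append(f"malformed option {opt!r} (expected keyword or keyword:value)")
    return problems


def check_config(conf_path, variables=None, seen=None):
    """Walk a config and its includes; return (file, line, message) tuples for every finding."""
    variables = {} if variables is None else variables
    seen = set() if seen is None else seen
    conf_path = os.path.abspath(conf_path)
    if conf_path in seen:  # guard against include loops
        return []
    seen.add(conf_path)
    base = os.path.dirname(conf_path)  # assumption: relative includes resolve from the config's directory
    problems, pending = [], ""
    with open(conf_path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = (pending + " " + raw.strip()).strip() if pending else raw.strip()
            pending = ""
            if line.endswith("\\"):  # backslash continuation of a long rule
                pending = line[:-1]
                continue
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 2)
            if parts[0] == "var":
                if len(parts) < 3:
                    problems.append((conf_path, lineno, f"var without a value: {line!r}"))
                else:
                    variables[parts[1]] = resolve_vars(parts[2], variables)
            elif parts[0] == "include":
                if len(parts) < 2:
                    problems.append((conf_path, lineno, "include without a file name"))
                    continue
                target = resolve_vars(line.split(None, 1)[1], variables)
                target_path = target if os.path.isabs(target) else os.path.join(base, target)
                if not os.path.isfile(target_path):
                    problems.append((conf_path, lineno, f"included file not found: {target}"))
                else:
                    problems.extend(check_config(target_path, variables, seen))
            elif parts[0] in ACTIONS:
                problems.extend((conf_path, lineno, p) for p in check_rule(line))
    return problems


def build_demo():
    """Write a constructed config and rules tree mirroring the post into a temp dir and lint it."""
    root = tempfile.mkdtemp(prefix="snortlint_")
    os.mkdir(os.path.join(root, "rules"))
    with open(os.path.join(root, "snort.conf"), "w") as fh:
        fh.write("var RULE_PATH ./rules\n"
                 "include $RULE_PATH/web-misc.rules\n"
                 "include $RULE_PATH/does-not-exist.rules\n")  # constructed missing include
    with open(os.path.join(root, "rules", "web-misc.rules"), "w") as fh:
        fh.write('alert tcp any any -> any 80 (msg:"WELL-FORMED TEST"; sid:1000001; rev:1;)\n'
                 "# Deliberate INVALID RULE (missing source) as in the post\n"
                 'alert tcp -> any any  ( msg:"VALIDATION TEST" ; classtype=not-suspicious; rev:1;)\n')
    return check_config(os.path.join(root, "snort.conf"))


if __name__ == "__main__":
    findings = build_demo()
    for path, lineno, msg in findings:
        print(f"{os.path.basename(path)}({lineno}): {msg}")
    raise SystemExit(1 if findings else 0)
```

Run against the constructed tree it reports three findings: the missing include, the five-field header of the invalid rule, and its `classtype=not-suspicious` option. A non-zero exit is the point: a config check that cannot be made to fail on a known-bad input is not evidence of anything, so keep a deliberately broken rule like the post's in a test-only rules file and confirm both this lint and `snort -T` reject it before trusting either.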

