[Snort-users] Broken snort rule
pschmehl_lists at ...14358...
Tue Oct 7 10:11:12 EDT 2008
--On Tuesday, October 07, 2008 08:06:49 -0500 James Lay
<jlay at ...13475...> wrote:
>> Subject: Oct 7 06:30:58 gateway snort: FATAL ERROR:
>> /chroot/snort/etc/snort/rules/emerging-compromised.rules(119) => Empty IP
>> used either as source IP or as destination IP in a rule. IP list: .
> alert ip  any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or/
> Hostile Host Traffic (76)";/
> threshold: type limit, track by_src, seconds 60, count 1;/
> classtype:misc-attack; sid:2500075; rev:1292;)
Hardly anyone has better error messages than snort. (Thanks, Marty.) The
error message is telling you *exactly* what is wrong, viz. "Empty IP used
either as source IP or as destination IP in a rule. IP list: ."
The rule reads alert ip ******.
The IP list is empty, just as the error message states. The basic format of a
snort rule is:
direction of flow
rule particulars (msg,content,classtype,sid,rev, etc.)
In this case, the source ip is , which is an empty IP list. IP lists are
generally enclosed in brackets thus:
I would recommend commenting the rule out. It's basically worthless anyway.
It will create one alert per second for *any* traffic that passes snort. It
looks like a test rule to confirm that snort is seeing traffic.
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
Check the headers before clicking on Reply.