[Snort-users] Broken snort rule

Paul Schmehl pschmehl_lists at ...14358...
Tue Oct 7 10:11:12 EDT 2008


--On Tuesday, October 07, 2008 08:06:49 -0500 James Lay 
<jlay at ...13475...> wrote:

>
> FYI
>
>> Subject: Oct  7 06:30:58 gateway snort[21619]: FATAL ERROR:
>> /chroot/snort/etc/snort/rules/emerging-compromised.rules(119) => Empty IP
>> used either as source IP or as destination IP in a rule. IP list: [].
>
> alert ip [] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or/
> Hostile Host Traffic (76)";/
> reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts;/
> threshold: type limit, track by_src, seconds 60, count 1;/
> classtype:misc-attack; sid:2500075; rev:1292;)
>

Hardly anyone has better error messages than snort.  (Thanks, Marty.)  The 
error message is telling you *exactly* what is wrong, viz. "Empty IP used 
either as source IP or as destination IP in a rule.  IP list: []."

The rule reads alert ip ***[]***.

The IP list is empty, just as the error message states.  The basic format of a 
snort rule is:

action (alert,activate,log,pass,dynamic,drop,reject,sdrop)
protocol (ip,tcp,udp,icmp)
source ip
source port
direction of flow
destination ip
destination port
rule particulars (msg,content,classtype,sid,rev, etc.)

In this case, the source ip is [], which is an empty IP list.  IP lists are 
generally enclosed in brackets thus:
[192.168.0.1/24,192.168.0.2/24].

I would recommend commenting the rule out.  It's basically worthless anyway. 
It will create one alert per second for *any* traffic that passes snort.  It 
looks like a test rule to confirm that snort is seeing traffic.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.
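The header layout Paul walks through above (action, protocol, source IP, source port, direction, destination IP, destination port, options) is easy to lint before Snort refuses to start. The following is an added example, not Snort's code or anything from the list thread: a small rule-header checker that reproduces the "Empty IP" complaint for the quoted sid 2500075 rule (joined onto one line, with the mail-wrapped options shortened) and stays quiet once the rule is commented out. The empty-list test is an assumption that simplifies Snort's own parser.

```python
import re

# Header layout from the post: action protocol src_ip src_port direction dst_ip dst_port (options)
ACTIONS = {"alert", "activate", "log", "pass", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\(.*\)$",
    re.DOTALL,
)

def ip_list_is_empty(spec):
    """True when an IP field names nothing: '[]', '[[]]', '![]' and the like.
    Strips brackets, commas, negation and whitespace; anything left (an address,
    a CIDR, 'any' or a $VAR) counts as non-empty. Assumption: a simplification
    of the check behind Snort's 'Empty IP' message, not Snort's own logic."""
    return re.sub(r"[\[\],\s!]", "", spec) == ""

def check_rule(rule, lineno=0):
    """Return None for a well-formed header, otherwise an error string."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return "(%d) => cannot parse rule header" % lineno
    if m["action"] not in ACTIONS:
        return "(%d) => unknown action %r" % (lineno, m["action"])
    if m["proto"] not in PROTOCOLS:
        return "(%d) => unknown protocol %r" % (lineno, m["proto"])
    for field in ("src_ip", "dst_ip"):
        if ip_list_is_empty(m[field]):
            return "(%d) => Empty IP used as %s in a rule. IP list: %s" % (
                lineno, field.replace("_", " "), m[field])
    return None

def check_rules_file(text):
    """Lint a rules-file body; blank lines and '#' comments are skipped, so
    commenting the rule out (as recommended above) silences the error."""
    errors = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        err = check_rule(line, n)
        if err:
            errors.append(err)
    return errors

# Constructed sample: the broken rule from the post on one line, the same rule
# commented out, and a well-formed rule using a bracketed IP list.
SAMPLE_RULES = """\
alert ip [] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic (76)"; classtype:misc-attack; sid:2500075; rev:1292;)
# alert ip [] any -> $HOME_NET any (msg:"commented out"; sid:2500075; rev:1292;)
alert ip [192.168.0.1/24,192.168.0.2/24] any -> $HOME_NET any (msg:"ok"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    for e in check_rules_file(SAMPLE_RULES):
        print("FATAL ERROR:", e)
```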
