[Snort-users] Broken snort rule

Paul Schmehl pschmehl_lists at ...14358...
Tue Oct 7 10:11:12 EDT 2008

--On Tuesday, October 07, 2008 08:06:49 -0500 James Lay 
<jlay at ...13475...> wrote:

>> Subject: Oct  7 06:30:58 gateway snort[21619]: FATAL ERROR:
>> /chroot/snort/etc/snort/rules/emerging-compromised.rules(119) => Empty IP
>> used either as source IP or as destination IP in a rule. IP list: [].
> alert ip [] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or/
> Hostile Host Traffic (76)";/
> reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts;/
> threshold: type limit, track by_src, seconds 60, count 1;/
> classtype:misc-attack; sid:2500075; rev:1292;)

Hardly anyone has better error messages than snort.  (Thanks, Marty.)  The 
error message is telling you *exactly* what is wrong, viz. "Empty IP used 
either as source IP or as destination IP in a rule.  IP list: []."

The rule reads alert ip ***[]***.

The IP list is empty, just as the error message states.  The basic format of a 
snort rule is:

action (alert,activate,log,pass,dynamic,drop,reject,sdrop)
protocol (ip,tcp,udp,icmp)
source ip
source port
direction of flow
destination ip
destination port
rule particulars (msg,content,classtype,sid,rev, etc.)

In this case, the source ip is [], which is an empty IP list.  IP lists are 
generally enclosed in brackets thus:

I would recommend commenting the rule out.  It's basically worthless anyway. 
It will create one alert per second for *any* traffic that passes snort.  It 
looks like a test rule to confirm that snort is seeing traffic.

Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
Check the headers before clicking on Reply.
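
The header layout Paul lists above (action, protocol, source IP, source port, direction, destination IP, destination port, options) can be checked before Snort ever loads the file. The script below is an added example and is not Snort's own parser nor anything from the Emerging Threats project: it tokenizes a rule header, expands each IP field, and refuses an empty list with the same wording Snort used in the quoted error, reporting the offending line number the way "emerging-compromised.rules(119)" does. The sample rule set is constructed for this example; the two addresses in the "corrected" rule are placeholders, not the real compromised-host list.

```python
"""Minimal Snort 2 rule-header checker (added example, not Snort's own code).

It reproduces the one check this thread is about: an IP field written as
"[]" is an empty list and must be rejected at load time, together with
the line number of the rule, as Snort reports it.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

ACTIONS = {"alert", "activate", "log", "pass", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
DIRECTIONS = {"->", "<>"}

# A header token is either a whole bracketed list (may contain spaces) or a bare word.
_TOKEN = re.compile(r"\[[^\]]*\]|\S+")


class RuleError(ValueError):
    """Raised with a Snort-style message when a rule header is invalid."""


@dataclass
class RuleHeader:
    action: str
    protocol: str
    src_ip: List[str]
    src_port: str
    direction: str
    dst_ip: List[str]
    dst_port: str
    sid: Optional[int]


def parse_ip_field(field: str) -> List[str]:
    """Return the entries of an IP field; 'any', $VARS and !negations pass through."""
    inner = field[1:-1] if field.startswith("[") and field.endswith("]") else field
    entries = [e.strip() for e in inner.split(",") if e.strip()]
    if not entries:
        # The case from the thread: "alert ip [] any -> ..."; Snort refuses to load it.
        raise RuleError(
            "Empty IP used either as source IP or as destination IP in a rule. "
            f"IP list: {field}."
        )
    for entry in entries:
        bare = entry.lstrip("!")
        if bare == "any" or bare.startswith("$"):
            continue  # keyword or variable such as $HOME_NET, resolved by snort.conf
        try:
            ipaddress.ip_network(bare, strict=False)
        except ValueError:
            raise RuleError(f"Invalid IP address or CIDR in rule: {entry}") from None
    return entries


def parse_rule(text: str) -> RuleHeader:
    """Parse 'action proto src sport dir dst dport (options)' and validate the header."""
    head, sep, options = text.partition("(")
    if not sep or not options.rstrip().endswith(")"):
        raise RuleError("Rule options must be enclosed in parentheses")
    tokens = _TOKEN.findall(head)
    if len(tokens) != 7:
        raise RuleError(f"Expected 7 header fields, got {len(tokens)}: {head.strip()!r}")
    action, proto, src, sport, direction, dst, dport = tokens
    if action not in ACTIONS:
        raise RuleError(f"Unknown rule action: {action}")
    if proto not in PROTOCOLS:
        raise RuleError(f"Unknown protocol: {proto}")
    if direction not in DIRECTIONS:
        raise RuleError(f"Bad direction operator: {direction}")
    sid_match = re.search(r"\bsid\s*:\s*(\d+)", options)
    sid = int(sid_match.group(1)) if sid_match else None
    return RuleHeader(action, proto, parse_ip_field(src), sport, direction,
                      parse_ip_field(dst), dport, sid)


def check_rules(rules_text: str) -> List[tuple]:
    """Return (line_number, message) for every rule that would make Snort fail to load."""
    problems = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank, or commented out as the reply recommends
        try:
            parse_rule(stripped)
        except RuleError as exc:
            problems.append((lineno, str(exc)))
    return problems


# Constructed sample: the rule from the thread, its commented-out form, a corrected
# version with placeholder addresses (hypothetical), and an ordinary tcp rule.
SAMPLE_RULES = """\
# emerging-compromised.rules (excerpt, constructed for this example)
alert ip [] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic (76)"; classtype:misc-attack; sid:2500075; rev:1292;)
# alert ip [] any -> $HOME_NET any (msg:"ET COMPROMISED ... (76)"; sid:2500075; rev:1292;)
alert ip [192.0.2.10,198.51.100.0/24] any -> $HOME_NET any (msg:"ET COMPROMISED ... (76)"; classtype:misc-attack; sid:2500075; rev:1293;)
alert tcp !$HOME_NET any -> $HOME_NET 22 (msg:"inbound ssh"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    for lineno, msg in check_rules(SAMPLE_RULES):
        print(f"FATAL ERROR: rules({lineno}) => {msg}")
```

Run it against a rules file before restarting snort and you get the same "Empty IP ... IP list: []" complaint, with the line number, without taking the sensor down; the commented-out copy on the third line passes, which is what commenting the rule out in the real file achieves.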
