[Snort-users] Broken snort rule

Matt Jonkman jonkman at ...4024...
Tue Oct 7 12:48:45 EDT 2008


Cool, I had stopped testing of the autogenerated rules because it didn't
seem to be of much use. Will turn that back on.

Is there an easy way to parse the other rules though for more subtle
errors? Or force verbosity to get it to tell us about rules ignored?

Thanks Matt

Matt

Matt Olney wrote:
> That would be a good idea, but in this case, 2.8 throws a fatal error:
> 
> 
> Initializing rule chains...
> ERROR: /home/molney/etc/rules/local.rules(14) => Empty IP used either as
> source IP or as destination IP in a rule. IP list: [].
> Fatal Error, Quitting..
> 
> 
> So, you should at least be able to test that the rules load.
> 
> Matt
> 
> On Tue, Oct 7, 2008 at 11:11 AM, Matt Jonkman <jonkman at ...4024...> wrote:
> 
>     Yes, it would. But we used to rely on an error report from snort. Now it
>     just ignores and goes on....
> 
>     So no real good automated way to do so. There was talk about a switch to
>     have snort exit on an error. Any traction with that?
> 
>     If you have a good automated way we can use I'd love to hear it.
> 
>     Matt
> 
>     Brian Caswell wrote:
>     > On Tue, Oct 7, 2008 at 9:37 AM, Matt Jonkman <jonkman at ...4024...> wrote:
>     >
>     >     That's an issue for emerging-sigs, but thanks for reporting it.
>     >
>     >     Script error not watching for an even number of IPs. Fixed up, can you
>     >     pull again and retest for me?
>     >
>     >
>     > Perhaps it would be a good idea to ... I donno, test the rules before
>     > releasing them?
>     >
>     > Brian
> 
>     --
>     --------------------------------------------
>     Matthew Jonkman
>     Emerging Threats
>     Phone 765-429-0398
>     Fax 312-264-0205
>     http://www.emergingthreats.net
>     --------------------------------------------
> 
>     PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
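
Added example, not part of the original thread and not Snort or Emerging Threats tooling: a small pre-release check that scans rule headers for the empty IP list ("IP list: []") reported in the error quoted above. The header regex, the function names and the sample rules are assumptions made for illustration; treating a blank list element (a trailing comma) as empty is also an assumption of this sketch.

```python
import re

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER = re.compile(
    r"^\s*\w+\s+\w+\s+(?P<src>\S+)\s+\S+\s+(?:->|<>)\s+(?P<dst>\S+)\s+\S+\s*\("
)

def has_empty_ip(field):
    """True if a bracketed IP list is empty or contains an empty element."""
    if "[" not in field:
        return False  # single address, 'any', or a variable such as $HOME_NET
    # Drop negation and (possibly nested) brackets, then look for blank entries.
    flat = re.sub(r"[\[\]!]", "", field)
    return any(part.strip() == "" for part in flat.split(","))

def lint_rules(text):
    """Return (line_number, 'src'|'dst', field) for every empty IP list found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comments (including commented-out rules)
        m = HEADER.match(line)
        if m is None:
            continue  # not a header this sketch understands; left to Snort itself
        for side in ("src", "dst"):
            if has_empty_ip(m.group(side)):
                findings.append((lineno, side, m.group(side)))
    return findings

# Constructed sample rules, not taken from any real rule set.
SAMPLE = """\
# constructed examples
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ok variable"; sid:1000001; rev:1;)
alert ip [] any -> $HOME_NET any (msg:"empty source list"; sid:1000002; rev:1;)
alert ip [192.0.2.1,192.0.2.2] any -> $HOME_NET any (msg:"ok list"; sid:1000003; rev:1;)
alert ip $HOME_NET any -> [192.0.2.1,] any (msg:"trailing comma"; sid:1000004; rev:1;)
alert ip ![198.51.100.0/24,[192.0.2.7]] any -> any any (msg:"ok nested"; sid:1000005; rev:1;)
"""

if __name__ == "__main__":
    for lineno, side, field in lint_rules(SAMPLE):
        print(f"local.rules({lineno}) => empty IP in {side} field: {field}")
```

A check like this only covers the one error class discussed in the thread; loading the rules in Snort itself, as suggested above, remains the test that they parse.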





