[Snort-users] Snort doc error (?) - rule option not optional?
rhuang.work at ...11827...
Wed Mar 6 19:24:12 EST 2013
According to the rule doc (http://manual.snort.org/node28.html),
> Note that the rule options section is not specifically required by any rule, they are just used for the sake of making tighter definitions of packets to collect or alert on (or drop, for that matter).
So I created a rule,
> alert ICMP any any -> any any (msg:"Shut this rule off, it works now";)
which is included by snort.conf
If I run snort in test mode,
> snort -T -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf
it outputs success,
> Snort successfully validated the configuration!
> Snort exiting
Yet if I run it for production,
> snort -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf
it stops with the error,
> Initializing rule chains...
> ERROR: ./rules/myrules.rules(1) Each rule must contain a rule sid.
> Fatal Error, Quitting..
If I change my rule to:
> alert ICMP any any -> any any
It validates and starts fine.
Here's my Snort build info:
> # snort -V
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4 GRE (Build 40) FreeBSD
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
> Copyright (C) 1998-2012 Sourcefire, Inc., et al.
> Using libpcap version 1.1.1
> Using PCRE version: 8.31 2012-07-06
> Using ZLIB version: 1.2.5
So I am wondering:
1) The optional section is not completely optional (?)
2) If there's indeed a requirement, why doesn't -T catch it?
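The startup error quoted in the post ("Each rule must contain a rule sid.") is the kind of thing worth catching before a production restart, independent of what `snort -T` reports. The following is an added example, not code from the original post or from the Snort project: a small pre-check that walks a rules file, honours backslash line continuations and quoted strings, and reports any rule that has an options block but no numeric `sid`. The rules file below is constructed for the example (line 1 is the rule from the post, line 2 the option-less variant, line 3 a rule with a sid, line 4 a rule whose only "sid:" text is inside its `msg` string). Treating a rule with no options block at all as a warning rather than an error is this checker's own choice, based only on the post's observation that such a rule loaded; it is not a documented Snort rule.

```python
import re

# Constructed sample rules file for this example (hypothetical, not from the post's host).
SAMPLE_RULES = """\
alert ICMP any any -> any any (msg:"Shut this rule off, it works now";)
alert ICMP any any -> any any
alert icmp any any -> any any (msg:"ICMP seen"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"looks like sid:5 but is not"; \\
    content:"GET"; rev:1;)
# comment lines and blank lines are skipped
"""

# Snort 2.x rule header: action proto src sport dir dst dport, then an optional "(...)" block.
HEADER_RE = re.compile(
    r'^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)'
    r'\s*(?P<opts>\(.*\))?\s*$'
)


def join_continuations(text):
    """Yield (first_line_no, logical_rule), joining lines that end in a backslash."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith('\\'):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, ' '.join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, ' '.join(buf)


def parse_options(body):
    """Split the text inside the parentheses into (keyword, value) pairs.

    Semicolons inside double-quoted strings are not separators, and backslash
    escapes inside strings are honoured, so msg:"a;b" or msg:"sid:5" cannot fool it.
    """
    opts, cur, in_str, i = [], [], False, 0

    def emit(tok):
        tok = tok.strip()
        if tok:
            key, _, val = tok.partition(':')
            opts.append((key.strip().lower(), val.strip() or None))

    while i < len(body):
        c = body[i]
        if in_str:
            cur.append(c)
            if c == '\\' and i + 1 < len(body):
                cur.append(body[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c == ';':
            emit(''.join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    emit(''.join(cur))  # option not terminated by a semicolon
    return opts


def check_rules(text):
    """Return [(line_no, level, message)] for rules the check would flag."""
    findings = []
    for line_no, rule in join_continuations(text):
        if not rule.strip() or rule.lstrip().startswith('#'):
            continue
        m = HEADER_RE.match(rule)
        if not m:
            findings.append((line_no, 'error', 'unparseable rule header'))
            continue
        opts = m.group('opts')
        if opts is None:
            # Loads according to the post, but nothing identifies its alerts; policy choice here.
            findings.append((line_no, 'warning', 'rule has no options block (no sid or msg)'))
            continue
        sids = [v for k, v in parse_options(opts[1:-1]) if k == 'sid']
        if not sids:
            findings.append((line_no, 'error', 'Each rule must contain a rule sid'))
        elif not (sids[0] or '').isdigit():
            findings.append((line_no, 'error', 'sid value must be a positive integer'))
    return findings


if __name__ == '__main__':
    for line_no, level, msg in check_rules(SAMPLE_RULES):
        print(f'line {line_no}: {level}: {msg}')
```

Run it against your own file with `check_rules(open('/usr/local/etc/snort/rules/myrules.rules').read())` before restarting the daemon; on the constructed sample it flags lines 1 and 4 as errors and line 2 as a warning, while line 3 passes.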