[Snort-users] Snort doc error (?) - rule option not optional?

Ricky Huang rhuang.work at ...11827...
Wed Mar 6 19:24:12 EST 2013

Hi all,

According to the rule doc (http://manual.snort.org/node28.html), 
> Note that the rule options section is not specifically required by any rule, they are just used for the sake of making tighter definitions of packets to collect or alert on (or drop, for that matter).

So I created a rule,
> alert ICMP any any -> any any (msg:"Shut this rule off, it works now";)

which is included by snort.conf

If I run snort in test mode,
> snort -T -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf

it outputs success,
> Snort successfully validated the configuration!
> Snort exiting

Yet if I run it for production,
> snort -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf

it stops with the error,
> Initializing rule chains...
> ERROR: ./rules/myrules.rules(1) Each rule must contain a rule sid.
> Fatal Error, Quitting..

If I change my rule to:
> alert ICMP any any -> any any

It validates and starts fine.

Here's my Snort built info:
> # snort -V
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4 GRE (Build 40) FreeBSD
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using libpcap version 1.1.1
>            Using PCRE version: 8.31 2012-07-06
>            Using ZLIB version: 1.2.5

So I am wondering:
  1) The optional section is not completely optional (?)
  2)  If there's indeed a requirement, why doesn't -T catch it?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130306/edc61b09/attachment.html>

More information about the Snort-users mailing list