[Snort-users] Snort doc error (?) - rule option not optional?

Y M snort at ...15979...
Fri Mar 8 03:38:46 EST 2013


As far as I understand, the -T validates only the conf file of snort, and not the rules.

A rule must have an sid; which uniquely identifies each rule, it is a requirement.

YM
________________________________
From: Ricky Huang<mailto:rhuang.work at ...11827...>
Sent: ‎3/‎7/‎2013 3:24 AM
To: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: [Snort-users] Snort doc error (?) - rule option not optional?

Hi all,

According to the rule doc (http://manual.snort.org/node28.html),
> Note that the rule options section is not specifically required by any rule, they are just used for the sake of making tighter definitions of packets to collect or alert on (or drop, for that matter).


So I created a rule,
> alert ICMP any any -> any any (msg:"Shut this rule off, it works now";)

which is included by snort.conf

If I run snort in test mode,
> snort -T -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf


it outputs success,
> Snort successfully validated the configuration!
> Snort exiting

Yet if I run it for production,
> snort -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf


it stops with the error,
> Initializing rule chains...
> ERROR: ./rules/myrules.rules(1) Each rule must contain a rule sid.
> Fatal Error, Quitting..

If I change my rule to:
> alert ICMP any any -> any any


It validates and starts fine.

Here's my Snort built info:
> # snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4 GRE (Build 40) FreeBSD
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using libpcap version 1.1.1
>            Using PCRE version: 8.31 2012-07-06
>            Using ZLIB version: 1.2.5


So I am wondering:
  1) The optional section is not completely optional (?)
  2)  If there's indeed a requirement, why doesn't -T catch it?


Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130308/915feb51/attachment.html>
-------------- next part --------------
------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev
-------------- next part --------------
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


More information about the Snort-users mailing list