[Snort-users] Snort doc error (?) - rule option not optional?

Russ Combs rcombs at ...1935...
Fri Mar 8 10:44:44 EST 2013


On Fri, Mar 8, 2013 at 3:38 AM, Y M <snort at ...15979...> wrote:

>  As far as I understand, the -T validates only the conf file of snort,
> and not the rules.
>

`snort -c snort.conf -T` validates the whole snort configuration.  Any
included files, such as rules files, are validated as well.


>
> A rule must have an sid; which uniquely identifies each rule, it is a
> requirement.
>

This is essentially true, but if you forget to include a sid, it will
default to zero.  And if multiple rules have the same sid, the one with the
highest revision will be used.

You will see "WARNING"s under "Initializing rule chains..." if any of that
is going on when Snort starts up.

>
> YM
>  ------------------------------
> From: Ricky Huang <rhuang.work at ...11827...>
> Sent: 3/7/2013 3:24 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort doc error (?) - rule option not optional?
>
>  Hi all,
>
>  According to the rule doc (http://manual.snort.org/node28.html),
>
> Note that the rule options section is not specifically required by any
> rule, they are just used for the sake of making tighter definitions of
> packets to collect or alert on (or drop, for that matter).
>
>
>  So I created a rule,
>
> alert ICMP any any -> any any (msg:"Shut this rule off, it works now";)
>
>  which is included by snort.conf
>
>  If I run snort in test mode,
>
> snort -T -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf
>
>
>  it outputs success,
>
>  Snort successfully validated the configuration!
> Snort exiting
>
>
>  Yet if I run it for production,
>
> snort -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf
>
>
>  it stops with the error,
>
>  Initializing rule chains...
> ERROR: ./rules/myrules.rules(1) Each rule must contain a rule sid.
> Fatal Error, Quitting..
>
>
>  If I change my rule to:
>
> alert ICMP any any -> any any
>
>
>  It validates and starts fine.
>
>  Here's my Snort built info:
>
>  # snort -V
>
>     ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4 GRE (Build 40) FreeBSD
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using libpcap version 1.1.1
>            Using PCRE version: 8.31 2012-07-06
>            Using ZLIB version: 1.2.5
>
>
>
>  So I am wondering:
>   1) The optional section is not completely optional (?)
>   2)  If there's indeed a requirement, why doesn't -T catch it?
>
>
>  Thanks!
>
>
> ------------------------------------------------------------------------------
> Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
> Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
> endpoint security space. For insight on selecting the right partner to
> tackle endpoint security challenges, access the full report.
> http://p.sf.net/sfu/symantec-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130308/a494534f/attachment.html>


More information about the Snort-users mailing list