[Snort-users] Snort doc error (?) - rule option not optional?

Russ Combs rcombs at ...1935...
Fri Mar 8 13:45:25 EST 2013


On Fri, Mar 8, 2013 at 12:19 PM, Ricky Huang <rhuang.work at ...11827...> wrote:

> Thank you YM and Russ, my response below.
>
> On Mar 8, 2013, at 7:44 AM, Russ Combs <rcombs at ...1935...> wrote:
>
>
> On Fri, Mar 8, 2013 at 3:38 AM, Y M <snort at ...15979...> wrote:
>
>>  As far as I understand, the -T validates only the conf file of snort,
>> and not the rules.
>>
>
> `snort -c snort.conf -T` validates the whole snort configuration.  Any
> included files, such as rules files, are validated as well.
>
>
>> A rule must have a sid, which uniquely identifies each rule; it is a
>> requirement.
>>
>
> This is essentially true, but if you forget to include a sid, it will
> default to zero.  And if multiple rules have the same sid, the one with the
> highest revision will be used.
>
> You will see "WARNING"s under "Initializing rule chains..." if any of that
> is going on when Snort starts up.
>
>
>
> It was more than a warning - if I forgot to specify a SID, like so:
> alert ICMP any any -> $HOME_NET any (msg:"Shut this rule off, it works now";)
>
> Snort *dies* on a *fatal error*:
> Initializing rule chains...
> ERROR: ./rules/rhuang.rules(1) Each rule must contain a rule sid.
> Fatal Error, Quitting..
>
> Fatal error is not a Warning...
>
> 1) I am fine with SID being a requirement; it was just not mentioned in
> the documentation.  Again, http://manual.snort.org/node28.html says:
> "Note that the rule options section is not specifically required by any
> rule, they are just used for the sake of making tighter definitions…"
> therefore I claim this as an error in documentation, as it could have had a
> clause:
> "If any options were provided, a SID will be a required field"
>

You are running w/o -T.

>
> 2) If it's true that -T validates all included files, why isn't something
> that causes a Fatal error caught?
>

OK - snort -T validates the conf but accepts rules w/o sid, defaulting the
sid to zero.  Drop the -T and you get a fatal error.  W/ or w/o -T,
duplicate sid rules are resolved by selecting the highest rev.

Not sure if there still is a use case for -T accepting rules without sid.
I'll check and put in a bug assuming that isn't required.

Thanks
Russ

>
> Please keep in mind that I am a brand-new user to Snort; some things that
> are obvious to the pros are not really so to me unless they're explicitly
> documented somewhere.
>
>
> Thanks again to all those that have responded!
>
>
>
>> YM
>>  ------------------------------
>> From: Ricky Huang <rhuang.work at ...11827...>
>> Sent: 3/7/2013 3:24 AM
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] Snort doc error (?) - rule option not optional?
>>
>>  Hi all,
>>
>>  According to the rule doc (http://manual.snort.org/node28.html),
>>
>> Note that the rule options section is not specifically required by any
>> rule, they are just used for the sake of making tighter definitions of
>> packets to collect or alert on (or drop, for that matter).
>>
>>
>>  So I created a rule,
>>
>> alert ICMP any any -> any any (msg:"Shut this rule off, it works now";)
>>
>>  which is included by snort.conf
>>
>>  If I run snort in test mode,
>>
>> snort -T -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf
>>
>>
>>  it outputs success,
>>
>>  Snort successfully validated the configuration!
>> Snort exiting
>>
>>
>>  Yet if I run it for production,
>>
>> snort -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf
>>
>>
>>  it stops with the error,
>>
>>  Initializing rule chains...
>> ERROR: ./rules/myrules.rules(1) Each rule must contain a rule sid.
>> Fatal Error, Quitting..
>>
>>
>>  If I change my rule to:
>>
>> alert ICMP any any -> any any
>>
>>
>>  It validates and starts fine.
>>
>>  Here's my Snort build info:
>>
>>  # snort -V
>>
>>     ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.4 GRE (Build 40) FreeBSD
>>    ''''    By Martin Roesch & The Snort Team:
>> http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>>            Using libpcap version 1.1.1
>>            Using PCRE version: 8.31 2012-07-06
>>            Using ZLIB version: 1.2.5
>>
>>
>>
>>  So I am wondering:
>>   1) The optional section is not completely optional (?)
>>   2) If there's indeed a requirement, why doesn't -T catch it?
>>
>>
>>  Thanks!
>>
>>
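A pre-flight check for the gap discussed in this thread (snort -T accepting a rule whose options lack a sid, which then kills a production start): an added example, not code from the thread or the Snort project. It flags options-bearing rules without a sid and duplicate sids resolved by highest rev; it assumes one rule per line and no literal "sid:" text inside a quoted msg string.

```python
import re
from collections import defaultdict

# Constructed sample rules file (not from the thread); line 1 reproduces the
# sid-less rule that -T passes but a normal start rejects, line 2 is a
# header-only rule (no options, so no sid needed), lines 3-4 share a sid.
SAMPLE_RULES = """\
alert ICMP any any -> $HOME_NET any (msg:"Shut this rule off, it works now";)
alert ICMP any any -> any any
alert tcp any any -> $HOME_NET 22 (msg:"ssh"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"ssh new"; sid:1000001; rev:2;)
# comment line
"""

# Options section: everything between the first '(' and the trailing ')'.
OPTIONS_RE = re.compile(r'\((.*)\)\s*$')
# sid/rev keywords must start an option (after ';' or at the beginning);
# this does not handle "sid:" appearing inside a quoted msg string.
SID_RE = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'(?:^|;)\s*rev\s*:\s*(\d+)\s*;')

def lint_rules(text):
    """Return (errors, warnings): errors are (line_no, message) for rules with
    options but no sid; warnings are (sid, [line_nos], winning_line_no) for
    duplicate sids, where the winner is the highest rev (first one on a tie)."""
    errors, warnings = [], []
    seen = defaultdict(list)  # sid -> [(line_no, rev)]
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = OPTIONS_RE.search(line)
        if m is None:
            continue  # header-only rule: Snort starts fine without a sid here
        opts = m.group(1)
        sid = SID_RE.search(opts)
        if sid is None:
            errors.append((n, 'Each rule must contain a rule sid'))
            continue
        rev = REV_RE.search(opts)
        seen[int(sid.group(1))].append((n, int(rev.group(1)) if rev else 0))
    for sid_value, uses in seen.items():
        if len(uses) > 1:
            winner = max(uses, key=lambda u: u[1])
            warnings.append((sid_value, [u[0] for u in uses], winner[0]))
    return errors, warnings
```

Run it over a rules file before `snort -T` so the missing-sid case is caught in the same step that validates the rest of the configuration.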