[Snort-users] @empty rules files

waldo kitty wkitty42 at ...14940...
Thu Nov 14 05:46:13 EST 2013

On 11/14/2013 5:16 AM, anagha b wrote:
> I tried to log the snort response for icmp ping flood but I have to add the rule in
> local.rules file
> alert icmp any any -> any any (msg:"*ICMP test*"; classtype:bad-unknown;
> sid:10000016; rev:1;)
> barnyard giving following alert
> 11/14-15:22:01.905477  [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
> 11/14-15:22:02.036260  [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
> 11/14-15:22:02.037893  [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
> 11/14-15:22:02.189336  [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
> msg*icmp test* is not displayed .

this is because the sid-msg.map file is not updated with the sid, msg and other 
information... you have to update your sid-msg.map file...

> I checked  rule files are empty like ddos.rules , badtraffic.rules
> Is it okay to have empty rule files ?

yes... it generally means there are no rules in that 'category'...

> I am not getting log inside snort.log.
> When I am not specifying rule inside local.rules.

have you tried the steps outlined in the FAQ for "no alerts"?

> Or I have to specify my rules inside these empty files ? But I can include my
> file in snort.conf by writing my own rules then why to keep these empty files?
> or  the snort-snapshot for rules is not properly extracted?

we cannot tell from your description... yes, you can specify rules in the 
conf... but this is not a very good thing to do which is why other files are 
included via the conf... can you provide a dir listing of your rules directory 
so we can at least see what files you have with their sizes and dates?

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

More information about the Snort-users mailing list