Snort mailing list archives

Re: Snort doc error (?) - rule option not optional?


From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 8 Mar 2013 13:45:25 -0500

On Fri, Mar 8, 2013 at 12:19 PM, Ricky Huang <rhuang.work () gmail com> wrote:

Thank you YM and Russ, my response below.

On Mar 8, 2013, at 7:44 AM, Russ Combs <rcombs () sourcefire com> wrote:


On Fri, Mar 8, 2013 at 3:38 AM, Y M <snort () outlook com> wrote:

 As far as I understand, the -T validates only the conf file of snort,
and not the rules.


`snort -c snort.conf -T` validates the whole snort configuration.  Any
included files, such as rules files, are validated as well.


A rule must have a sid, which uniquely identifies each rule; it is a
requirement.


This is essentially true, but if you forget to include a sid, it will
default to zero.  And if multiple rules have the same sid, the one with the
highest revision will be used.

You will see "WARNING"s under "Initializing rule chains..." if any of that
is going on when Snort starts up.



It was more than a warning - if I forgot to specify a SID, like so:
alert ICMP any any -> $HOME_NET any (msg:"Shut this rule off, it works now";)

Snort *dies* on a *fatal error*:
Initializing rule chains...
ERROR: ./rules/rhuang.rules(1) Each rule must contain a rule sid.
Fatal Error, Quitting..

Fatal error is not a Warning...

1) I am fine with SID being a requirement, it was just not mentioned in
the documentation.  Again, http://manual.snort.org/node28.html, says:
"Note that the rule options section is not specifically required by any
rule, they are just used for the sake of making tighter definitions…"
therefore I claim this as an error in documentation as it could have had a
clause:
"If any options were provided, a SID will be a required field"


You are running w/o -T.


2) If it's true that -T validates all included files, why isn't something
that causes a Fatal error caught?


OK - snort -T validates the conf but accepts rules w/o sid, defaulting the
sid to zero.  Drop the -T and you get a fatal error.  With or w/o -T,
duplicate sid rules are resolved by selecting the highest rev.

Not sure if there still is a use case for -T accepting rules without sid.
I'll check and put in a bug assuming that isn't required.

Thanks
Russ


Please keep in mind that I am a brand-new user to Snort; some things that
are obvious to the pros are not really so to me unless they're explicitly
documented somewhere.


Thanks again to all those that have responded!



YM
 ------------------------------
From: Ricky Huang <rhuang.work () gmail com>
Sent: 3/7/2013 3:24 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort doc error (?) - rule option not optional?

 Hi all,

 According to the rule doc (http://manual.snort.org/node28.html),

Note that the rule options section is not specifically required by any
rule, they are just used for the sake of making tighter definitions of
packets to collect or alert on (or drop, for that matter).


 So I created a rule,

alert ICMP any any -> any any (msg:"Shut this rule off, it works now";)

 which is included by snort.conf

 If I run snort in test mode,

snort -T -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf


 it outputs success,

 Snort successfully validated the configuration!
Snort exiting


 Yet if I run it for production,

snort -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf


 it stops with the error,

 Initializing rule chains...
ERROR: ./rules/myrules.rules(1) Each rule must contain a rule sid.
Fatal Error, Quitting..


 If I change my rule to:

alert ICMP any any -> any any


 It validates and starts fine.

 Here's my Snort built info:

 # snort -V

    ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4 GRE (Build 40) FreeBSD
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.5



 So I am wondering:
  1) The optional section is not completely optional (?)
  2) If there's indeed a requirement, why doesn't -T catch it?


 Thanks!


------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
endpoint security space. For insight on selecting the right partner to
tackle endpoint security challenges, access the full report.
http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
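The thread's practical lesson is that `snort -T` will happily accept a rule whose options section has no sid (defaulting it to zero) and will silently resolve duplicate sids by highest rev, while a production start aborts with "Each rule must contain a rule sid". The following is an added example, not code from the thread or from the Snort project: a small pre-flight linter you can run over a rules file before starting Snort. It assumes single-line rules in the form shown in the thread (no backslash continuations), treats a missing `rev` as 0, and uses a constructed sample ruleset.

```python
"""Pre-flight linter for Snort 2.x rule files (added example, not Snort code).

Flags rules whose options section has no sid, which `snort -T` accepts but a
production start rejects, and reports duplicate sids, where Snort loads the
rule with the highest rev.  Assumes one rule per line (no '\\' continuations).
"""
import re

# header is everything before the first '(', options are the text inside the
# outer parentheses; the whole options section is optional (header-only rule).
RULE_RE = re.compile(r'^\s*(?P<header>[^(]+?)\s*(?:\((?P<opts>.*)\))?\s*$')


def parse_options(opts):
    """Split 'msg:"a; b"; sid:7;' into [(name, value), ...], honouring
    quoted values that may themselves contain ';'."""
    result = []
    i, n = 0, len(opts)
    while i < n:
        while i < n and opts[i].isspace():
            i += 1
        if i >= n:
            break
        j, in_quote = i, False
        while j < n and (in_quote or opts[j] != ';'):
            if opts[j] == '"' and (j == 0 or opts[j - 1] != '\\'):
                in_quote = not in_quote
            j += 1
        token = opts[i:j].strip()
        i = j + 1
        if not token:
            continue
        name, _, value = token.partition(':')  # bare keywords get value ''
        result.append((name.strip(), value.strip()))
    return result


def lint_rules(text):
    """Return a report dict for the rules file contents in `text`:
      'missing_sid': line numbers of rules with options but no sid
      'duplicates':  {sid: [line numbers]} for sids that appear more than once
      'active':      {sid: line number} of the rule Snort would keep
                     (highest rev wins; a missing rev is assumed to be 0)
    """
    report = {'missing_sid': [], 'duplicates': {}, 'active': {}}
    best_rev, seen = {}, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = RULE_RE.match(stripped)
        if not m:
            continue
        opts = m.group('opts')
        if opts is None:  # header-only rule: Snort starts fine with these
            continue
        options = dict(parse_options(opts))
        if 'sid' not in options:
            report['missing_sid'].append(lineno)
            continue
        sid = int(options['sid'])
        rev = int(options.get('rev', 0))
        seen.setdefault(sid, []).append(lineno)
        if sid not in best_rev or rev > best_rev[sid]:
            best_rev[sid] = rev
            report['active'][sid] = lineno
    report['duplicates'] = {s: ls for s, ls in seen.items() if len(ls) > 1}
    return report


# Constructed sample ruleset: line 2 mirrors the thread's sid-less rule,
# line 3 is the header-only form that Snort accepts, lines 4-5 share a sid.
SAMPLE_RULES = """\
# constructed sample, not from any shipped ruleset
alert ICMP any any -> any any (msg:"Shut this rule off, it works now";)
alert ICMP any any -> any any
alert tcp any any -> $HOME_NET 22 (msg:"ssh probe; old"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"ssh probe; new"; sid:1000001; rev:3;)
alert udp any any -> any 53 (msg:"dns"; sid:1000002;)
"""

if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    r = lint_rules(text)
    for ln in r['missing_sid']:
        print(f"line {ln}: options present but no sid (fatal without -T)")
    for sid, lines in r['duplicates'].items():
        print(f"sid {sid} defined on lines {lines}; highest rev on "
              f"line {r['active'][sid]} would be loaded")
```

Run it as `python lint_rules.py ./rules/myrules.rules` before `snort -T`; on the constructed sample it reports line 2 as missing a sid and sid 1000001 as duplicated, with the rev:3 copy on line 5 being the one Snort would keep.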
