Re: Snort doc error (?) - rule option not optional?

[Ricky Huang <rhuang.work () gmail com>]

On Mar 8, 2013, at 10:45 AM, Russ Combs <rcombs () sourcefire com> wrote:

> [… snip …]
>
> 2) If it's true that -T validates all included files, why isn't something that causes a Fatal error caught?
>
> OK - snort -T validates the conf but accepts rules w/o sid, defaulting the sid to zero.  Drop the -T and you get a 
> fatal error.  W/or w/o -T, duplicate sid rules are resolved by selecting the highest rev.

Exactly!  Apologies if I hadn't been more clear earlier.

> Not sure if there still is a use case for -T accepting rules without sid.  I'll check and put in a bug assuming that 
> isn't required.

Thank you!


> Thanks
> Russ 
>
> Please keep in mind that I am a brand-new user to Snort, some things that are obvious to the pro's are not really so 
> to me unless they're explicitly documented somewhere.
>
>
> Thanks again to all those that have responded!
>
>
> > YM
> > From: Ricky Huang
> > Sent: 3/7/2013 3:24 AM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] Snort doc error (?) - rule option not optional?
> >
> > Hi all,
> >
> > According to the rule doc (http://manual.snort.org/node28.html), 
> > > Note that the rule options section is not specifically required by any rule, they are just used for the sake of 
> > > making tighter definitions of packets to collect or alert on (or drop, for that matter).
> >
> >
> > So I created a rule,
> > > alert ICMP any any -> any any (msg:"Shut this rule off, it works now";)
> >
> > which is included by snort.conf
> >
> > If I run snort in test mode,
> > > snort -T -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf
> >
> >
> > it outputs success,
> > > Snort successfully validated the configuration!
> > > Snort exiting
> >
> > Yet if I run it for production,
> > > snort -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf
> >
> >
> > it stops with the error,
> > > Initializing rule chains...
> > > ERROR: ./rules/myrules.rules(1) Each rule must contain a rule sid.
> > > Fatal Error, Quitting..
> >
> > If I change my rule to:
> > > alert ICMP any any -> any any
> >
> >
> > It validates and starts fine.
> >
> > Here's my Snort built info:
> > > # snort -V
> > >
> > >    ,,_     -*> Snort! <*-
> > >   o"  )~   Version 2.9.4 GRE (Build 40) FreeBSD
> > >    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
> > >            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
> > >            Using libpcap version 1.1.1
> > >            Using PCRE version: 8.31 2012-07-06
> > >            Using ZLIB version: 1.2.5
> >
> >
> > So I am wondering:
> >   1) The optional section is not completely optional (?)
> >   2)  If there's indeed a requirement, why doesn't -T catch it?
> >
> >
> > Thanks!
> >
> > ------------------------------------------------------------------------------
> > Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
> > Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
> > endpoint security space. For insight on selecting the right partner to
> > tackle endpoint security challenges, access the full report.
> > http://p.sf.net/sfu/symantec-dev2dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!