Snort mailing list archives
Re: Snort doc error (?) - rule option not optional?
From: Ricky Huang <rhuang.work () gmail com>
Date: Fri, 8 Mar 2013 11:01:05 -0800
On Mar 8, 2013, at 10:45 AM, Russ Combs <rcombs () sourcefire com> wrote:
[… snip …] 2) If it's true that -T validates all included files, why isn't something that causes a Fatal error caught? OK - snort -T validates the conf but accepts rules w/o sid, defaulting the sid to zero. Drop the -T and you get a fatal error. W/or w/o -T, duplicate sid rules are resolved by selecting the highest rev.
Exactly! Apologies if I hadn't been more clear earlier.
Not sure if there still is a use case for -T accepting rules without sid. I'll check and put in a bug assuming that isn't required.
Thank you!
Thanks Russ Please keep in mind that I am a brand-new user to Snort, some things that are obvious to the pro's are not really so to me unless they're explicitly documented somewhere. Thanks again to all those that have responded!YM From: Ricky Huang Sent: 3/7/2013 3:24 AM To: snort-users () lists sourceforge net Subject: [Snort-users] Snort doc error (?) - rule option not optional? Hi all, According to the rule doc (http://manual.snort.org/node28.html),Note that the rule options section is not specifically required by any rule, they are just used for the sake of making tighter definitions of packets to collect or alert on (or drop, for that matter).So I created a rule,alert ICMP any any -> any any (msg:"Shut this rule off, it works now";)which is included by snort.conf If I run snort in test mode,snort -T -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.confit outputs success,Snort successfully validated the configuration! Snort exitingYet if I run it for production,snort -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.confit stops with the error,Initializing rule chains... ERROR: ./rules/myrules.rules(1) Each rule must contain a rule sid. Fatal Error, Quitting..If I change my rule to:alert ICMP any any -> any anyIt validates and starts fine. Here's my Snort built info:# snort -V ,,_ -*> Snort! <*- o" )~ Version 2.9.4 GRE (Build 40) FreeBSD '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team Copyright (C) 1998-2012 Sourcefire, Inc., et al. Using libpcap version 1.1.1 Using PCRE version: 8.31 2012-07-06 Using ZLIB version: 1.2.5So I am wondering: 1) The optional section is not completely optional (?) 2) If there's indeed a requirement, why doesn't -T catch it? Thanks! ------------------------------------------------------------------------------ Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the endpoint security space. For insight on selecting the right partner to tackle endpoint security challenges, access the full report. http://p.sf.net/sfu/symantec-dev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the endpoint security space. For insight on selecting the right partner to tackle endpoint security challenges, access the full report. http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort doc error (?) - rule option not optional? Ricky Huang (Mar 06)
- <Possible follow-ups>
- Re: Snort doc error (?) - rule option not optional? Y M (Mar 08)
- Re: Snort doc error (?) - rule option not optional? Russ Combs (Mar 08)
- Re: Snort doc error (?) - rule option not optional? Ricky Huang (Mar 08)
- Re: Snort doc error (?) - rule option not optional? Russ Combs (Mar 08)
- Re: Snort doc error (?) - rule option not optional? Ricky Huang (Mar 08)
- Re: Snort doc error (?) - rule option not optional? Russ Combs (Mar 08)