Snort mailing list archives

Re: Broken snort rule


From: Matt Jonkman <jonkman () jonkmans com>
Date: Tue, 07 Oct 2008 17:16:42 -0400

How about unescaped colons and semicolons, etc?

Thanks for the info Matt. I hadn't seen that option. Time to upgrade.

Matt

Matt Olney wrote:
Actually, in snort 2.8.3.3, the -x control:

-x         Exit if Snort configuration problems occur

will fail out on many common rule problems. For example, duplicate sids.

Matt

On Tue, Oct 7, 2008 at 2:30 PM, Paul Schmehl <pauls () utdallas edu> wrote:

    --On Tuesday, October 07, 2008 11:48:45 -0500 Matt Jonkman
    <jonkman () jonkmans com> wrote:


        Cool, I had stopped testing of the autogenerated rules because
        it didn't seem to be of much use. Will turn that back on.

        Is there an easy way to parse the other rules though for more subtle
        errors? Or force verbosity to get it to tell us about rules ignored?


    does # snort -Tvvvvvv not do the trick?

    -- 
    Paul Schmehl (pauls () utdallas edu)
    Senior Information Security Analyst
    The University of Texas at Dallas
    http://www.utdallas.edu/ir/security/



-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
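
An offline pre-check for two of the problems raised in this thread, duplicate sids and unescaped colons or semicolons in content strings, as an added example that is not from any poster or from the Snort project. It assumes one rule per line; the set of characters to flag is taken from the question above, and the function names and sample rules are constructed for illustration.

```python
import re
from collections import defaultdict

# Quoted option value; a backslash escapes the character that follows it.
QUOTED = re.compile(r'"((?:\\.|[^"\\])*)"')
CONTENT = re.compile(r'\b(?:uri)?content\s*:\s*!?\s*' + QUOTED.pattern)
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MUST_ESCAPE = ';:'   # assumption: the characters asked about in the thread

def unescaped(value):
    """Return the MUST_ESCAPE characters that appear without a backslash."""
    found, i = [], 0
    while i < len(value):
        if value[i] == '\\':
            i += 2          # skip the backslash and the character it escapes
            continue
        if value[i] in MUST_ESCAPE:
            found.append(value[i])
        i += 1
    return found

def lint_rules(text):
    """Return sorted (line_number, message) findings for a rules file."""
    findings, seen = [], defaultdict(list)
    for n, line in enumerate(text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith('#'):
            continue        # blank line or commented-out rule
        for m in CONTENT.finditer(rule):
            for ch in unescaped(m.group(1)):
                findings.append((n, f'unescaped {ch!r} in content "{m.group(1)}"'))
        # Blank quoted values so text inside a string is never read as a sid.
        for sid in SID.findall(QUOTED.sub('""', rule)):
            seen[sid].append(n)
    for sid, lines in seen.items():
        for n in lines[1:]:
            findings.append((n, f'duplicate sid {sid} (first used on line {lines[0]})'))
    return sorted(findings)

# Constructed sample rules, not taken from any real rule set.
SAMPLE = r'''
alert tcp any any -> any 80 (msg:"ok"; content:"GET /a\;b"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"colon"; content:"Host: x"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"dup"; content:"|0d 0a|"; sid:1000001; rev:1;)
'''

if __name__ == '__main__':
    for n, msg in lint_rules(SAMPLE):
        print(f'line {n}: {msg}')
```

A check like this complements, rather than replaces, loading the rules with Snort itself, since only Snort's own parser decides what it accepts.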


