Re: Snort doc error (?) - rule option not optional?

[Y M <snort () outlook com>]

As far as I understand, the -T validates only the conf file of snort, and not the rules.

A rule must have an sid; which uniquely identifies each rule, it is a requirement.

YM
________________________________
From: Ricky Huang<mailto:rhuang.work () gmail com>
Sent: ‎3/‎7/‎2013 3:24 AM
To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: [Snort-users] Snort doc error (?) - rule option not optional?

Hi all,

According to the rule doc (http://manual.snort.org/node28.html),
> Note that the rule options section is not specifically required by any rule, they are just used for the sake of 
> making tighter definitions of packets to collect or alert on (or drop, for that matter).


So I created a rule,
> alert ICMP any any -> any any (msg:"Shut this rule off, it works now";)

which is included by snort.conf

If I run snort in test mode,
> snort -T -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf


it outputs success,
> Snort successfully validated the configuration!
> Snort exiting

Yet if I run it for production,
> snort -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf


it stops with the error,
> Initializing rule chains...
> ERROR: ./rules/myrules.rules(1) Each rule must contain a rule sid.
> Fatal Error, Quitting..

If I change my rule to:
> alert ICMP any any -> any any


It validates and starts fine.

Here's my Snort built info:
> # snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4 GRE (Build 40) FreeBSD
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using libpcap version 1.1.1
>            Using PCRE version: 8.31 2012-07-06
>            Using ZLIB version: 1.2.5


So I am wondering:
  1) The optional section is not completely optional (?)
  2)  If there's indeed a requirement, why doesn't -T catch it?


Thanks!

------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!