Snort mailing list archives
Snort 2.4.0 self-test mode
From: "Wolf, Brian" <Brian.Wolf () richardson k12 tx us>
Date: Mon, 22 Aug 2005 11:56:09 -0500
Has the self-test function changed in Snort 2.4.0? It doesn't seem to
be catching bad rule syntax, etc.
I deliberately inserted a bad rule in web-misc.rules:
# Deliberate INVALID RULE (missing source port) to see if snort -T (validation mode) catches it
alert tcp 165.199.0.0/16 -> any any ( msg:"VALIDATION TEST" ; classtype=not-suspicious; rev:1;)
Snort 2.4.0 didn't catch the bad rule:
bin/snort -c snort.conf -T
***
*** interface device lookup found: eth0
***
Running in Test mode with config file: snort.conf
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding LoopBack on interface eth0
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.4.0 (Build 18)
'''' By Martin Roesch & The Snort Team:
http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
Snort sucessfully loaded all rules and checked all rule chains!
Snort exiting
Snort 2.3.3 catches it, plus it displays a lot more diagnostic info:
bin/snort.2.3.3 -c snort.conf-2.3.3 -T
Running in IDS mode
Initializing Network Interface eth0
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort.conf-2.3.3
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
[... a lot more info snipped ...]
ERROR: Warning: ./rules/local/local.rules(215) => Unknown
keyword ' resp' in rule!
Fatal Error, Quitting..
Both config files specify the same rule path and include web-misc.rules
(I tried absolute paths, too):
snort.conf:var RULE_PATH ./rules
snort.conf:include $RULE_PATH/web-misc.rules
snort.conf-2.3.3:var RULE_PATH ./rules
snort.conf-2.3.3:include $RULE_PATH/web-misc.rules
I tried adding the -v (verbose) switch to the 2.4.0 line, but that
didn't help.
If I try to start snort in normal mode with the bad rule still in place,
2.4.0 DOES report the bad rule and dies. Once I correct the rule, it
runs correctly.
I also tried including a non-existent rule file in the 2.4.0 config
file, and self-test didn't catch that, either.
Did I miss a build switch? I used this configure statement:
./configure --with-snmp --with-mysql --exec-prefix=/usr/local/snort --enable-flexresp
Thanks for any assistance.
- Brian
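The two gaps described in this post (a rule header missing its source port, and an `include` of a rule file that does not exist) can be caught by a small pre-deployment lint run before the config ever reaches `snort -T`. The script below is an added example written for this archive page; it is not part of the original post and not Snort's own rule parser. It assumes the classic seven-field rule header (action, protocol, source, source port, direction, destination, destination port) and `keyword:value` option syntax, and the rule and config text embedded in it are constructed samples based on the lines quoted in the post.

```python
"""Pre-deployment lint for Snort rule files and config includes.

Added example for this mailing-list post; it is NOT Snort's own parser and
implements only the checks the post says `snort -T` in 2.4.0 missed:
  * a rule header with fewer or more than 7 fields (e.g. a missing source port)
  * an option written as keyword=value instead of keyword:value
  * an `include` in snort.conf that points at a file that does not exist
"""
import os

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}

# Constructed sample input: the deliberately broken rule from the post and a corrected form.
BAD_RULE = ('alert tcp 165.199.0.0/16 -> any any ( msg:"VALIDATION TEST" ; '
            'classtype=not-suspicious; rev:1;)')
GOOD_RULE = ('alert tcp 165.199.0.0/16 any -> any 80 (msg:"VALIDATION TEST"; '
             'classtype:not-suspicious; sid:1000001; rev:1;)')
# Constructed sample config mirroring the var/include lines quoted in the post.
SAMPLE_CONFIG = "var RULE_PATH ./rules\ninclude $RULE_PATH/web-misc.rules\n"


def split_options(body):
    """Split the option body on ';' characters that are outside double quotes."""
    parts, current, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote          # simplification: \" escapes are not handled
        if ch == ";" and not in_quote:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def check_rule(line):
    """Return a list of problems found in one rule line (empty list if it looks valid)."""
    problems = []
    text = line.strip()
    if not text or text.startswith("#"):
        return problems                      # blank or comment line
    open_idx = text.find("(")
    header = text if open_idx < 0 else text[:open_idx]
    fields = header.split()
    if len(fields) != 7:
        problems.append(f"header has {len(fields)} fields, expected 7 "
                        "(action proto src srcport dir dst dstport)")
    else:
        action, proto, _, _, direction, _, _ = fields
        if action not in ACTIONS:
            problems.append(f"unknown action '{action}'")
        if proto not in PROTOCOLS:
            problems.append(f"unknown protocol '{proto}'")
        if direction not in DIRECTIONS:
            problems.append(f"bad direction operator '{direction}'")
    if open_idx < 0 or not text.endswith(")"):
        problems.append("option body must be enclosed in ( ... )")
        return problems
    for opt in split_options(text[open_idx + 1:-1]):
        if "=" in opt and ":" not in opt:
            key = opt.split("=", 1)[0].strip()
            problems.append(f"option '{key}' uses '=' instead of ':'")
    return problems


def lint_rules(rules_text):
    """Lint every line of a rules file; returns [(line_number, problem), ...]."""
    findings = []
    for number, line in enumerate(rules_text.splitlines(), start=1):
        for problem in check_rule(line):
            findings.append((number, problem))
    return findings


def check_includes(config_text, base_dir):
    """Return the include targets (after $VAR expansion) that do not exist on disk."""
    variables, missing = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("var "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                variables[parts[1]] = parts[2]
        elif line.startswith("include "):
            target = line.split(None, 1)[1].strip()
            for name, value in variables.items():
                target = target.replace("$" + name, value)
            path = target if os.path.isabs(target) else os.path.join(base_dir, target)
            if not os.path.exists(path):
                missing.append(target)
    return missing


if __name__ == "__main__":
    for number, problem in lint_rules(BAD_RULE + "\n" + GOOD_RULE + "\n"):
        print(f"rule line {number}: {problem}")
    for target in check_includes(SAMPLE_CONFIG, os.getcwd()):
        print(f"include not found: {target}")
```

Run against the post's broken rule, `check_rule` reports both the six-field header (the missing source port) and the `classtype=not-suspicious` option that uses `=` rather than `:`; the corrected rule passes clean. `check_includes` resolves `$RULE_PATH` the way the quoted `var`/`include` lines do and reports any target that is not on disk, which is the second case the post says self-test mode let through.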