Snort mailing list archives
Re: Broken snort rule
From: Matt Jonkman <jonkman () jonkmans com>
Date: Tue, 07 Oct 2008 12:48:45 -0400
Cool, I had stopped testing of the autogenerated rules because it didn't seem to be of much use. Will turn that back on. Is there an easy way to parse the other rules though for more subtle errors? Or force verbosity to get it to tell us about rules ignored? Thanks Matt Matt Matt Olney wrote:
That would be a good idea, but in this case, 2.8 throws a fatal error: Initializing rule chains... ERROR: /home/molney/etc/rules/local.rules(14) => Empty IP used either as source IP or as destination IP in a rule. IP list: []. Fatal Error, Quitting.. So, you should at least be able to test that the rules load. Matt On Tue, Oct 7, 2008 at 11:11 AM, Matt Jonkman <jonkman () jonkmans com <mailto:jonkman () jonkmans com>> wrote: Yes, it would. But we used to rely on an error report from snort. Now it just ignores and goes on.... So no real good automated way to do so. There was talk about a switch to have snort exit on an error. Any traction with that? If you have a good automated way we can use I'd love to hear it. Matt Brian Caswell wrote: > On Tue, Oct 7, 2008 at 9:37 AM, Matt Jonkman <jonkman () jonkmans com <mailto:jonkman () jonkmans com> > <mailto:jonkman () jonkmans com <mailto:jonkman () jonkmans com>>> wrote: > > Thats an issue for emerging-sigs, but thanks for reporting it. > > Script error not watching for an even number of IPs. Fixed up, can you > pull again and retest for me? > > > Perhaps it would be a good idea to ... I donno, test the rules before > releasing them? > > Brian -- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ <http://moblin-contest.org/redirect.php?banner_id=100&url=/> _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net <mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users <https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users> list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------------------------ ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ ------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Broken snort rule James Lay (Oct 07)
- Re: Broken snort rule Matt Jonkman (Oct 07)
- Re: Broken snort rule Brian Caswell (Oct 07)
- Re: Broken snort rule Matt Jonkman (Oct 07)
- Re: Broken snort rule Matt Olney (Oct 07)
- Re: Broken snort rule Matt Jonkman (Oct 07)
- Message not available
- Re: Broken snort rule Matt Olney (Oct 07)
- Re: Broken snort rule Matt Olney (Oct 07)
- Re: Broken snort rule Matt Jonkman (Oct 07)
- Message not available
- Re: Broken snort rule Matt Jonkman (Oct 07)
- Re: Broken snort rule Brian Caswell (Oct 07)
- Re: Broken snort rule Markus Lude (Oct 07)
- Re: Broken snort rule Matt Jonkman (Oct 07)