Snort mailing list archives

Re: Bug in 2.8.4.1?


From: Steven Sturges <steve.sturges () sourcefire com>
Date: Fri, 05 Feb 2010 15:03:03 -0500

While this is a subtle syntax error, the reason it is
not specifically noted with the -T is a conscious one.

When reading a conf and parsing with -T, Snort allows for
rules to not have SIDs specified, to check the validity of
the rule's detection options (contents, byte_test, pcre, etc).

That requirement is enforced when the -T is not present with
more recent versions of Snort that require all rules to
have a unique SID.  Earlier versions allow this.

To maintain backwards compatibility with 'Test Mode', Snort
allows this with the -T, but generates a run-time error
without it.

Cheers.
-steve

mex wrote:
hi,

i was playing around with snort 2.8.4.1 and 
discovered (probably) a bug:

when misspelling a rule like the following
(watch the missing ; after the reference)  

alert .... ( ... reference,url:www.some.url sid:12345678;)

the command snort -T -c /etc/snort/snort.conf did not
show any errors, while starting snort via init-script
(that calls  /usr/sbin/snort -D -c /etc/snort/snort.conf)
led to a non-starting snort, due to this error.


mex
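
A pre-deployment check for the case discussed in this thread, where a missing ';' leaves a rule with no parsed sid and -T does not report it. This is an added example, not Snort code and not from either poster; the option-splitting regex, the function names and the sample rules are assumptions of this sketch, not Snort's parser.

```python
import re

# Constructed sample rules (not from the thread). The rule on line 3 omits the
# ';' after the reference option, so "sid:1000002" lands inside its argument.
SAMPLE_RULES = r'''
alert tcp any any -> any 80 (msg:"ok rule"; content:"a\;b"; reference:url,example.com/a; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"missing semicolon"; reference:url,example.com/b sid:1000002;)
# alert tcp any any -> any 80 (msg:"commented out";)
alert tcp any any -> any 80 (msg:"no sid at all"; content:"x";)
'''

# One option = a run of escaped chars, quoted strings, or anything except ';'.
# This keeps '\;' and ';' inside "..." from being treated as separators.
OPTION = re.compile(r'(?:\\.|"(?:\\.|[^"\\])*"|[^;"\\])+')
RULE = re.compile(r"^[a-z]+\s.*?\((.*)\)\s*$")


def split_options(body):
    """Split a rule's option block into individual 'name:value' options."""
    return [o.strip() for o in OPTION.findall(body) if o.strip()]


def lint_rules(text):
    """Return (line_no, problem) for every active rule with no parsed sid."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line.strip())
        if not m:  # blank lines, comments, non-rule config lines
            continue
        opts = split_options(m.group(1))
        names = [o.split(":", 1)[0].strip() for o in opts]
        if "sid" in names:
            continue
        # A sid that appears mid-option means the preceding ';' is missing.
        swallowed = [o for o in opts if re.search(r"\ssid\s*:\s*\d+", o)]
        if swallowed:
            findings.append((no, "missing ';' before sid in: " + swallowed[0]))
        else:
            findings.append((no, "no sid option"))
    return findings


if __name__ == "__main__":
    for no, problem in lint_rules(SAMPLE_RULES):
        print(f"line {no}: {problem}")
```

Running a check like this alongside `snort -T` before restarting the daemon catches the class of rule that passes test mode but stops Snort at start-up.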

