Snort mailing list archives

Re: Broken snort rule


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Tue, 07 Oct 2008 09:11:12 -0500

--On Tuesday, October 07, 2008 08:06:49 -0500 James Lay 
<jlay () slave-tothe-box net> wrote:


> FYI
> 
> Subject: Oct  7 06:30:58 gateway snort[21619]: FATAL ERROR:
> /chroot/snort/etc/snort/rules/emerging-compromised.rules(119) => Empty IP
> used either as source IP or as destination IP in a rule. IP list: [].
> 
> alert ip [] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or/
> Hostile Host Traffic (76)";/
> reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts;/
> threshold: type limit, track by_src, seconds 60, count 1;/
> classtype:misc-attack; sid:2500075; rev:1292;)


Hardly anyone has better error messages than snort.  (Thanks, Marty.)  The 
error message is telling you *exactly* what is wrong, viz. "Empty IP used 
either as source IP or as destination IP in a rule.  IP list: []."

The rule reads alert ip ***[]***.

The IP list is empty, just as the error message states.  The basic format of a 
snort rule is:

action (alert,activate,log,pass,dynamic,drop,reject,sdrop)
protocol (ip,tcp,udp,icmp)
source ip
source port
direction of flow
destination ip
destination port
rule particulars (msg,content,classtype,sid,rev, etc.)

In this case, the source ip is [], which is an empty IP list.  IP lists are 
generally enclosed in brackets thus:
[192.168.0.1/24,192.168.0.2/24].

I would recommend commenting the rule out.  It's basically worthless anyway. 
It will create one alert per second for *any* traffic that passes snort.  It 
looks like a test rule to confirm that snort is seeing traffic.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.
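An added check for the situation described in the reply above (example code, not from the original post or from the Snort project): a small Python linter that joins backslash-continued rule lines, parses the seven-field header the reply lists (action, protocol, source IP, source port, direction, destination IP, destination port, then the options in parentheses), and flags an empty IP list such as `[]` or `![]` in either IP position, as well as entries that are not `any`, a `$VARIABLE`, or a valid address/CIDR. The rules text is constructed for this example, with the empty-list rule modelled on the one quoted in the thread; the parser assumes flat (non-nested) lists with no whitespace inside the brackets.

```python
"""Lint Snort rule headers for empty or malformed IP lists before Snort refuses to start."""
import ipaddress
import re

# Constructed sample rules file (not the real emerging-compromised.rules).
# Rule on lines 3-5 is modelled on the broken rule quoted in the thread.
SAMPLE_RULES = """\
# constructed sample rules for the linter
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ssh"; sid:1000001; rev:1;)
alert ip [] any -> $HOME_NET any (msg:"empty source list"; \\
    threshold: type limit, track by_src, seconds 60, count 1; \\
    classtype:misc-attack; sid:1000002; rev:1;)
alert ip [192.168.0.0/24,10.0.0.0/8] any -> any any (msg:"good list"; sid:1000003; rev:1;)
alert ip any any -> ![] 80 (msg:"negated empty list"; sid:1000004; rev:1;)
alert udp any any -> [10.0.0.1,10.0.0.300] 53 (msg:"bad address"; sid:1000005; rev:1;)
"""

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}

# header := action proto src_ip src_port direction dst_ip dst_port (options)
# Assumption: no whitespace inside a bracketed list, so every field is one token.
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def join_continuations(text):
    """Yield (first_line_no, rule_text), joining lines that end in a backslash."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf).strip()


def split_ip_list(field):
    """Return the entries of an IP field such as 'any', '$VAR', '[a,b]', '![a,b]' or '1.2.3.0/24'.

    A flat list is assumed (no nested brackets). '[]' and '![]' yield an empty list.
    """
    body = field[1:] if field.startswith("!") else field
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    return [e for e in body.split(",") if e]


def valid_ip_entry(entry):
    """Accept 'any', a $VARIABLE, or an IPv4/IPv6 address or CIDR, optionally negated with '!'."""
    e = entry[1:] if entry.startswith("!") else entry
    if e == "any" or e.startswith("$"):
        return True
    try:
        ipaddress.ip_network(e, strict=False)
        return True
    except ValueError:
        return False


def check_rules(text):
    """Return (line_no, sid, message) for every rule Snort would reject at load time."""
    problems = []
    for line_no, rule in join_continuations(text):
        if not rule or rule.startswith("#"):
            continue
        m = HEADER_RE.match(rule)
        if not m:
            problems.append((line_no, None, "cannot parse rule header"))
            continue
        sm = SID_RE.search(m.group("opts"))
        sid = int(sm.group(1)) if sm else None
        if m.group("action") not in ACTIONS:
            problems.append((line_no, sid, f"unknown action {m.group('action')!r}"))
        if m.group("proto") not in PROTOCOLS:
            problems.append((line_no, sid, f"unknown protocol {m.group('proto')!r}"))
        for side in ("src_ip", "dst_ip"):
            field = m.group(side)
            entries = split_ip_list(field)
            if not entries:  # the exact condition behind Snort's "Empty IP" fatal error
                problems.append((line_no, sid, f"empty IP list as {side}: {field}"))
            for entry in entries:
                if not valid_ip_entry(entry):
                    problems.append((line_no, sid, f"bad entry {entry!r} in {side}"))
    return problems


if __name__ == "__main__":
    for line_no, sid, msg in check_rules(SAMPLE_RULES):
        print(f"line {line_no} sid {sid}: {msg}")
```

Run it against a rules file (read the file into `check_rules`) before restarting the sensor after a ruleset update; it reports the first line of each offending rule, which is the line you would comment out. The hypothetical `![]` case is flagged too, since negating an empty list still leaves nothing to match.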


