Snort mailing list archives

File magic rules for 2.9.6, what options are required?


From: Joshua Kinard <kumba () gentoo org>
Date: Thu, 26 Dec 2013 15:41:18 -0500


Doing a quick glance at the new file magic "rules" that one can specify in
2.9.6 RC, I am not directly seeing a definition of which of the options are
required and which aren't.

So far, it looks like I can write this:
    file type:FOO;

And ~/bin/snort -c local.rules -T parses w/o error.

Logically, my guess is that the following option keywords are going to be
required for a 'file' definition to work correctly:
    type
    id
    msg
    content

With these being optional:
    ver
    category
    group (required only if >1 definition of 'type')
    offset (assumed 0 if not specified)
    rev (assumed 1 if not specified)

Does this sound about right?


Also, in doc/README.file, there are two minor errors on lines 241 and 243.  First
is the use of "smart quotes" on the 'msg' keyword, and second is 'sid' instead of 'id'.
Someone wrote part of this in MS Office, didn't they? :)

--J
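As an added example (not from the original post and not the Snort project's own code), here is a small Python checker that applies the required/optional split proposed in the post to a rules file. The split itself is the poster's guess, not Snort's documented behaviour; the `file keyword:value;` syntax is assumed from the one-line example above; and the sample rules at the bottom are constructed for this example, not taken from Snort's shipped file_magic.conf.

```python
import re
import sys
from collections import defaultdict

# Required/optional split exactly as proposed in the post above. This is an
# assumption for the checker, not a statement of what Snort 2.9.6 enforces.
REQUIRED = {"type", "id", "msg", "content"}
OPTIONAL = {"ver", "category", "group", "offset", "rev"}
KNOWN = REQUIRED | OPTIONAL
DEFAULTS = {"offset": "0", "rev": "1"}   # defaults assumed in the post

# One option: keyword ':' value ';' where the value is either double-quoted
# (quotes may contain escaped characters and ';') or a bare token.
_OPT_RE = re.compile(r'\s*(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')


def parse_file_rule(line):
    """Parse one 'file ...;' line into {keyword: value}.

    Returns None for lines that are not file rules. Raises ValueError on
    malformed or duplicated options.
    """
    stripped = line.strip()
    if not stripped.startswith("file "):
        return None
    body = stripped[len("file"):]
    opts = {}
    pos = 0
    while pos < len(body):
        m = _OPT_RE.match(body, pos)
        if m is None:
            raise ValueError(f"cannot parse option at {body[pos:]!r}")
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        if key in opts:
            raise ValueError(f"duplicate option {key!r}")
        opts[key] = val
        pos = m.end()
    return opts


def check_rules(text):
    """Check every file rule in `text`.

    Returns (rules, problems): rules is a list of option dicts with the assumed
    defaults filled in; problems is a sorted list of (line_no, message).
    """
    rules, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            opts = parse_file_rule(line)
        except ValueError as exc:
            problems.append((no, str(exc)))
            continue
        if opts is None:
            continue
        for k in sorted(REQUIRED - opts.keys()):
            problems.append((no, f"missing required option {k!r}"))
        for k in sorted(opts.keys() - KNOWN):
            problems.append((no, f"unknown option {k!r}"))
        for k, default in DEFAULTS.items():
            opts.setdefault(k, default)
        if not opts["offset"].isdigit():
            problems.append((no, f"offset {opts['offset']!r} is not a number"))
        rules.append((no, opts))

    # 'group' is only needed when the same 'type' is defined more than once.
    by_type = defaultdict(list)
    for no, opts in rules:
        if "type" in opts:
            by_type[opts["type"]].append((no, opts))
    for t, defs in by_type.items():
        if len(defs) > 1:
            for no, opts in defs:
                if "group" not in opts:
                    problems.append((no, f"type {t!r} defined more than once but 'group' is missing"))
    return [opts for _, opts in rules], sorted(problems)


# Constructed sample rules for this example; not Snort's shipped file_magic.conf.
SAMPLE_RULES = """\
# constructed sample
file type:FOO;
file type:"GIF"; id:1; category:"GRAPHICS"; msg:"GIF graphics file"; rev:1; content:"GIF87a"; offset:0;
file type:"GIF"; id:2; category:"GRAPHICS"; msg:"GIF graphics file"; rev:1; content:"GIF89a"; offset:0;
file type:"PDF"; id:3; msg:"PDF document"; content:"%PDF-"; rev:2;
file type:"BAD"; id:4; msg:"uses sid like the README typo"; content:"x"; sid:4;
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    rules, problems = check_rules(text)
    print(f"{len(rules)} file rule(s) parsed")
    for no, msg in problems:
        print(f"line {no}: {msg}")
```

Run it with a rules file as the only argument, or with no argument to check the embedded sample. On the sample it flags the bare `file type:FOO;` line for the three other required options, both GIF definitions for lacking `group`, and the `sid` keyword as unknown; note that `snort -T` accepting a rule, as the post reports for `file type:FOO;`, says nothing about whether that rule can match anything, which is why a lint pass like this is worth running alongside the parse check.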

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
