Thursday, December 23, 2010

Snort 2.9.0.3 and error checking

As you may have seen by now, for the last several posts we've been talking about the new error checking in Snort 2.9.0.3. This corrects a long-known issue with custom rules that use an incorrect distance with no prior content check, or within together with an offset, and various other incorrect combinations.

I've received a lot of emails since we put out 2.9.0.3 complaining that Snort won't start.

My suggestion is that you start Snort with the -T command-line option instead of -D at first.

-T starts Snort in test mode. Test mode reports any errors in your rules, and Snort will not be able to fully complete its startup test unless everything checks out (including these new checks).

If you maintain a local.rules file, or if you receive rules from a secondary repository (other than VRT's feed), you'll want to start your new version of Snort in -T mode and correct any errors. (By the way, I'm not picking on any particular external ruleset out there; there are several external rulesets that we know of, and this goes for all of them.)
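As an added example that is not from the post or from the Snort project, here is a small Python checker that models the two rule-option combinations described above (distance or within with no preceding content, and within paired with offset on the same content) over constructed sample rules. It is a simplified stand-in for what -T test mode reports, not Snort's own rule parser, and the sample sids are made up.

```python
import re
from typing import Dict, List

# Constructed sample rules (not from the original post): the first two contain
# the option combinations the post says Snort 2.9.0.3 now rejects, the third is clean.
SAMPLE_RULES = [
    'alert tcp any any -> any any (msg:"distance with no prior content"; distance:4; content:"GET"; sid:1000001;)',
    'alert tcp any any -> any any (msg:"within together with offset"; content:"GET"; offset:0; within:3; sid:1000002;)',
    'alert tcp any any -> any any (msg:"well formed"; content:"GET"; offset:0; depth:3; content:"/admin"; distance:0; within:20; sid:1000003;)',
]

# Split on ';' only when it is outside double quotes, so content:"a;b" stays one option.
_OPTION_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def option_keywords(rule: str) -> List[str]:
    """Return the option keywords of the parenthesised rule body, in order."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return [part.strip().split(":", 1)[0].strip() for part in _OPTION_SPLIT.split(body) if part.strip()]

def check_rule(rule: str) -> List[str]:
    """Return the problems found in one rule (empty list means clean).
    Simplified: only the combinations named in the post are modelled."""
    problems: List[str] = []
    seen_content = False
    current_mods = set()  # modifiers attached to the most recent content option
    for kw in option_keywords(rule):
        if kw == "content":
            seen_content = True
            current_mods = set()
        elif kw in ("distance", "within", "offset", "depth"):
            if not seen_content:
                problems.append(f"{kw} used with no prior content match")
            # within and offset on the same content is one of the rejected combinations
            if (kw == "within" and "offset" in current_mods) or (kw == "offset" and "within" in current_mods):
                problems.append("within combined with offset on the same content")
            current_mods.add(kw)
    return problems

def check_rules(rules: List[str]) -> Dict[str, List[str]]:
    """Map each rule's sid to its problems, the way you would triage -T output before starting Snort."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        sid = re.search(r"sid:\s*(\d+)", rule).group(1)
        report[sid] = check_rule(rule)
    return report

if __name__ == "__main__":
    for sid, problems in check_rules(SAMPLE_RULES).items():
        print(sid, "OK" if not problems else "; ".join(problems))
```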