
List:       emerging-sigs
Subject:    [Emerging-Sigs] typo in 2008396
From:       decoder-et () own-hero ! net (Chris)
Date:       2009-02-28 21:19:32
Message-ID: 49A9AA64.90606 () own-hero ! net

Matt Jonkman wrote:
> Brian Caswell pointed us to a perl module designed to parse the rules
> for errors. (I can't find the link to it at the moment, anyone have that
> handy?)
>
>   
I guess you mean Parse::Snort? 
(http://search.cpan.org/~rharman/Parse-Snort-0.01/lib/Parse/Snort.pm)

I tested this module and it seems suitable for parsing, however, it does 
not seem to do error checking.
I've tested with bogus actions, arguments to functions that shouldn't 
have arguments (like nocase:"blah";)
and even omitting the rule direction does not make the parser fail. It 
always returns "something", which we
would have to check for consistency. So it's still some work even with 
the module, but I'll see what I can do :)


Chris
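
The message above says a consistency check is still needed on top of parsing. The sketch below is an added example, not code from this thread, and it does not use Parse::Snort: it is a stand-alone Python check for the three cases mentioned (bogus action, an argument to nocase, omitted direction). The keyword lists are partial assumptions and the sample rules are constructed.

```python
import re

# Partial lists for illustration (assumptions); extend for the Snort version in use.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
DIRECTIONS = {"->", "<>"}
NO_ARG_OPTIONS = {"nocase", "rawbytes", "ftpbounce", "http_uri", "http_header",
                  "http_method", "http_cookie", "http_client_body"}

# One option: name, optional ":value" (quoted strings may contain ';'), closing ';'.
OPTION_RE = re.compile(
    r'\s*([\w.]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|\\.|[^;"\\])*))?\s*;')

def check_rule(rule):
    """Return a list of error strings; an empty list means nothing was flagged."""
    m = re.match(r'\s*([^(]*)\((.*)\)\s*$', rule, re.S)
    if not m:
        return ["rule has no '( ... )' option block"]
    errors = []
    header, body = m.group(1).split(), m.group(2)
    if len(header) != 7:
        errors.append("header has %d fields, expected 7" % len(header))
    if header and header[0] not in ACTIONS:
        errors.append("unknown action '%s'" % header[0])
    if not any(tok in DIRECTIONS for tok in header):
        errors.append("missing or invalid direction operator")
    pos = 0
    while body[pos:].strip():
        opt = OPTION_RE.match(body, pos)
        if not opt:
            errors.append("cannot parse options near: %r" % body[pos:pos + 30])
            break
        name, value = opt.group(1), opt.group(2)
        # value is None only when the option was written without ':'
        if name in NO_ARG_OPTIONS and value is not None:
            errors.append("option '%s' takes no argument" % name)
        pos = opt.end()
    return errors

# Constructed sample rules: one clean, then the three cases from the message.
SAMPLES = [
    'alert tcp any any -> any 80 (msg:"constructed"; content:"abc"; nocase; sid:1000001; rev:1;)',
    'blah tcp any any -> any 80 (msg:"constructed"; sid:1000002; rev:1;)',
    'alert tcp any any -> any 80 (msg:"constructed"; content:"abc"; nocase:"blah"; sid:1000003;)',
    'alert tcp any any any 80 (msg:"constructed"; sid:1000004; rev:1;)',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_rule(sample) or "ok", "<-", sample)
```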
