Snort Validator

Overview

SnortValidator is a tool that analyzes Snort rules and searches for certain syntactic and semantic errors. It aims to supplement Snort itself, whose error checking is very weak in places. SnortValidator therefore detects many things that Snort will silently accept but that cannot possibly work. Additionally, it detects some common semantic problems that indicate wrong usage of keywords, which will certainly not do what you actually intended.

What is checked?

The following list is an excerpt of what SnortValidator checks:

  • Most basic syntactic skeleton of a rule
  • IP addresses, Ports, Ranges, Directions, Protocols, Actions
  • Duplicate SID checking, References, Classtypes
  • Basic syntactic validity of all keywords (using regular expressions and more complex logic where required)
  • Semantic checks for a subset of keywords, including context sensitivity (flow, within, depth, rawbytes, byte tests, etc.)
  • PCRE expression checker
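To illustrate the kind of checks listed above, here is a small Python linter written for this page (it is example code, not part of SnortValidator, which is written in Perl): it checks the header skeleton, actions, protocols and port ranges, reports missing and duplicate SIDs, and applies two semantic checks, a content modifier with no preceding content and a depth shorter than the content it applies to. The keyword sets, messages and sample rules are my own assumptions; port variables, port lists and hex content sequences are out of scope.

```python
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
MODIFIERS = {"depth", "offset", "distance", "within", "nocase", "rawbytes"}  # modify the preceding content
HEADER = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")

def parse_options(body):
    # Split on ';' only outside quotes so content:"a;b" survives; flag keywords get value None.
    items = [i.strip() for i in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body) if i.strip()]
    return [(k.strip(), v.strip().strip('"') if sep else None)
            for k, sep, v in (i.partition(":") for i in items)]

def port_ok(spec):
    # 'any', a single port, or a low:high range (either end may be open), all within 0..65535.
    m = re.fullmatch(r"(\d*)(?::(\d*))?", spec)
    if spec == "any" or not m or not (m.group(1) or m.group(2)):
        return spec == "any"
    lo = int(m.group(1) or 0)
    hi = lo if m.group(2) is None else int(m.group(2) or 65535)
    return lo <= hi <= 65535

def validate(rules):
    # Returns (rule_number, message) for every problem found; rule numbers start at 1.
    errors, seen_sids = [], {}
    for n, rule in enumerate(rules, 1):
        m = HEADER.match(rule.strip())
        if not m:
            errors.append((n, "header is not: action proto src sport dir dst dport (options)"))
            continue
        action, proto, _src, sport, _dir, _dst, dport, body = m.groups()
        if action not in ACTIONS or proto not in PROTOCOLS:
            errors.append((n, f"unknown action or protocol: {action} {proto}"))
        errors += [(n, f"bad port spec {p!r}") for p in (sport, dport) if not port_ok(p)]
        content = sid = None
        for key, value in parse_options(body):
            if key == "sid":
                sid = value
            elif key == "content":
                content = value  # the content that later modifiers attach to
            elif key in MODIFIERS and content is None:
                errors.append((n, f"{key} has no preceding content to modify"))
            elif key == "depth" and str(value).isdigit() and int(value) < len(content):
                errors.append((n, f"depth {value} is shorter than content {content!r}: can never match"))
        if sid is None:
            errors.append((n, "missing sid"))
        elif seen_sids.setdefault(sid, n) != n:  # setdefault keeps the first rule that used this sid
            errors.append((n, f"duplicate sid {sid}, first used by rule {seen_sids[sid]}"))
    return errors
```

Feed `validate()` the rules of a file, one per list entry; the content length used by the depth check is the literal string length, so a `|..|` hex sequence counts as its characters rather than its bytes.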

Installation

SnortValidator is written entirely in Perl and has only a small number of CPAN dependencies beyond the standard modules:

  • Parse::Snort (This module splits a Snort rule into its basic parts, which saves me writing a low-level parser)
  • Net::IP and Net::CIDR (Used for IP checks)

The code can be checked out from our SVN using

        svn checkout https://svn.own-hero.net/sysadmin/snortvalidator

Contribute

If you find a rule example that Snort accepts but that is either wrong, ambiguous or likely to do something other than intended, please send me an example at decoder@own-hero.net. The same in general also holds for errors that Snort does detect, but only if the effort required to detect them statically is comparable. Remember that SnortValidator is not meant to replace Snort's checks in general.

Topic revision: r2 - 2009-08-06 - ChristianHoller
Copyright © Emerging Threats