is a tool that analyzes snort rules and searches for certain syntactic and semantic errors. It aims to supplement Snort itself, which has a very weak error checking at some points. Hence, SnortValidator
detects many things that Snort will silently accept, but that will for sure not work. Additionally, it detects some common semantic problems that indicate wrong usage of keywords that will certainly not do what you actually intended.
What is checked?
The following list is an excerpt
of what SnortValidator
- Most basic syntactic skeleton of a rule
- IP addresses, Ports, Ranges, Directions, Protocols, Actions
- Duplicate SID checking, References, Classtypes
- Basic syntactic validity of all keywords (using regular expressions and more complex logic where required)
- Semantic checks for a subset of keywords, including context sensitivity (flow, within, depth, rawbytes, byte tests, etc...)
- PCRE expression checker
is entirely written in perl, and only has a small number of CPAN dependencies (apart from standard modules):
- Parse::Snort (This module splits a snort rule into it's basic parts, saves me writing a low level parser)
- Net::IP and Net::CIDR (Used for IP checks)
The code can be checked out from our SVN using
svn checkout https://svn.own-hero.net/sysadmin/snortvalidator
If you find a rule example, that Snort accepts but that is either wrong, ambiguous or likely to do something else than intended, please send me an example to firstname.lastname@example.org.
The same in general also holds for errors that Snort actually detects, but only if the effort required to detect it statically is comparative. Remember that SnortValidator
is not meant to replace Snort's checks in general.