Snort stops and can't restart when using custom rules

  • Hello,

    I am trying to set up Snort on my WAN interface. Everything worked fine until I tried to use custom rules.

    I want to detect some SQL injections; I defined the rule as follows:

    alert tcp any any -> any 80 (msg: "SQLi detected"; content: "OR"; classtype: attempted-recon;)

    Obviously this is a poorly defined rule because the content filter is not fine-tuned at all, but I wanted to see if it worked first.

    The issue is that after saving this custom rule, Snort stops and cannot restart on the interface. Initially I did not use the classtype keyword in my custom rule and read that it could cause this issue, but the issue persists after including the classtype in my rule.

    Thank you in advance for your help.

  • Take a look in the system log and see what error message, if any, that Snort is posting when attempting to start up.

  • Apparently a correct SID was also necessary for the rule to work. I am having trouble finding documentation on which SIDs are taken by pre-defined rules and which SIDs are free to use for custom rules, though.

    In my case I got it to work with sid 203 (which I picked randomly).

  • Yeah, I didn't notice the SID was missing from the rule. Every rule must have a unique SID and a GID. For custom user rules, the GID is always 1. The general consensus is to start custom user rule SIDs at the 2000000 mark or so. You just can never ever have a duplicate SID!

    There are several resources to be found on Google for writing your own Snort rules.
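As an added example (not code from the thread or from the Snort project), a small Python lint for a local rules file that flags the problems raised above: a rule with no sid, a sid in the range the Snort manual reserves for distributed rules (below 1,000,000), a gid other than 1, and duplicate SIDs. The sample rules file is constructed for the example.

```python
import re
from collections import Counter

# The Snort manual reserves SIDs below 1,000,000 for rules shipped with Snort;
# the thread above suggests starting local rules around 2,000,000.
LOCAL_SID_MIN = 1_000_000
OPTION_RE = re.compile(r'\b(sid|gid|rev)\s*:\s*(\d+)\s*;')

def parse_rule(line):
    """Return (header, {option: int}) for one rule line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    header, _, opts = line.partition('(')
    return header.strip(), {k: int(v) for k, v in OPTION_RE.findall(opts)}

def lint_rules(text):
    """Return (line_no, message) findings for a rules file; line 0 means file-wide."""
    findings, sids = [], Counter()
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        _, opts = parsed
        if 'sid' not in opts:
            findings.append((no, 'missing sid; Snort refuses to load a rule without one'))
            continue
        sid = opts['sid']
        sids[sid] += 1
        if opts.get('gid', 1) != 1:
            findings.append((no, f'gid {opts["gid"]} is not 1; custom text rules use gid 1'))
        if sid < LOCAL_SID_MIN:
            findings.append((no, f'sid {sid} is in the range reserved for distributed rules'))
    for sid, count in sorted(sids.items()):
        if count > 1:
            findings.append((0, f'sid {sid} used {count} times; every SID must be unique'))
    return findings

# Constructed sample: the rule as posted, the sid 203 variant, and a local-range sid used twice.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert tcp any any -> any 80 (msg:"SQLi detected"; content:"OR"; classtype:attempted-recon;)
alert tcp any any -> any 80 (msg:"SQLi detected"; content:"OR"; classtype:attempted-recon; sid:203;)
alert tcp any any -> any 80 (msg:"SQLi detected"; content:"OR"; nocase; classtype:attempted-recon; sid:2000001; rev:1;)
alert tcp any any -> any 80 (msg:"SQLi dup"; content:"UNION"; classtype:attempted-recon; sid:2000001; rev:1;)
"""

if __name__ == '__main__':
    for no, msg in lint_rules(SAMPLE_RULES):
        print(f'line {no}: {msg}')
```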

  • Yes, thank you for the best practice on what SID to use for custom rules. This was the information that was missing from the resources available online (although I did not look thoroughly, so I might have just missed it).

    In any case this is resolved.

    Thank you.
