[Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
Frank Knobbe
frank at snortsam.net
Fri Oct 9 23:18:48 EDT 2009
On Fri, 2009-10-09 at 20:44 -0500, Luis Daniel Lucio Quiroz wrote:
> I guess this is a bad option. The patch did have:
> RegisterPlugin("fwsam", AlertFWsamOptionInit, NULL, OPT_TYPE_ACTION);
> and it was updated to
> RegisterOutputPlugin("alert_fwsam", OUTPUT_TYPE_FLAG__ALERT, AlertFWsamInit);
> RegisterOutputPlugin("fwsam", OUTPUT_TYPE_FLAG__ALERT, AlertFWsamOptionInit);
Luis,

I just looked at the code. The old patch had:

RegisterOutputPlugin("alert_fwsam", NT_OUTPUT_ALERT, AlertFWsamInit);
(registers the output plugin)

RegisterPlugin("fwsam", AlertFWsamOptionInit);
(registers the fwsam rule option)

Your patch included

RegisterOutputPlugin("alert_fwsam", OUTPUT_TYPE_FLAG__ALERT, AlertFWsamInit);
(registers the output plugin, which seems to work)

RegisterOutputPlugin("fwsam", OUTPUT_TYPE_FLAG__ALERT, AlertFWsamOptionInit);
(which is supposed to register the "fwsam" option, but apparently does not.)

You seem to call the same registration with the same TYPE variable, when
in fact these are not the same. If you can find out how to register a
rule option, that's what the second line is supposed to do. Take a look at
some preprocessors, like http_inspect, which should register any special
rule options (like httpheader). That's how "fwsam" should be registered.

Hope that helps,
Frank
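
A simplified model of the failure described in the message above, added here as an illustration and not taken from the Snort or Snortsam source: output plugins and rule options live in separate keyword tables, and the rule parser consults only the rule-option table. The `model_*` names, the table layout and the sample option arguments are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT Snort source: two independent keyword tables. */
typedef void (*init_fn)(const char *args);
struct entry { const char *name; init_fn init; };

#define MAX_ENTRIES 8
static struct entry output_plugins[MAX_ENTRIES]; /* "output <name>: ..." config lines */
static struct entry rule_options[MAX_ENTRIES];   /* "<name>: ...;" keywords inside a rule */
static int n_output, n_option, option_inits;

static void reg(struct entry *tbl, int *n, const char *name, init_fn fn) {
    if (*n < MAX_ENTRIES) { tbl[*n].name = name; tbl[*n].init = fn; (*n)++; }
}
/* Hypothetical stand-ins for the two different registration calls. */
void model_register_output(const char *name, init_fn fn) { reg(output_plugins, &n_output, name, fn); }
void model_register_option(const char *name, init_fn fn) { reg(rule_options, &n_option, name, fn); }

/* The rule parser looks only in rule_options; a name that exists solely in
 * output_plugins is invisible to it. Returns 0 on success, -1 if unknown. */
int model_parse_rule_option(const char *keyword, const char *args) {
    for (int i = 0; i < n_option; i++) {
        if (strcmp(rule_options[i].name, keyword) == 0) {
            rule_options[i].init(args);
            return 0;
        }
    }
    fprintf(stderr, "Unknown rule option:'%s'.\n", keyword);
    return -1;
}

static void fwsam_output_init(const char *a) { (void)a; }
static void fwsam_option_init(const char *a) { (void)a; option_inits++; }
void model_reset(void) { n_output = n_option = option_inits = 0; }

int main(void) {
    const char *args = "src, 10 minutes"; /* constructed sample option arguments */

    /* Ported patch: both names registered as output plugins. */
    model_register_output("alert_fwsam", fwsam_output_init);
    model_register_output("fwsam", fwsam_option_init);
    printf("both as output plugins: %d\n", model_parse_rule_option("fwsam", args));

    /* Intended split: one output plugin, one rule option. */
    model_reset();
    model_register_output("alert_fwsam", fwsam_output_init);
    model_register_option("fwsam", fwsam_option_init);
    printf("option registered:      %d\n", model_parse_rule_option("fwsam", args));
    return 0;
}
```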