py-idstools
Rule parsing fails if last option doesn't close with semi-colon
Rules that end their last option without a semi-colon fail parsing, while Snort accepts them, e.g.
Exception: end of option not found: alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"NF - LOCAL Large DNS TCP response - possible CVE-2015-7547 attempt"; flow:to_client,established; byte_test: 1,&,128,4; byte_test:2,>,2000,0; flowbits: set,large_dns_resp; flowbits: noalert; reference:url,seclists.org/snort/2016/q1/285; reference:url,networkforensic.dk; metadata:22022016; classtype:misc-activity; sid:5019401; rev:1)
This happens in rule.py's find_opt_end(), since it only looks for a semi-colon. A simple solution seems to be to also search for a closing parenthesis in case a semi-colon isn't found, but I'm not sure if this could result in unexpected behaviour.
I wrote this tool more for Suricata than Snort, and Suricata does not accept such a rule. I'm a little hesitant to make this change as I don't use this code myself anymore, but others do depend on it.
A quick look at pulledpork3 source code and it looks like it wouldn't accept this rule either, at least not with rev at the end.
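To show what the reporter's suggested change looks like in practice, and what the maintainer's concern about Suricata rejecting such rules means for a caller, here is an added example of a tolerant option scanner. It is not py-idstools code: the function names `find_opt_end` and `parse_rule` and the returned dict are my own, and `SAMPLE_RULE` is the rule from the issue text. The scanner treats either `;` or a closing `)` as the end of the last option, skips over quoted strings and backslash escapes so a `;` or `)` inside `msg:"..."` does not terminate early, and reports whether the final `;` was missing so the caller can decide to accept (Snort behaviour) or reject (Suricata behaviour) the rule.

```python
"""Added example of a tolerant rule-option scanner (not py-idstools code).

`find_opt_end` and `parse_rule` are hypothetical names chosen for this
example; they are not the library's API.
"""
from typing import List, Tuple

# Constructed sample: the rule quoted in the issue above; the last option
# "rev:1" is closed by ")" instead of ";".
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"NF - LOCAL Large DNS TCP '
    'response - possible CVE-2015-7547 attempt"; flow:to_client,established; '
    'byte_test: 1,&,128,4; byte_test:2,>,2000,0; flowbits: set,large_dns_resp; '
    'flowbits: noalert; reference:url,seclists.org/snort/2016/q1/285; '
    'reference:url,networkforensic.dk; metadata:22022016; classtype:misc-activity; '
    'sid:5019401; rev:1)'
)


def find_opt_end(options: str, start: int) -> Tuple[int, bool]:
    """Locate the end of the option that begins at `start` in the option body.

    Returns (index, closed_by_semicolon): `index` is the position of the ';'
    that terminates the option, or of the ')' that closes the rule when the
    final option has no ';'. Quoted strings and backslash escapes are skipped
    so a ';' or ')' inside msg:"..." or content:"..." is not mistaken for a
    terminator. Raises ValueError if no terminator is found at all.
    """
    i = start
    in_quote = False
    while i < len(options):
        c = options[i]
        if c == "\\":
            i += 2  # skip the escaped character (\", \;, \\ ...)
            continue
        if c == '"':
            in_quote = not in_quote
        elif not in_quote:
            if c == ";":
                return i, True
            if c == ")":
                return i, False
        i += 1
    raise ValueError("end of option not found: %s" % options[start:])


def parse_rule(rule: str) -> dict:
    """Split a rule into its header and a list of (name, value) options.

    `missing_final_semicolon` is True when the last option was terminated by
    ')' rather than ';', so a caller can warn or reject instead of silently
    accepting a rule Suricata would refuse.
    """
    header, sep, body = rule.partition("(")
    if not sep:
        raise ValueError("no option section: %s" % rule)
    options: List[Tuple[str, str]] = []
    missing_final_semicolon = False
    pos = 0
    while True:
        while pos < len(body) and body[pos].isspace():  # skip inter-option space
            pos += 1
        if pos >= len(body):
            raise ValueError("end of option not found: %s" % rule)
        if body[pos] == ")":
            break
        end, has_semicolon = find_opt_end(body, pos)
        name, _colon, value = body[pos:end].partition(":")
        options.append((name.strip(), value.strip()))
        if has_semicolon:
            pos = end + 1
        else:
            missing_final_semicolon = True
            pos = end  # next iteration sees ')' and stops
    return {
        "header": header.strip(),
        "options": options,
        "missing_final_semicolon": missing_final_semicolon,
    }


if __name__ == "__main__":
    parsed = parse_rule(SAMPLE_RULE)
    print(parsed["header"])
    for name, value in parsed["options"]:
        print("  %s: %s" % (name, value))
    if parsed["missing_final_semicolon"]:
        print("warning: last option not closed with ';' (Suricata would reject this)")
```

A rule that never closes at all still raises the same "end of option not found" error as the report shows, so the relaxed terminator only changes the one case the issue describes.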