Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Content "c:"

From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Tue, 19 Jun 2001 17:25:05 -0400
I'm not using a "\" (backslash). I am strictly searching for a letter
followed by a colon.

I will give Jim's advice a try. Thanks!


-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Tuesday, June 19, 2001 4:28 PM
To: Sheahan, Paul (PCLN-NW)
Cc: Snort List (E-mail)
Subject: Re: [Snort-users] Content "c:"


On Tue, 19 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:



I'm trying to create a rule that searches for content of "c:" in packets.
But Snort complains that a closing quote is needed. In a prior posting I

had

asked about "c:\" and someone mentioned the backslash was a problem. Even
without the backslash this still fails. Ths is the latest test rule I

tried:


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:"; content:
"c:"; nocase;)

Snort complains that content needs an ending quote. Apparently the colon
after the "c" is what is messing this up. Does anyone know how to make a
content rule with "c:" or any drive letter as the content?


Paul,

        Have a look at the attached message.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: