Snort mailing list archives
Re: Are commas allowed in signature descriptions?
From: Matthew Jonkman <jonkman () jonkmans com>
Date: Thu, 9 Dec 2010 11:23:51 -0500
We are officially avoiding commas in msg file now at ET and ET Pro. I believe we have them all edited as of a few weeks ago.

Also avoiding dashes and parentheses in there, but I doubt we have those all cleaned out yet.

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

On Dec 9, 2010, at 11:07 AM, Alex Kirk <akirk () sourcefire com> wrote:

> OK, OK - to clarify, Snort itself allows a comma in the msg string; that's a valid point about other tools.
>
> On Wed, Dec 8, 2010 at 8:58 PM, waldo kitty <wkitty42 () windstream net> wrote:
>
>> On 12/8/2010 09:10, Alex Kirk wrote:
>>> Yes, you can put commas into a rule msg string. You cannot, however, put semicolons in that field, which should make for a reasonable delimiter.
>>
>> actually not... the "MSG:blah blah blah" section is one of the most troublesome areas in snort/IDS rules... why? because there are many tools out there that parse the MSG text in CSV format and a comma in them causes all kinds of problems... witness the emerging threats rules and how they (have to) take extra care to not put commas in the MSG text area of snort/IDS rules...
>>
>> one specific example is "eval(function(p,a,c,k,e,d)" which is a javascript thing... if i understand javascript properly, this denotes 6 functions with the single character names of p, a, c, k, e, and d... but i may be incorrect on this... however, those commas in the MSG text do cause all kinds of problems and are best left out of that text string ;)
>>
>>> On Wed, Dec 8, 2010 at 7:54 AM, Paul Halliday <paul.halliday () gmail com> wrote:
>>>> I have an input box where you will be able to put multiple signature names prior to a query. What is the safest delimiter?
>>>>
>>>> Thanks.
>
> --
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk () sourcefire com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
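
The parsing problem discussed in this thread, as an added example that is not part of any poster's message: a msg containing commas breaks a bare comma-split export, while quoted CSV or a semicolon delimiter keeps the signature name whole. The rules, sids and function names below are constructed for illustration, and the semicolon split assumes msg strings contain no semicolons, as stated in the thread.

```python
import csv
import io
import re

# Constructed sample rules (not real ET or VRT signatures); sids are made up.
RULES = [
    'alert tcp any any -> any 80 (msg:"EXAMPLE eval(function(p,a,c,k,e,d) packer"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"EXAMPLE plain signature name"; sid:1000002; rev:1;)',
]

MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def parse_rule(rule):
    """Return (sid, msg) extracted from one rule line."""
    return int(SID_RE.search(rule).group(1)), MSG_RE.search(rule).group(1)


def naive_csv_line(sid, msg):
    """What a fragile exporter does: join fields with bare commas."""
    return f"{sid},{msg}"


def naive_csv_parse(line):
    """What a fragile consumer does: split on every comma."""
    return line.split(",")


def quoted_csv_roundtrip(sid, msg):
    """Write and re-read the same record with every field quoted."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerow([sid, msg])
    return next(csv.reader(io.StringIO(buf.getvalue())))


def split_signature_names(user_input):
    """Split an input-box value holding several signature names on ';'.
    Assumes msg strings contain no semicolons, per the thread."""
    return [name.strip() for name in user_input.split(";") if name.strip()]


if __name__ == "__main__":
    for rule in RULES:
        sid, msg = parse_rule(rule)
        print("naive :", naive_csv_parse(naive_csv_line(sid, msg)))
        print("quoted:", quoted_csv_roundtrip(sid, msg))
    names = "; ".join(parse_rule(r)[1] for r in RULES)
    print("input :", split_signature_names(names))
```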
Current thread:
- Are commas allowed in signature descriptions? Paul Halliday (Dec 08)
- Re: Are commas allowed in signature descriptions? Alex Kirk (Dec 08)
- Re: Are commas allowed in signature descriptions? waldo kitty (Dec 08)
- Re: Are commas allowed in signature descriptions? Alex Kirk (Dec 09)
- Re: Are commas allowed in signature descriptions? Matthew Jonkman (Dec 17)
- Re: Are commas allowed in signature descriptions? waldo kitty (Dec 08)
- Re: Are commas allowed in signature descriptions? Alex Kirk (Dec 08)