Snort mailing list archives
Re: Trouble with home-made rule
From: Dragos Ruiu <dr () kyx net>
Date: Sun, 17 Jun 2001 23:30:35 +0000
This is a kind of esoteric problem that is likely to bite people who are new to C or unfamiliar with C strings. We ought to put a quick little check for backslashes and a warning message in the parser to make this easier to figure out in the future... I'll send you a patch Marty... I've also been meaning to make the port #'s optional for ICMP rules too rather than having to put in bogus values...

cheers,
--dr

On Sunday 17 June 2001 23:14, Dragos Ruiu wrote:
Your problem is with the backslash before the quote.... \" is how you escape a quote inside the content string so it looks like an unterminated string to the parser.

try: "C:\\"

and remember to add another rule for lowercase: "c:\\"

the slash in the message string may be a problem too. I'd double it up just to make sure....

cheers,
--dr

On Monday 18 June 2001 05:51, Sheahan, Paul (PCLN-NW) wrote:

Hello,

I'm experimenting for the first time creating my own rules. I decided to create a rule that detects whenever one of my servers responds to an external address with "C:\" in the packet in case my servers are giving out any info on the local drive without my knowledge. I added this rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:\"; content: "c:\"; nocase;)

And received this error when starting Snort (the rule above is on line 16):

ERROR Line 16 => Content data needs to be enclosed in quotation marks (")!

Obviously the closed quotation is there. I thought maybe the ":" in "C:\" is confusing Snort? Just a guess. Anyone know how I can fix this?

Thanks!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
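The thread's point, as an added example that is not part of the original messages and is not Snort's own parser code: inside a Snort `content:"..."` string the backslash is an escape character, so the value `"c:\"` ends in the escape sequence `\"`, the closing quote is consumed, and the parser reports an unterminated string, while `"c:\\"` yields the three bytes `c`, `:`, `\` as intended. The toy parser below reproduces that behaviour for a content option (backslash escapes and `|..|` hex sections), and `lint_backslashes` is one possible form of the "quick little check for backslashes" proposed above; the function names, the `VALID_ESCAPES` set, and `PAUL_RULE`/`FIXED_RULE` are assumptions made for this example.

```python
"""Toy Snort-style content-option parser (example; not Snort's code)."""
import re
from typing import Optional, Tuple

# Characters a backslash may escape inside a content string.
# Assumption for this example: backslash, double quote, colon, pipe, semicolon.
VALID_ESCAPES = set('\\";:|')

# Rules from the thread (the original, and the corrected one with the
# backslash doubled), kept here as constructed test input.
PAUL_RULE = r'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:\"; content: "c:\"; nocase;)'
FIXED_RULE = r'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:\\"; content: "c:\\"; nocase;)'


class RuleSyntaxError(ValueError):
    """Raised when a content option cannot be parsed."""


def extract_content_option(rule: str) -> str:
    """Return the text after 'content:' up to the first unescaped ';'."""
    m = re.search(r'content\s*:', rule)
    if not m:
        raise RuleSyntaxError('no content option in rule')
    rest = rule[m.end():]
    i = 0
    while i < len(rest):
        if rest[i] == '\\':          # skip the escaped character
            i += 2
            continue
        if rest[i] == ';':
            return rest[:i + 1]
        i += 1
    return rest


def parse_content_value(option_text: str) -> bytes:
    """Decode a quoted content value into the bytes it matches.

    Handles backslash escapes and |..| hex sections; raises the same
    'enclosed in quotation marks' error Snort printed in the thread when
    no unescaped closing quote is found.
    """
    s = option_text.strip()
    if not s.startswith('"'):
        raise RuleSyntaxError('Content data needs to be enclosed in quotation marks (")!')
    out = bytearray()
    hexbuf = ''
    in_hex = False
    i = 1
    while i < len(s):
        c = s[i]
        if in_hex:                   # inside |..|: collect hex digits
            if c == '|':
                out.extend(bytes.fromhex(hexbuf))
                hexbuf, in_hex = '', False
            elif not c.isspace():
                hexbuf += c
            i += 1
            continue
        if c == '\\':                # escape: the next character is literal
            if i + 1 >= len(s) or s[i + 1] not in VALID_ESCAPES:
                raise RuleSyntaxError(f'invalid escape sequence at offset {i}')
            out.append(ord(s[i + 1]))
            i += 2
            continue
        if c == '|':
            in_hex = True
            i += 1
            continue
        if c == '"':                 # unescaped quote closes the string
            rest = s[i + 1:].strip()
            if rest not in ('', ';'):
                raise RuleSyntaxError(f'unexpected text after closing quote: {rest!r}')
            return bytes(out)
        out.append(ord(c))
        i += 1
    raise RuleSyntaxError('Content data needs to be enclosed in quotation marks (")!')


def lint_backslashes(option_text: str) -> Optional[str]:
    """Warn about the trap in the thread: a backslash right before what was
    meant to be the closing quote, or an unrecognised escape."""
    body = option_text.strip()[1:]
    i = 0
    while i < len(body):
        if body[i] == '\\':
            nxt = body[i + 1] if i + 1 < len(body) else ''
            if nxt == '"' and body[i + 2:].strip() in ('', ';'):
                return 'backslash before the closing quote: write \\\\ for a literal backslash'
            if nxt not in VALID_ESCAPES:
                return f'unrecognised escape \\{nxt}'
            i += 2
        elif body[i] == '"':
            return None
        else:
            i += 1
    return 'unterminated content string'


def check_rule(rule: str) -> Tuple[Optional[bytes], Optional[str]]:
    """Return (matched bytes, None) or (None, error/warning message)."""
    opt = extract_content_option(rule)
    warning = lint_backslashes(opt)
    try:
        return parse_content_value(opt), warning
    except RuleSyntaxError as e:
        return None, f'{e} {warning or ""}'.strip()


if __name__ == '__main__':
    for r in (PAUL_RULE, FIXED_RULE):
        print(check_rule(r))
```

Running the module prints the unterminated-string error (with the backslash hint) for the rule from the thread and `(b'c:\\', None)` for the corrected one; a hex form such as `content:"|43 3A 5C|";` avoids the escaping question entirely.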
Current thread:
- Trouble with home-made rule Sheahan, Paul (PCLN-NW) (Jun 17)
- Re: Trouble with home-made rule Dragos Ruiu (Jun 17)
- Re: Trouble with home-made rule Brian Caswell (Jun 17)
- Re: Trouble with home-made rule Dragos Ruiu (Jun 17)
- Re: Trouble with home-made rule Dragos Ruiu (Jun 17)
- Re: Trouble with home-made rule Brian Caswell (Jun 17)
- Re: Trouble with home-made rule Dragos Ruiu (Jun 17)