Snort mailing list archives

Re: Problem with a rule


From: Andreas Östling <andreaso () it su se>
Date: Wed, 10 Apr 2002 20:11:41 +0200 (CEST)

On Wed, 10 Apr 2002, Tom Fischer wrote:

> I've made a rule:
>
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Browser compromised
> .exe start";
> flags:A+;content:"<classid=\"clsid:\"";content:".exe";nocase;
> classtype:browser-compromising;)
>
> and a classification
>
> config classification: browser-compromising;suspicous traffic - browser
> manipulating,1
>
> the classification is ok. But with the rule snort breaks with
> Segmentation fault. So what is wrong? Tried that on two different machines.

From http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.9:
Also note that the following characters must be escaped inside a content
rule:  " : |

I.e. you need to escape your : so it becomes
content:"<classid=\"clsid\:\""; and it shouldn't segfault.

Regards,
Andreas Östling
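
The escaping requirement quoted in the reply above, as an added example that is not part of the original message and is not Snort's own code: a small Python check that scans a rule's content values for unescaped `:` or `"` characters before the rule is loaded. The function names are hypothetical, and treating a `"` followed by `;` as the closing quote is an assumption of this sketch.

```python
import re

# Characters the quoted Snort documentation says must be escaped inside content.
MUST_ESCAPE = '":|'

def escape_content(literal):
    """Backslash-escape the documented characters in a literal string to match."""
    return "".join("\\" + c if c in MUST_ESCAPE else c for c in literal)

def unescaped_in_content(rule):
    """Return (content_index, offset, char) for every unescaped ':' or '"'
    inside a content:"..." value. An unescaped '|' is not flagged, because
    it also delimits hex bytes in a content value."""
    findings = []
    for n, m in enumerate(re.finditer(r'content\s*:\s*"', rule)):
        i = m.end()
        while i < len(rule):
            c = rule[i]
            if c == "\\":              # escaped pair: skip backslash and next char
                i += 2
                continue
            if c == '"':
                # Assumption: the real closing quote is followed by ';'.
                if re.match(r"\s*;", rule[i + 1:]):
                    break
                findings.append((n, i - m.end(), c))
            elif c == ":":
                findings.append((n, i - m.end(), c))
            i += 1
    return findings

# The rule from the question, with the e-mail line wraps joined.
BROKEN_RULE = (
    r'alert tcp $EXTERNAL_NET 80 -> $HOME_NET any '
    r'(msg:"Browser compromised .exe start"; flags:A+;'
    r'content:"<classid=\"clsid:\"";content:".exe";nocase; '
    r'classtype:browser-compromising;)'
)
# The same rule with the correction given in the reply.
FIXED_RULE = BROKEN_RULE.replace(r'clsid:\"', r'clsid\:\"')

if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        print(name, unescaped_in_content(rule))
```
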

