Snort mailing list archives
Re: Problem with a rule
From: Andreas Östling <andreaso () it su se>
Date: Wed, 10 Apr 2002 20:11:41 +0200 (CEST)
On Wed, 10 Apr 2002, Tom Fischer wrote:
> I've made a rule:
>
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Browser compromised .exe start"; flags:A+;content:"<classid=\"clsid:\"";content:".exe";nocase; classtype:browser-compromising;)
>
> and a classification
>
> config classification: browser-compromising;suspicous traffic - browser manipulating,1
>
> the classification is ok. But with the rule snort breaks with Segmentation fault.
> So what is wrong? Tried that on two different machines.
From http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.9:

  Also note that the following characters must be escaped inside a content rule: " : |

I.e. you need to escape your : so it becomes

  content:"<classid=\"clsid\:\"";

and it shouldn't segfault.

Regards,
Andreas Östling
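A pre-load check for the mistake discussed in this thread, as an added example that is not part of the original messages or of Snort: it walks each content string in a rule and reports colons that are not backslash-escaped. The function names and the sample rules are constructed here, and only the colon is checked.

```python
import re

# Constructed samples: BROKEN is the rule quoted in the thread,
# FIXED is the same rule with the colon escaped as the reply suggests.
BROKEN = ('alert tcp $EXTERNAL_NET 80 -> $HOME_NET any '
          '(msg:"Browser compromised .exe start"; '
          'flags:A+;content:"<classid=\\"clsid:\\"";content:".exe";nocase; '
          'classtype:browser-compromising;)')
FIXED = BROKEN.replace('clsid:', 'clsid\\:')

CONTENT_OPEN = re.compile(r'\bcontent\s*:\s*"')


def content_strings(rule):
    """Yield (offset, text) for every content:"..." value in a rule.

    A backslash escapes the next character, so \\" does not end the string.
    """
    pos = 0
    while (m := CONTENT_OPEN.search(rule, pos)):
        i = start = m.end()
        while i < len(rule) and rule[i] != '"':
            i += 2 if rule[i] == '\\' else 1   # skip escaped pairs whole
        yield start, rule[start:i]
        pos = i + 1                            # resume after the closing quote


def unescaped_colons(rule):
    """Return offsets into rule of ':' inside content strings with no backslash."""
    hits = []
    for start, text in content_strings(rule):
        i = 0
        while i < len(text):
            if text[i] == '\\':                # escaped character, not a finding
                i += 2
                continue
            if text[i] == ':':
                hits.append(start + i)
            i += 1
    return hits


if __name__ == '__main__':
    for name, rule in (('broken', BROKEN), ('fixed', FIXED)):
        for off in unescaped_colons(rule):
            print(f'{name}: unescaped ":" at offset {off}: ...{rule[off - 12:off + 4]}...')
        if not unescaped_colons(rule):
            print(f'{name}: content strings are clean')
```

Running such a check over a rules file before restarting the sensor catches this class of typo without relying on the rule parser to reject it.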