Snort mailing list archives

RE: rule parser and escaped characters


From: "Chris Clark" <cclark () ece gatech edu>
Date: Sat, 1 Mar 2003 15:16:05 -0500


";:|\ are the mandatory ones.  If \ precedes a character other than
this, the \ should be ignored.  I will update the documentation. 

Thanks, that rule makes sense. However, I found some exceptions that
use \r and \n which should be replaced with |0d| and |0a| rather than
ignoring the \ characters.

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any 
(msg:"MULTIMEDIA Windows Media audio download"; flags:A+;
content:"Content-type\: audio/x-ms-wma\r\n";
classtype:policy-violation; sid:1437;  rev:2;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any 
(msg:"MULTIMEDIA Windows Media Video download"; flags:A+;
content:"Content-type\: video/x-ms-asf\r\n"; 
classtype:policy-violation; sid:1438;  rev:2;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any 
(msg:"MULTIMEDIA Shoutcast playlist redirection"; flags:A+;
content:"Content-type\: audio/x-scpls\r\n"; 
classtype:policy-violation; sid:1439;  rev:2;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any 
(msg:"MULTIMEDIA Icecast playlist redirection"; flags:A+;
content:"Content-type\: audio/x-mpegurl\r\n"; 
classtype:policy-violation; sid:1440;  rev:2;)
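
The escaping behaviour discussed in this message, as an added example that is not part of the original post and is not Snort's own parser: a Python decoder that drops the backslash before any character (which covers the mandatory \" \; \: \| \\ escapes), maps \r and \n to 0x0d and 0x0a, and expands |..| hex blocks. The names decode_content, rule_contents and RULE_1437 are hypothetical, and keeping the character that follows an ignored backslash is an assumed reading of "ignored".

```python
import re

CONTROL = {"r": 0x0D, "n": 0x0A}  # the \r and \n exceptions raised in the reply

# Text between the quotes of a content option; \" does not end the string,
# which is why " and \ are among the mandatory escapes.
CONTENT_RE = re.compile(r'content:\s*"((?:\\.|[^"\\])*)"')

def decode_content(text: str) -> bytes:
    """Decode the quoted text of a content option into the bytes to match."""
    out = bytearray()
    hexbuf = None  # None outside a |..| block, collected hex digits inside one
    i = 0
    while i < len(text):
        ch = text[i]
        if hexbuf is not None:           # inside |..|: gather hex digits
            if ch == "|":
                out += bytes.fromhex(hexbuf)
                hexbuf = None
            elif not ch.isspace():
                hexbuf += ch
        elif ch == "|":
            hexbuf = ""
        elif ch == "\\":
            i += 1
            if i == len(text):
                raise ValueError("dangling backslash")
            nxt = text[i]
            if nxt in CONTROL:           # \r -> 0x0d, \n -> 0x0a
                out.append(CONTROL[nxt])
            else:                        # assumption: drop the \, keep the char
                out += nxt.encode("latin-1")
        else:
            out += ch.encode("latin-1")
        i += 1
    if hexbuf is not None:
        raise ValueError("unterminated |..| block")
    return bytes(out)

def rule_contents(rule: str) -> list[bytes]:
    """Decode every content option found in one rule."""
    return [decode_content(m) for m in CONTENT_RE.findall(rule)]

# Rule sid 1437 from the message above, joined onto one line.
RULE_1437 = (r'alert tcp $EXTERNAL_NET 80 -> $HOME_NET any '
             r'(msg:"MULTIMEDIA Windows Media audio download"; flags:A+; '
             r'content:"Content-type\: audio/x-ms-wma\r\n"; '
             r'classtype:policy-violation; sid:1437;  rev:2;)')

if __name__ == "__main__":
    print(rule_contents(RULE_1437))
```

With this decoding, the \r\n form and the |0d 0a| form of the same content option produce identical match bytes.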


