Snort mailing list archives
Re: rule parser and escaped characters
From: Brian <bmc () snort org>
Date: Mon, 3 Mar 2003 14:30:41 -0500
On Sat, Mar 01, 2003 at 03:16:05PM -0500, Chris Clark wrote:
";:|\ are the mandatory ones. If \ preceeds a character other than this, the \ should be ignored. I will update the documentation.Thanks, that rule makes sense. However, I found a some exceptions that use \r and \n which should be replaced with |0d| and |0a| rather than ignoring the \ characters. alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media audio download"; flags:A+; content:"Content-type\: audio/x-ms-wma\r\n"; classtype:policy-violation; sid:1437; rev:2;)
Yeah, these rules need updating. Look for them in my next round of updates. -b ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- rule parser and escaped characters Chris Clark (Feb 25)
- Re: rule parser and escaped characters Chris Green (Feb 25)
- RE: rule parser and escaped characters Chris Clark (Mar 01)
- Re: rule parser and escaped characters Brian (Mar 03)
- RE: rule parser and escaped characters Chris Clark (Mar 01)
- Re: rule parser and escaped characters Chris Green (Feb 25)