Snort mailing list archives
Re: Help with a rule
From: Markus Lude <markus.lude () gmx de>
Date: Fri, 6 Mar 2009 20:31:05 +0100
On Fri, Mar 06, 2009 at 12:22:42PM -0600, Luis Daniel Lucio Quiroz wrote:
Thx However I apply the rule: alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"text mime type detected in web traffic"; flow:established,from_server; content:"Content-Type |3A| text/"; nocase;?sid:1000001; rev:1; \
^
classtype:web-application-activity;) I got ERROR: Warning: rules/local.rules(10) => Unknown keyword '?sid' in rule! Fatal Error, Quitting.. What I missing? regards, LD
Look at your rule, there is no keyword "?sid". It should be "sid"; Regards, Markus ------------------------------------------------------------------------------ Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Help with a rule Luis Daniel Lucio Quiroz (Mar 05)
- Re: Help with a rule Joel Esler (Mar 05)
- Re: Help with a rule Paul Schmehl (Mar 05)
- Re: Help with a rule Frank Knobbe (Mar 05)
- Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 05)
- Re: Help with a rule Alex Kirk (Mar 06)
- Re: Help with a rule Frank Knobbe (Mar 06)
- Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 06)
- Message not available
- Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 06)
- Re: Help with a rule Markus Lude (Mar 06)
- Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 06)
- Re: Help with a rule Frank Knobbe (Mar 05)