Snort mailing list archives

Re: Help with a rule

From: Luis Daniel Lucio Quiroz <luis.daniel.lucio () gmail com>
Date: Fri, 6 Mar 2009 15:25:38 -0600

You were right,

there was a invisible character.

On Friday 06 March 2009 13:31:05 Markus Lude wrote:

On Fri, Mar 06, 2009 at 12:22:42PM -0600, Luis Daniel Lucio Quiroz wrote:

Thx

However I apply the rule:

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"text mime type
detected in web traffic"; flow:established,from_server;
content:"Content-Type

|3A| text/"; nocase;?sid:1000001; rev:1; \

 classtype:web-application-activity;)

I got

ERROR: Warning: rules/local.rules(10) => Unknown keyword '?sid' in rule!
Fatal Error, Quitting..


What I missing?  regards,

LD


Look at your rule, there is no keyword "?sid". It should be "sid";

Regards,
Markus


---------------------------------------------------------------------------
--- Open Source Business Conference (OSBC), March 24-25, 2009, San
Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing
the Enterprise -Strategies to boost innovation and cut costs with open
source participation -Receive a $600 discount off the registration fee with
the source code: SFAD http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Help with a rule Luis Daniel Lucio Quiroz (Mar 05)
- Re: Help with a rule Joel Esler (Mar 05)
- Re: Help with a rule Paul Schmehl (Mar 05)
  - Re: Help with a rule Frank Knobbe (Mar 05)
    - Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 05)
    - Re: Help with a rule Alex Kirk (Mar 06)
    - Re: Help with a rule Frank Knobbe (Mar 06)
    - Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 06)
    - Message not available
    - Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 06)
    - Re: Help with a rule Markus Lude (Mar 06)
    - Re: Help with a rule Luis Daniel Lucio Quiroz (Mar 06)