Snort mailing list archives

Re: Are commas allowed in signature descriptions?


From: Alex Kirk <akirk () sourcefire com>
Date: Thu, 9 Dec 2010 11:07:38 -0500

OK, OK - to clarify, Snort itself allows a comma in the msg string; that's a
valid point about other tools.

On Wed, Dec 8, 2010 at 8:58 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 12/8/2010 09:10, Alex Kirk wrote:
Yes, you can put commas into a rule msg string. You cannot, however, put
semicolons in that field, which should make for a reasonable delimiter.

actually not... the "MSG:blah blah blah" section is one of the most troublesome
areas in snort/IDS rules... why? because there are many tools out there that
parse the MSG text in CSV format and a comma in them causes all kinds of
problems... witness the emerging threats rules and how they (have to) take extra
care to not put commas in the MSG text area of snort/IDS rules...

one specific example is "eval(function(p,a,c,k,e,d)" which is a javascript
thing... if i understand javascript properly, this denotes 6 functions with the
single character names of p, a, c, k, e, and d... but i may be incorrect on
this... however, those commas in the MSG text do cause all kinds of problems and
are best left out of that text string ;)


On Wed, Dec 8, 2010 at 7:54 AM, Paul Halliday <paul.halliday () gmail com> wrote:

    I have an input box where you will be able to put multiple signature
    names prior to a query.

    What is the safest delimiter?

    Thanks.


    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users




--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
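
The delimiter problem discussed in this thread, as an added example that is not part of the original messages: it pulls the msg strings out of rules, shows how a plain comma join/split corrupts a list of signature names, and reports which candidate delimiters do not occur in any name. The sample rules, their sids and the function names are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample rules (not from any real ruleset); sids are placeholders.
RULES = [
    'alert tcp any any -> any 80 (msg:"WEB-CLIENT packed eval(function(p,a,c,k,e,d) script"; sid:1000001;)',
    'alert tcp any any -> any 25 (msg:"SMTP oversized header"; sid:1000002;)',
]

# msg:"..." with backslash escapes honoured, so \" does not end the string.
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')


def extract_msgs(rules):
    """Return the msg string of each rule that has one."""
    return [m.group(1) for m in map(MSG_RE.search, rules) if m]


def naive_join_split(names, delim=","):
    """What a tool does when it joins names with a delimiter and splits again."""
    return delim.join(names).split(delim)


def csv_round_trip(names):
    """The same list written and read back with real CSV quoting."""
    buf = io.StringIO()
    csv.writer(buf).writerow(names)
    return next(csv.reader(io.StringIO(buf.getvalue())))


def safe_delimiters(names, candidates=(",", ";", "|", "\t")):
    """Candidates that occur in none of the names, so a plain split is lossless."""
    return [d for d in candidates if not any(d in n for n in names)]


if __name__ == "__main__":
    msgs = extract_msgs(RULES)
    print(len(msgs), "names become", len(naive_join_split(msgs)), "fields after a naive comma split")
    print("CSV quoting preserves the names:", csv_round_trip(msgs) == msgs)
    print("delimiters absent from every name:", safe_delimiters(msgs))
```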
