Snort mailing list archives
"Valid hex values only please!" error
From: Peter Bates <peter.bates () ucl ac uk>
Date: Mon, 23 Jan 2012 10:56:18 +0000
Hello all

We have some rules loaded into Snort which are automatically generated from output from Zeustracker.

I arrived in this morning to find that when my Snort had restarted in the night (to pick up the new rules) it threw this error:

ERROR: /etc/snort/rules/zeus.rules(17) What is this "i"(0x69) doing in your binary buffer? Valid hex values only please! (0x0 - 0xF) Position: 18
Fatal Error, Quitting..

The rule in question:

alert tcp any any -> any any (content:"GET /xml.php?q=1|file=qwe.bin "; content:"Host: 184.22.248.194"; msg:"CST ZeuS GET /xml.php?q=1|file=qwe.bin 184.22.248.194 c83b01bed237e1196c7ab5676f49f853"; gid:1; sid:3100016; rev:1;)

I presume the error is generated from the pipe in the content field - can anyone explain what the rule should look like?

Thanks.

--
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
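An added example, not part of the original post and not code from Snort or Zeustracker: in a Snort content string the pipe character opens and closes a run of hex bytes, so a rule generator has to hex-encode a literal pipe (and the other characters that cannot appear literally). The function names are hypothetical and the checker is a simplified pre-load test, not Snort's own parser.

```python
# Content string taken from the rule quoted in the post above.
FEED_CONTENT = "GET /xml.php?q=1|file=qwe.bin "

# Bytes that cannot appear literally inside a Snort 2.x content string:
# '|' toggles hex mode; ';', '\' and '"' terminate or escape the option.
SPECIAL = set(b'|;\\"')
HEX_OK = set("0123456789abcdefABCDEF ")


def snort_content(raw: bytes) -> str:
    """Encode raw bytes as a content value, hex-encoding unsafe bytes."""
    out, hexrun = [], []
    for b in raw:
        if b in SPECIAL or b < 0x20 or b > 0x7E:
            hexrun.append(f"{b:02X}")      # collect adjacent bytes in one |..| run
            continue
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun = []
        out.append(chr(b))
    if hexrun:
        out.append("|" + " ".join(hexrun) + "|")
    return "".join(out)


def check_content(value: str):
    """Return None if every |...| section holds only hex digits and spaces,
    otherwise a short description of the first problem found.
    Simplification: backslash escapes are not interpreted."""
    in_hex = False
    for pos, ch in enumerate(value):
        if ch == "|":
            in_hex = not in_hex
        elif in_hex and ch not in HEX_OK:
            return f"non-hex character {ch!r} at offset {pos}"
    return "unterminated hex section" if in_hex else None


if __name__ == "__main__":
    print("as generated:", check_content(FEED_CONTENT))
    fixed = snort_content(FEED_CONTENT.encode("latin-1"))
    print("encoded     :", fixed, "->", check_content(fixed))
```

Running every generated content and msg value through a check like this before the nightly restart keeps one bad feed entry from stopping the sensor.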