To escape or not to escape the colon

[Julian Wiegmann <julian.wiegmann () db com>]

Classification: Public

As per manual:

http://manual.snort.org/node32.html#SECTION00451000000000000000

; \ "   aka the semi-colon has to be escaped when content matching.   (by what? The manual should say that it is a 
backslash)

For example:

content: "string\; string2";

However, I have seen some rules where the colon is also escaped:

content: "string\: string2";

but in the same rule I seen a colon that is not escaped also:

content:"Accept: */*|0d0a0d0a|";

Should we or should we not escape a colon?

Or should I just bite the bullet and use hex?

content:"Accept|3A| */*|0d0a0d0a|";



Kind regards,
  Julian Wiegmann
_________________________________________________


---
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have 
received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, 
disclosure or distribution of the material in this e-mail is strictly forbidden.

Please refer to http://www.db.com/en/content/eu_disclosures.htm for additional EU corporate and regulatory disclosures.

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!