Snort mailing list archives
Re: Snort++ Escaping characters in signature content
From: Russ <rucombs () cisco com>
Date: Tue, 24 Jan 2017 12:03:04 -0500
Thanks - we will get that fixed.

On 1/24/17 10:54 AM, secres () linuxmail org wrote:

It was brought to my attention today that Snort++ seems to have an issue with escaping " characters in content rules. For instance, take the below signature that looks for ":\. If put through Snort++ 3.0.0-a4-222 you'll get a few errors.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Testing Escape Characters"; content:"Look for \" and \; and \' and \\"; sid:11111; rev:1;)

o")~ Snort++ 3.0.0-a4-222
...
ERROR: /opt/snort3/etc/snort/error.rules:1 invalid byte code at 13
ERROR: /opt/snort3/etc/snort/error.rules:1 fast_pattern_offset must be less than the actual pattern length which is 0.
ERROR: /opt/snort3/etc/snort/error.rules:1 can't finalize content

But if you replace \" with byte code |22| it works just fine. I also tested this signature in 2.9.8 and either one works. I typically don't have an issue with it because I always use |22| but since I've seen other signatures that use \" instead of the byte code is there a fix for this?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Testing Escape Characters"; content:"Look for |22| and \; and \' and \\"; sid:11111; rev:1;)

o")~ Snort++ 3.0.0-a4-222
...
Snort successfully validated the configuration.
o")~ Snort exiting

--== Initializing Snort ==--
...
Version 2.9.8.2 GRE (Build 335)
...
Snort successfully validated the configuration!
Snort exiting

Hope this helps anyone with the same issue. Thanks!

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
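The workaround described in the post (writing |22| instead of \"), as an added example that is not part of the thread or of Snort itself: a Python helper that rewrites \" to |22| inside content options only. The function names are hypothetical, and it assumes one rule per line and that an inserted |22| may be merged into an adjacent hex block. It tokenizes the value rather than doing a plain string replace, because the rule in the post ends its content with \\" (an escaped backslash followed by the closing quote), which a naive replace of \" would corrupt.

```python
import re

# A content option and its quoted value; backslash escapes are consumed in
# pairs so an escaped quote (\") does not end the value and \\" does.
CONTENT_RE = re.compile(r'(\bcontent\s*:\s*!?\s*")((?:\\.|[^"\\])*)(")')
# Tokens inside the value: |hex block|, backslash escape, or literal run.
TOKEN_RE = re.compile(r'\|([^|]*)\||(\\.)|([^|\\]+)')

def rewrite_value(value):
    """Return value with every \\" outside a hex block replaced by |22|."""
    tokens = list(TOKEN_RE.finditer(value))
    has_quote = any(m.group(2) == '\\"' for m in tokens)
    # Leave the value alone if nothing needs changing or it did not tokenize
    # cleanly (for example an unbalanced pipe).
    if not has_quote or "".join(m.group(0) for m in tokens) != value:
        return value
    out = []  # (is_hex, text) segments
    for m in tokens:
        hex_bytes, esc, text = m.groups()
        if esc == '\\"':
            hex_bytes = "22"
        if hex_bytes is None:
            out.append((False, esc or text))
        elif out and out[-1][0]:
            # Merge with the preceding hex block instead of emitting "||".
            out[-1] = (True, out[-1][1] + " " + hex_bytes)
        else:
            out.append((True, hex_bytes))
    return "".join(f"|{t}|" if is_hex else t for is_hex, t in out)

def rewrite_rule(rule):
    """Rewrite every content option in one rule line."""
    return CONTENT_RE.sub(
        lambda m: m.group(1) + rewrite_value(m.group(2)) + m.group(3), rule)

# The failing rule from the post, used as sample input.
SAMPLE_RULE = r'''alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Testing Escape Characters"; content:"Look for \" and \; and \' and \\"; sid:11111; rev:1;)'''

if __name__ == "__main__":
    print(rewrite_rule(SAMPLE_RULE))
```

Run on the failing rule from the post, it produces the second rule from the post, the one that validated on both versions.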