Snort mailing list archives

pulledpork and colon within msg-text


From: Claus Regelmann <rgc () rgc1 inka de>
Date: Fri, 10 Mar 2017 22:18:37 +0100

Hello,

pulledpork also generates a file 'sid-msg.map' that maps the sid of a rule to its msg-text.
And other programs, e.g. barnyard2, rely on this file.

If the msg-text of a rule contains a colon, the corresponding text in sid-msg.map is truncated just before the colon.
Is ':' a forbidden character in the 'quoted' message text? I never read about it, and snort never complained about it.

My Perl know-how is very low, but I think the 'split' in the marked line below causes the problem.
---8<-- pulledpork.pl -->8---
...
             my @optarray = split( /(?<!\\);\s*/, $options ) if $options;
             foreach my $option ( reverse(@optarray) ) {
                 my ( $kw, $arg ) = split( /:\s*/, $option ) if $option; <<<<<<<<<<<<
                 my $gid = $k;
                 $gid = 1 if $k == 0;
...
---8<------------------->8---
This ':'-split on the rule's text is too simple. It ignores the quotes around the 'msg:' part.

Is there a friendly Perl specialist to fix the problem?

Regards
Claus
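
The truncation described in the message above, reproduced as an added example (not part of the original post and not pulledpork's own code). It compares the unlimited `split` from the quoted excerpt with a `split` limited to two fields, one possible fix; `parse_options`, `sid_msg_line` and the sample rule are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample rule (not from a real ruleset); its msg text contains colons.
my $rule = 'alert tcp any any -> any 80 (msg:"TEST proto: odd header: seen"; '
         . 'flow:to_server,established; content:"a\;b"; sid:1000001; rev:2;)';

# parse_options() is a hypothetical helper, not a pulledpork function.
# $limit is handed to split(): 0 behaves like the unlimited split in the
# quoted excerpt, 2 splits only at the first colon (keyword / argument).
sub parse_options {
    my ( $rule, $limit ) = @_;
    my ($options) = $rule =~ /\((.*)\)\s*$/s;
    return {} unless defined $options;
    my %opt;
    # Same option separator as the excerpt: ';' not preceded by a backslash.
    foreach my $option ( split( /(?<!\\);\s*/, $options ) ) {
        my ( $kw, $arg ) = split( /:\s*/, $option, $limit );
        next unless defined $kw && length $kw;
        $arg = '' unless defined $arg;
        $arg =~ s/^"|"$//g;    # drop a leading and/or trailing double quote
        $opt{ lc $kw } = $arg;
    }
    return \%opt;
}

# Build a "sid || msg" line, the first two fields of a sid-msg.map entry.
sub sid_msg_line {
    my ($opt) = @_;
    return "$opt->{sid} || $opt->{msg}";
}

print "unlimited split: ", sid_msg_line( parse_options( $rule, 0 ) ), "\n";
print "limit of 2:      ", sid_msg_line( parse_options( $rule, 2 ) ), "\n";
```

With the constructed rule, the unlimited split keeps only the msg text before the first colon, while the limit of 2 keeps the whole quoted text.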