[Snort-devel] Two bugs in rule parser

Erik de Castro Lopo erikd+snort at ...2292...
Mon May 2 22:48:33 EDT 2005


HI all,

I've been looking at the current bleedingsnort.com rule set and
found a couple of rules for which the parser should have been
complaining about a syntax error but didn't.

The first was of the form (note the lack of a semicolone before
nocase):

    content:"foo" nocase;

I haven't looked at the code, but I suspect that in this case
the nocase modifier is simply ignored.

The second problem was that the parser accepted illegal escape 
sequences, in this case:

     content:"www\.whatever\.com";



More information about the Snort-devel mailing list