[Snort-sigs] receiving an error msg on a signature

Brian bmc at ...95...
Tue Feb 4 17:05:32 EST 2003


On Tue, Feb 04, 2003 at 07:25:00PM -0500, nick nelson wrote:
> alert tcp $EXTERNAL_NET 6660:7000 -> $HOME_NET any (msg:"Incoming 
> XDCC Send Request Detected"; flow:to_server,established; content:" 
> :^AXDCC *[Ss][Ee][Nn][Dd] *#[0-9]" ; nocase; offset:0; classtype:misc-
> activity;)

A few things.

* snort doesn't support the regex like you are using.  This isn't
  netranger.
* you need to escape the : inside the content.

-brian




More information about the Snort-sigs mailing list