[Snort-sigs] bad rule

Gentoo-Wally gentoowally at ...2420...
Mon Jul 31 10:22:28 EDT 2006


odd. I didn't actually see snort throw an error. I use a script to
import the sigs into a db. My script crapped out on that syntax. Since
that had never happend before, and I've never seen that syntax I
thought it was a syntax error.

Wally


On 7/30/06, Justin Heath <justin.heath at ...2420...> wrote:
> Wally,
>
> This syntax is allowed. Was snort complaining about the rule? If so,
> what was the error and what version are you running?
>
> Thanks,
> Justin  Heath
>
> On 7/28/06, Gentoo-Wally <gentoowally at ...2420...> wrote:
> > Just updated my community set and the following rule has a syntax error...
> >
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> > (msg:"COMMUNITY WEB-PHP Horde index.php show XSS attempt";
> > flow:established,to_server; uricontent:"/services/help/index.php";
> > nocase:; uricontent:"show="; nocase:; uricontent:"URL=javascript";
> > nocase:; reference:bugtraq,18845; classtype:web-application-attack;
> > sid:100000703; rev:1;)
> >
> > Should be....
> >
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> > (msg:"COMMUNITY WEB-PHP Horde index.php show XSS attempt";
> > flow:established,to_server; uricontent:"/services/help/index.php";
> > nocase; uricontent:"show="; nocase; uricontent:"URL=javascript";
> > nocase; reference:bugtraq,18845; classtype:web-application-attack;
> > sid:100000703; rev:1;)
> >
> > changed the three nocase:; to nocase;
> >
> > wally
> >
> > -------------------------------------------------------------------------
> > Take Surveys. Earn Cash. Influence the Future of IT
> > Join SourceForge.net's Techsay panel and you'll get the chance to share your
> > opinions on IT & business topics through brief surveys -- and earn cash
> > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
>




More information about the Snort-sigs mailing list