[Snort-sigs] Snort++ Escaping characters in signature content

Russ rucombs at ...3865...
Tue Jan 24 12:03:04 EST 2017


Thanks - we will get that fixed.

On 1/24/17 10:54 AM, secres at ...2984... wrote:
> It was brought to my attention today that Snort++ seems to have an
> issue with escaping " characters in content rules.  For instance, take
> the below signature that looks for ":\.  If put through Snort++ 
> 3.0.0-a4-222 you'll get a few errors.
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Testing 
> Escape Characters"; content:"Look for \" and \; and \' and \\"; 
> sid:11111; rev:1;)
> o")~   Snort++ 3.0.0-a4-222
> ...
> ERROR: /opt/snort3/etc/snort/error.rules:1 invalid byte code at 13
> ERROR: /opt/snort3/etc/snort/error.rules:1 fast_pattern_offset must be 
> less than the actual pattern length which is 0.
> ERROR: /opt/snort3/etc/snort/error.rules:1 can't finalize content
> But if you replace \" with byte code |22| it works just fine.  I also 
> tested this signature in 2.9.8 and either one works.  I typically
> don't have an issue with it because I always use |22| but since I've 
> seen other signatures that use \" instead of the byte code is there a 
> fix for this?
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Testing 
> Escape Characters"; content:"Look for |22| and \; and \' and \\"; 
> sid:11111; rev:1;)
> o")~   Snort++ 3.0.0-a4-222
> ...
> Snort successfully validated the configuration.
> o")~   Snort exiting
>         --== Initializing Snort ==--
> ...
> Version 2.9.8.2 GRE (Build 335)
> ...
> Snort successfully validated the configuration!
> Snort exiting
> Hope this helps anyone with the same issue.
> Thanks!

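The workaround reported in the message above (writing |22| instead of \" inside content), as an added example that is not part of the original thread or of Snort itself: a small Python helper that re-encodes escaped double quotes in content options as hex bytes. The function names are hypothetical, and it assumes every | inside a content string toggles hex mode.

```python
import re

# content:"..." option; the quoted body may hold backslash-escaped characters.
# Limitation: a literal 'content:"' inside a msg string would also match.
CONTENT_OPT = re.compile(r'(\bcontent\s*:\s*!?\s*)"((?:\\.|[^"\\])*)"')

# The failing rule from the post, joined onto one line.
SAMPLE_RULE = r'''alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Testing Escape Characters"; content:"Look for \" and \; and \' and \\"; sid:11111; rev:1;)'''

def rewrite_pattern(pattern):
    """Re-encode escaped double quotes as hex 22; return (pattern, count)."""
    parts = pattern.split("|")        # assumption: every | toggles hex mode
    if len(parts) % 2 == 0:           # unbalanced pipes: leave untouched
        return pattern, 0
    tokens, count = [], 0             # each token is [kind, text]

    def push(kind, text):
        if not text:
            return
        if kind == "hex" and tokens and tokens[-1][0] == "hex":
            tokens[-1][1] += " " + text   # merge adjacent hex blocks
        else:
            tokens.append([kind, text])

    for idx, part in enumerate(parts):
        if idx % 2:                   # inside |..|: keep the bytes as written
            push("hex", part.strip())
            continue
        # Walk the literal text one escape pair at a time, so that an
        # escaped backslash followed by a quote is never misread.
        for piece in re.findall(r'\\.|[^\\]+|\\$', part):
            if piece == '\\"':
                push("hex", "22")
                count += 1
            else:
                push("lit", piece)
    if count == 0:                    # nothing to fix: keep original bytes
        return pattern, 0
    return "".join(f"|{t}|" if k == "hex" else t for k, t in tokens), count

def rewrite_rule(rule):
    """Rewrite every content option in one rule; return (rule, total)."""
    total = 0
    def fix(match):
        nonlocal total
        new, n = rewrite_pattern(match.group(2))
        total += n
        return f'{match.group(1)}"{new}"'
    return CONTENT_OPT.sub(fix, rule), total

if __name__ == "__main__":
    print(rewrite_rule(SAMPLE_RULE)[0])
```

Run over the failing rule from the post, it produces the |22| form that the post reports as validating on both 3.0.0-a4-222 and 2.9.8.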

