[Snort-users] New Vision Rule Problems

Brent Erickson erickson at ...239...
Fri Aug 18 16:37:00 EDT 2000


Snort does not seem to like the following new vision rule:


alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS305/web-IIS view source via Translate header"; content: "Translate: F"; nocase; flags: AP;)

If I do not comment out the rule, Snort says there is a content quotation missing.

Since I am just a beginner with Snort rules, I am not exactly sure what is missing or out of place.

Maybe it is the : after Translate. Because the quotes are indeed there.

Brent Erickson

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20000818/0227160e/attachment.html>


More information about the Snort-users mailing list