[Snort-users] New Vision Rule Problems

Sean C Doherty seand at ...232...
Fri Aug 18 17:22:07 EDT 2000


I have encountered the exact same problem.  (using snort 1.6.3 (win32)  Same
fix also, had to comment it out.

Sean D

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Brent Erickson
Sent: Friday, August 18, 2000 4:37 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] New Vision Rule Problems


Snort does not seem to like the following new vision rule:


alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS305/web-IIS view source
via Translate header"; content: "Translate: F"; nocase; flags: AP;)

If I do not comment out the rule, Snort says there is a content quotation
missing.

Since I am just a beginner with Snort rules, I am not exactly sure what is
missing or out of place.

Maybe it is the : after Translate. Because the quotes are indeed there.

Brent Erickson





More information about the Snort-users mailing list