[Snort-users] New Vision Rule Problems

Jim Forster jforster at ...176...
Fri Aug 18 17:39:01 EDT 2000


Just change the rule to use the HEX equiv of the : (3a)

alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS305/web-IIS view source via Translate header"; flags: PA; content: "Translate|3a| F"; nocase;)

Jim Forster
Network Administrator
RapidNet / DakotaConnect

When I'm feeling down, I like to whistle.
It makes the neighbor's dog run to the end of his chain and gag himself.

----- Original Message -----
From: "Sean C Doherty" <seand at ...232...>
To: "Snort-Users" <snort-users at lists.sourceforge.net>
Sent: Friday, August 18, 2000 3:22 PM
Subject: RE: [Snort-users] New Vision Rule Problems


> I have encountered the exact same problem (using snort 1.6.3 (win32)). Same
> fix also, had to comment it out.
>
> Sean D
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Brent Erickson
> Sent: Friday, August 18, 2000 4:37 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] New Vision Rule Problems
>
>
> Snort does not seem to like the following new vision rule:
>
>
> alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS305/web-IIS view source via Translate header"; content: "Translate: F"; nocase; flags: AP;)
>
> If I do not comment out the rule, Snort says there is a content quotation
> missing.
>
> Since I am just a beginner with Snort rules, I am not exactly sure what is
> missing or out of place.
>
> Maybe it is the : after Translate. Because the quotes are indeed there.
>
> Brent Erickson
>
>
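The fix from this thread, as an added example that is not part of the original messages: a small Python helper that rewrites a rule's content string so the colon goes into Snort's |hex| form, and decodes both forms to confirm they match the same bytes. The function names and the set of escaped characters beyond ':' are assumptions for illustration.

```python
import re

# Bytes to hex-escape. The thread only identifies ':' as the trigger; the
# other entries are an assumption (characters with meaning in rule syntax).
RISKY = frozenset(b':;"\\|')

def decode_content(pattern: str) -> bytes:
    """Expand a content string with |hex| sections into the bytes it matches."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:                      # literal text section
            out += part.encode("latin-1")
        else:                               # hex section, e.g. "3a" or "0d 0a"
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)

def encode_content(data: bytes) -> str:
    """Render bytes as a content string, hex-escaping risky or unprintable bytes."""
    out, run = [], []

    def flush():
        if run:                             # close the pending |..| section
            out.append("|" + " ".join(run) + "|")
            run.clear()

    for b in data:
        if b in RISKY or not 0x20 <= b <= 0x7E:
            run.append(f"{b:02x}")
        else:
            flush()
            out.append(chr(b))
    flush()
    return "".join(out)

def harden_rule(rule: str) -> str:
    """Rewrite every content:"..." option of a rule into the escaped form."""
    def fix(m):
        return 'content: "%s"' % encode_content(decode_content(m.group(1)))
    return re.sub(r'content:\s*"([^"]*)"', fix, rule)

if __name__ == "__main__":
    # The rule quoted in the thread that the parser rejected.
    rule = ('alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS305/web-IIS view '
            'source via Translate header"; content: "Translate: F"; nocase; flags: AP;)')
    print(harden_rule(rule))
```

Only the rule text changes; the bytes matched on the wire are identical, so detection coverage is unchanged.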




