[Snort-users] New Vision Rule Problems (not?)

Max Vision vision at ...4...
Fri Aug 18 21:02:12 EDT 2000


I am using the latest release of Snort and do not have this same
problem.  The rule works with the colon in the content portion.

[audit ~]# snort -V
-*> Snort! <*-
Version 1.6.3
By Martin Roesch (roesch at ...66..., www.snort.org)

Can people who have had problems please send me (or the list) the version
of Snort that you are using when you see the "content quotation" error
message?

In the meantime, I will switch over to the |3a| technique - I have had to
use this before in rules IDS267, IDS120, IDS121, IDS139, and IDS273.  I
reported the problem quite some time ago and believe that it's since
been fixed.  Since it does work for me with the latest Snort, could
someone else please confirm that they can use content rules with
colons? :)

Thanks!
Max

On Fri, 18 Aug 2000, Jim Forster wrote:
> Just change the rule to use the HEX equiv of the : (3a)
> 
> alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS305/web-IIS view source via Translate header"; flags: PA; content: "Translate|3a| F"; nocase;)
> 
> Jim Forster
> Network Administrator
> RapidNet / DakotaConnect
> 
> When I'm feeling down, I like to whistle.
> It makes the neighbor's dog run to the end of his chain and gag himself.
> 
> ----- Original Message -----
> From: "Sean C Doherty" <seand at ...232...>
> To: "Snort-Users" <snort-users at lists.sourceforge.net>
> Sent: Friday, August 18, 2000 3:22 PM
> Subject: RE: [Snort-users] New Vision Rule Problems
> 
> 
> > I have encountered the exact same problem (using Snort 1.6.3 (win32)).  Same
> > fix also, had to comment it out.
> >
> > Sean D
> >
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Brent Erickson
> > Sent: Friday, August 18, 2000 4:37 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] New Vision Rule Problems
> >
> >
> > Snort does not seem to like the following new vision rule:
> >
> >
> > alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS305/web-IIS view source via Translate header"; content: "Translate: F"; nocase; flags: AP;)
> >
> > If I do not comment out the rule, Snort says there is a content quotation
> > missing.
> >
> > Since I am just a beginner with Snort rules, I am not exactly sure what is
> > missing or out of place.
> >
> > Maybe it is the : after Translate, because the quotes are indeed there.
> >
> > Brent Erickson
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
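As an added illustration (not part of any message in this thread, and not Snort's own code), the following Python sketch decodes a Snort content value, including the |3a| hex escape Jim suggests, and applies it with nocase to a constructed HTTP request carrying a Translate: f header. The parser, the helper names and the two sample requests are assumptions made for the example; it models only the content/nocase matching discussed above, not Snort's rule-option parser or the "content quotation" error itself.

```python
import re

def parse_snort_content(pattern: str) -> bytes:
    """Decode a Snort 'content' option value into the bytes it matches.

    Supports the |..| hex-escape syntax (hex bytes, optionally space
    separated) and backslash escapes for characters Snort treats specially
    inside content (; " \\ |). Everything else is a literal ASCII byte.
    This is an illustrative re-implementation, not Snort's parser.
    """
    out = bytearray()
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "|":
            end = pattern.find("|", i + 1)
            if end == -1:
                raise ValueError("unterminated hex escape in content: %r" % pattern)
            hexpart = pattern[i + 1:end].replace(" ", "")
            if len(hexpart) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexpart):
                raise ValueError("bad hex escape in content: %r" % pattern[i:end + 1])
            out += bytes.fromhex(hexpart)
            i = end + 1
        elif c == "\\":
            if i + 1 >= n:
                raise ValueError("dangling backslash in content: %r" % pattern)
            out.append(ord(pattern[i + 1]))  # escaped literal (e.g. \; or \")
            i += 2
        else:
            out.append(ord(c))  # plain literal byte
            i += 1
    return bytes(out)

def content_matches(pattern: str, payload: bytes, nocase: bool = False) -> bool:
    """Return True if the decoded content appears anywhere in the payload.

    With nocase the comparison is case-insensitive, as the 'nocase;'
    modifier in the IDS305 rule requests.
    """
    needle = parse_snort_content(pattern)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload

# Constructed sample payloads (not captured traffic): a request carrying the
# Translate: f header the IDS305 rule looks for, and a benign request.
TRANSLATE_REQUEST = (
    b"GET /default.asp HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Translate: f\r\n"
    b"\r\n"
)
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)

def rule_hits(payload: bytes) -> dict:
    """Evaluate both spellings of the IDS305 content (literal colon and
    |3a| hex escape) against a payload, with nocase as in the rule."""
    return {
        "literal_colon": content_matches("Translate: F", payload, nocase=True),
        "hex_colon": content_matches("Translate|3a| F", payload, nocase=True),
    }

if __name__ == "__main__":
    # Both spellings decode to the same bytes, so both fire on the same traffic.
    print(parse_snort_content("Translate|3a| F"))
    print(rule_hits(TRANSLATE_REQUEST), rule_hits(BENIGN_REQUEST))
```

Note that the hex escape changes only how the rule is written, not what it matches: "Translate|3a| F" and "Translate: F" decode to identical bytes, and the nocase modifier is what lets the rule catch the lowercase "Translate: f" actually sent on the wire.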
