[Snort-users] New Vision Rule Problems (not?)

Michael Davis mike at ...92...
Sun Aug 20 00:20:43 EDT 2000


Hello,

> Seems like this is particular to the win32 version.  I looked at the diff
> between Marty's rules.c from 1.6.3 versus the rules.c of the win32 1.6,
> 1.6.2.2, and 1.6.3 and didn't see anthing that would cause this.
> Any ideas? :)

It does not seem to effect only the WIN32 version. I have tried it on
FreeBSD 4.0-RELEASE, Linux 2.0.38 and Win32. All were version 1.6.3 and all
have the problem.

The exact line I used to test was the following:

alert TCP any any -> any 80 (msg: "IDS305/web-IIS view source via Translate
header"; content: "Translate: F"; nocase; flags: AP;)

I would debug the problem, however, I have about 5000 other things that
customers, family, etc are making a little more important :)

Sorry,
Michael Davis
Chief Technical Officer
Data Nerds, LLC.
http://www.datanerds.net
> Max
>
> On Sat, 19 Aug 2000, Sean C Doherty wrote:
> > Max,
> > >
> > > Can people who have had problems please send me (or the list) the
version
> > > of Snort that you are using when you see the "content quotation" error
> > > message?
> > >
> >
> > I am running the Win32 1.6.3 version of snort and have the ":' problem
> >
> > The fix posted by Jim i.e. replacing the colon with |3a| worked real
fine,
> > thanks Jim!
> >
> > Sean D
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
> >
>
>





More information about the Snort-users mailing list