[Snort-users] New Vision Rule Problems (not?)

Fyodor fygrave at ...121...
Sun Aug 20 04:32:52 EDT 2000


~ :> 
~ :> alert TCP any any -> any 80 (msg: "IDS305/web-IIS view source via Translate
~ :> header"; content: "Translate: F"; nocase; flags: AP;)
~ :> 
~ :
~ :Thanks for the clarification - I only suggested that you look at it as I
~ :could personally use this rule in the unix snort distribution 1.6.3 -
~ :but had heard two reports from win32 users that they had trouble (and
~ :had not heard other reports of unix trouble until your email above)
~ :
~ :`I am running the Win32 1.6.3 ver... and have the ":' problem` -Sean D
~ :`I am using Snort version 1.6.3 running on Windows NT.` -Brent E
~ :
~ :I guess the only odd thing is that it works fine for me under 1.6.3 on
~ :Redhat 6.2.  I'll have a look since I seem to be the only person reporting
~ :colons working in content rules...

 We don't treat the colon (`:') as a special character in the content argument
parsing routine (have a look at parse-pattern). Basically only the following
rules apply to the content argument:

all characters should be in the range 0x1f - 0x7e (strange, I would put
0x20 for starters, and 0x80 for endings ;-)), if the character is `|' and it's
not prepended by the literal character ('\') the parser enters hex mode, where
only 0-9a-fA-F  (verified by isxdigit(3)) and spaces are allowed. |
switches back to `normal' mode. That's it.

By the way, would you mind elaborating on `have the problem'? Are you
getting any error message or does the rule just `not seem to work'? (sorry
if I missed any details in earlier posts under this thread).
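
Added example, not part of the original message and not Snort's source: a small C parser that applies the content-argument rules described above, showing that the colon in "Translate: F" passes through as an ordinary byte. The name parse_content, dropping the backslash from the output, and rejecting an odd number of hex digits are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustration only (not Snort source). Returns bytes written, -1 if rejected. */
int parse_content(const char *arg, unsigned char *out, size_t cap)
{
    size_t n = 0;
    int hex = 0, escaped = 0, have_hi = 0;
    unsigned hi = 0;

    for (const char *p = arg; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c < 0x1f || c > 0x7e)
            return -1;                      /* range quoted in the message */
        if (c == '|' && !escaped) {         /* unescaped pipe toggles hex mode */
            if (have_hi)
                return -1;                  /* assumption: odd digit count rejected */
            hex = !hex;
            continue;
        }
        if (hex) {
            if (c == ' ')
                continue;                   /* spaces allowed between hex digits */
            if (!isxdigit(c))
                return -1;
            unsigned v = isdigit(c) ? (unsigned)(c - '0') : (unsigned)(tolower(c) - 'a' + 10);
            if (!have_hi) { hi = v; have_hi = 1; continue; }
            c = (unsigned char)((hi << 4) | v);
            have_hi = 0;
        } else if (c == '\\' && !escaped) {
            escaped = 1;                    /* assumption: backslash is dropped */
            continue;
        }
        if (n >= cap)
            return -1;
        out[n++] = c;
        escaped = 0;
    }
    return (hex || escaped) ? -1 : (int)n;  /* unterminated |...| or trailing \ */
}

int main(void)
{
    unsigned char buf[64];
    int n = parse_content("Translate: F", buf, sizeof buf); /* rule from the thread */
    printf("%d bytes, colon kept as 0x%02x\n", n, n > 9 ? buf[9] : 0);
    return n == 12 ? 0 : 1;
}
```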
