[Snort-users] New Vision Rule Problems (not?)
mike at ...92...
Sun Aug 20 21:54:45 EDT 2000
> We don't treat colon (`:') as any special character in content argument
> parsing routine (have a look at parse-pattern). Basically only the following
> rules apply to content argument:
It appears to try to parse the colon as another delimiter, such as when
it splits 'content: "|0980|" '
into 'content' and ' "|0980|" '
If you compile mstring.c with DEBUG you can see what is happening:
mSplit got 2 tokens!
[*] Splitting string: content: "Translate: F"
curr_str = 0
max_strs = 3 curr_str = 0
Allocating 9 bytes for token tok: content
curr_str = 1
max_strs = 3 curr_str = 1
Checking if curr_str (1) >= max_strs (3)
Allocating 12 bytes for token tok: "Translate
curr_str = 2
max_strs = 3 curr_str = 2
Checking if curr_str (2) >= max_strs (3)
Allocating 4 bytes for last token tok: F"
mSplit got 3 tokens!
ERROR Line 92 => Content data needs to be enclosed in quotation marks (")!
This is as far as I have gotten in debugging the problem.
As stated before it does not appear to be WIN32 specific. I have tested the
rule on a Debian Linux machine, FreeBSD 4.0 machine, and WIN32. All using
default builds (./configure ; make).
Chief Technical Officer
Data Nerds, LLC.
> all characters should be in range from 0x1f - 0x7e (strange, I would put
> 0x20 for starters, and 0x80 for endings ;-)), if character is `|' and it's
> not prepended by literal character ('\') parser enters hex mode, where
> only 0-9a-fA-F (verified by isxdigit(3)) and spaces are allowed. |
> switches back to `normal' mode. That's it.
> By the way, would you mind elaborating on `have the problem'? Are you
> getting any error message or the rule just `doesn't seem to work'? (sorry
> if I missed any details in earlier posts under this thread).
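
The tokenization in the debug output above can be reproduced with a simplified delimiter splitter. This is an added example, not part of the original post and not Snort's mstring.c; split_max, is_quoted and content_arg_ok are hypothetical names, and the two-token limit is an assumed way to keep a colon inside the quoted argument intact.

```c
#include <stdio.h>
#include <string.h>

#define TOK_LEN 128
#define MAX_TOKS 4

/* Hypothetical simplified splitter, not Snort's mSplit: cut s at each sep
 * until max_toks tokens exist; the last token keeps the whole remainder. */
int split_max(const char *s, char sep, int max_toks, char toks[][TOK_LEN])
{
    int n = 0;
    while (n < max_toks) {
        const char *cut = (n == max_toks - 1) ? NULL : strchr(s, sep);
        size_t len = cut ? (size_t)(cut - s) : strlen(s);
        if (len >= TOK_LEN) len = TOK_LEN - 1;  /* truncate, never overflow */
        memcpy(toks[n], s, len);
        toks[n++][len] = '\0';
        if (!cut) break;
        s = cut + 1;
    }
    return n;
}

/* Quote check: ignoring surrounding blanks, the argument must start and
 * end with a double quote. */
int is_quoted(const char *arg)
{
    while (*arg == ' ') arg++;
    size_t len = strlen(arg);
    while (len > 0 && arg[len - 1] == ' ') len--;
    return len >= 2 && arg[0] == '"' && arg[len - 1] == '"';
}

/* 1 if the option splits into keyword + one quoted argument, else 0. */
int content_arg_ok(const char *option, int max_toks)
{
    char toks[MAX_TOKS][TOK_LEN];
    if (max_toks > MAX_TOKS) max_toks = MAX_TOKS;
    int n = split_max(option, ':', max_toks, toks);
    return n == 2 && is_quoted(toks[1]);
}

int main(void)
{
    const char *opt = "content: \"Translate: F\"";  /* option from the log */
    printf("limit 3: %s\n", content_arg_ok(opt, 3) ? "ok" : "rejected");
    printf("limit 2: %s\n", content_arg_ok(opt, 2) ? "ok" : "rejected");
    return 0;
}
```

With a limit of 3 the second token is cut at the colon inside the quotes, so the quote check fails just as in the log; with a limit of 2 the quoted argument arrives whole.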