[Snort-users] New Vision Rule Problems (not?)
cec at ...68...
Sun Aug 20 23:29:03 EDT 2000
I see the same problems under Snort 1.6.3 on a Solaris 2.7 box.
The error is:
ERROR Line 1 => Content data needs to be enclosed in quotation marks (")!
The solution is fairly simple, rewrite the rule as:
alert TCP any any -> any 80 (msg: "IDS305/web-IIS view source via Translate header"; content: "Translate\: F"; nocase; flags: AP;)
Basically, prepend the : with a \. What is happening is that the rules
parser is making a call to mSplit(). This function is splitting based on
the ':'. The way of avoiding this is to use the "meta" character, which
in the case of the rules call to mSplit is \, to indicate that this
particular : should not indicate a token separator.
The fact that the text in question is enclosed in quotes makes no
difference to mSplit. So, mSplit gives a token that isn't enclosed in
quotes, and the content plugin hangs up on it.
Dr. Christopher E. Cramer
Associate in Research
Duke University, Department of Electrical and Computer Engineering
114 Hudson Hall, Box 90291, Durham, NC 27708-0291
PH: 919-660-5248 FAX: 919-660-5293 email: cec at ...68...
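To make the tokenizing behaviour described above concrete, here is an added C example (not Snort's mSplit() and not code from anyone on the list) that re-implements a quote-unaware split with a meta-character escape, plus the "must be enclosed in quotation marks" check, and runs both forms of the content option through it. The names split_option, content_data_is_quoted, option_token_count and content_option_parses, and the two input strings, are this example's own constructions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MAX_TOKS 8

/* Copy n bytes into freshly allocated, NUL-terminated memory
 * (avoids strdup, which is POSIX rather than ISO C). */
static char *dup_str(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (p != NULL) { memcpy(p, s, n); p[n] = '\0'; }
    return p;
}

/* Hypothetical re-implementation of the splitting behaviour the thread
 * describes (not Snort's mSplit()). Splits `str` on `sep` into at most
 * `max_strs` tokens; a `sep` preceded by `meta` is kept literally and the
 * `meta` byte is dropped. Quotes are deliberately ignored: that is exactly
 * why the unescaped rule breaks. Returns the token count; caller frees out[i]. */
int split_option(const char *str, char sep, char meta, int max_strs, char *out[]) {
    size_t len = strlen(str);
    char *buf = malloc(len + 1);
    size_t blen = 0;
    int ntok = 0;

    for (size_t i = 0; i < len; i++) {
        char c = str[i];
        if (c == meta && i + 1 < len && str[i + 1] == sep) {
            buf[blen++] = sep;   /* escaped separator: keep ':', drop '\' */
            i++;
            continue;
        }
        if (c == sep && ntok < max_strs - 1) {
            out[ntok++] = dup_str(buf, blen);   /* emit token; leading spaces are kept */
            blen = 0;
            continue;
        }
        buf[blen++] = c;
    }
    out[ntok++] = dup_str(buf, blen);   /* last token takes whatever remains */
    free(buf);
    return ntok;
}

/* The check the content plugin is described as making: after trimming
 * surrounding whitespace, the data must start and end with '"'. */
int content_data_is_quoted(const char *tok) {
    while (*tok != '\0' && isspace((unsigned char)*tok)) tok++;
    size_t n = strlen(tok);
    while (n > 0 && isspace((unsigned char)tok[n - 1])) n--;
    return n >= 2 && tok[0] == '"' && tok[n - 1] == '"';
}

void free_tokens(char *toks[], int n) {
    for (int i = 0; i < n; i++) free(toks[i]);
}

/* How many tokens one "content: ..." option splits into (max_strs = 3, as in the debug output). */
int option_token_count(const char *option) {
    char *toks[MAX_TOKS];
    int n = split_option(option, ':', '\\', 3, toks);
    free_tokens(toks, n);
    return n;
}

/* 1 if the option would be accepted (exactly keyword + quoted data),
 * 0 if it would hit the "needs to be enclosed in quotation marks" error. */
int content_option_parses(const char *option) {
    char *toks[MAX_TOKS];
    int n = split_option(option, ':', '\\', 3, toks);
    int ok = (n == 2) && content_data_is_quoted(toks[1]);
    free_tokens(toks, n);
    return ok;
}

int main(void) {
    /* Constructed inputs: the option as first written, and with the colon escaped. */
    const char *inputs[2] = { "content: \"Translate: F\"", "content: \"Translate\\: F\"" };

    for (int k = 0; k < 2; k++) {
        char *toks[MAX_TOKS];
        int n = split_option(inputs[k], ':', '\\', 3, toks);
        printf("[*] Splitting string: %s\n", inputs[k]);
        for (int i = 0; i < n; i++) printf("    tok[%d] = '%s'\n", i, toks[i]);
        printf("    got %d tokens -> %s\n", n,
               content_option_parses(inputs[k]) ? "accepted" : "ERROR: content data not quoted");
        free_tokens(toks, n);
    }
    return 0;
}
```

The unescaped form splits into three tokens (`content`, ` "Translate`, ` F"`), so the second token starts with a quote but does not end with one and fails the check; with `\:` the separator survives inside the data, two tokens come back, and the quote check passes.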
On Sun, 20 Aug 2000, Michael Davis wrote:
> > We don't treat colon (`:') as any special character in content argument
> > parsing routine (have a look on parse-pattern). Basically only following
> > rules apply to content argument:
> It appears to try to parse the colon as another delimiter, such as when
> it splits 'content: "|0980|" '
> into 'content' and ' "|0980|" '
> If you compile mstring.c with DEBUG you can see what is happening:
> mSplit got 2 tokens!
> [*] Splitting string: content: "Translate: F"
> curr_str = 0
> max_strs = 3 curr_str = 0
> Allocating 9 bytes for token tok: content
> curr_str = 1
> max_strs = 3 curr_str = 1
> Checking if curr_str (1) >= max_strs (3)
> Allocating 12 bytes for token tok: "Translate
> curr_str = 2
> max_strs = 3 curr_str = 2
> Checking if curr_str (2) >= max_strs (3)
> Allocating 4 bytes for last token tok: F"
> mSplit got 3 tokens!
> ERROR Line 92 => Content data needs to be enclosed in quotation marks (")!
> This is as far as I have gotten in debugging the problem.
> As stated before it does not appear to be WIN32 specific. I have tested the
> rule on a Debian Linux machine, FreeBSD 4.0 machine, and WIN32. All using
> default builds (./configure ; make)
> Michael Davis
> Chief Technical Officer
> Data Nerds, LLC.
> > all characters should be in range from 0x1f - 0x7e (strange, I would put
> > 0x20 for starters, and 0x80 for endings ;-)), if the character is `|' and it's
> > not preceded by the literal character ('\') the parser enters hex mode, where
> > only 0-9a-fA-F (verified by isxdigit(3)) and spaces are allowed. |
> > switches back to `normal' mode. That's it.
> > By the way, would you mind elaborating on `have the problem'. Are you
> > getting any error message or the rule just `doesn't seem to work'? (sorry
> > if I missed any details in earlier posts under this thread).