[Snort-users] New Vision Rule Problems (not?)
mike at ...92...
Sun Aug 20 23:46:05 EDT 2000
> The fact that the text in question is enclosed in quotes makes no
> difference to mSplit. So, mSplit gives a token that isn't enclosed in
I think it should. mSplit() should split on ':' then since the data after
the colon is in quotes it should strip the quotes and use exactly what was
inside of the quotes. If you need quotes within the quotes then use the
meta character (\"). mSplit() should know the difference between 'content:
"Blah" ' and 'content: "Blah : Blah" '
That is just my two cents.
Chief Technical Officer
Data Nerds, LLC.
> quotes, and the content plugin hangs up on it.
> Dr. Christopher E. Cramer
> Associate in Research
> Duke University, Department of Electrical and Computer Engineering
> 114 Hudson Hall, Box 90291, Durham, NC 27708-0291
> PH: 919-660-5248 FAX: 919-660-5293 email: cec at ...68...
> On Sun, 20 Aug 2000, Michael Davis wrote:
> > Hello,
> > > We don't treat colon (`:') as any special character in content
> > > parsing routine (have a look on parse-pattern). Basically only
> > > rules apply to content argument:
> > It appears to to try to parse the colon as another delimiter, such as
> > it splits 'content: "|0980|" '
> > into 'content' and ' "|0980|" '
> > If you compile mstring.c with DEBUG you can see what is happening:
> > mSplit got 2 tokens!
> > [*] Splitting string: content: "Translate: F"
> > curr_str = 0
> > max_strs = 3 curr_str = 0
> > Allocating 9 bytes for token tok: content
> > curr_str = 1
> > max_strs = 3 curr_str = 1
> > Checking if curr_str (1) >= max_strs (3)
> > Allocating 12 bytes for token tok: "Translate
> > curr_str = 2
> > max_strs = 3 curr_str = 2
> > Checking if curr_str (2) >= max_strs (3)
> > Allocating 4 bytes for last token tok: F"
> > mSplit got 3 tokens!
> > ERROR Line 92 => Content data needs to be enclosed in quotation marks
> > This is as far as I have gotten in debugging the problem.
> > As stated before it does not appear to be WIN32 specific. I have tested
> > rule on a Debian Linux machine, FreeBSD 4.0 machine, and WIN32. All
> > default builds (./configure ; make)
> > Michael Davis
> > Chief Technical Officer
> > Data Nerds, LLC.
> > http://www.datanerds.net
> > > all characters should be in range from 0x1f - 0x7e (strange, I would
> > > 0x20 for startes, and 0x80 for endings ;-)), if character is `|' and
> > > not prepended by literal character ('\') parser enters hex mode, where
> > > only 0-9a-fA-F (verified by isxdigit(3)) and spaces are allowed. |
> > > switches back to `normal' mode. That's it.
> > >
> > > By the way, would you mind to elaborate `have the problem'. Are you
> > > getting any error message or the rule just `doesn't seem to work'?
> > > if I missed any details in earlier posts under this thread).
> > >
> > >
> > >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
More information about the Snort-users