[Snort-users] Snort 1.7-beta0 and08292k.rules ERROR Line 518 => Content data needs to be enclosed in quotation marks (")!

Fyodor fygrave at ...121...
Mon Sep 25 06:06:47 EDT 2000


~ :I just grabbed the latest snort via cvs, compiled and ran it. It
~ :didn't like line518 in the 08292k.rules file. I can't see anything
~ :wrong with it, all the content is in quotes. Am I missing something?
~ :
~ :This is liine 518 from 08292k.rules;
~ :
~ :alert tcp any any -> $HOME_NET 6667 (flags: PA; content: "USER ";
~ :nocase; offset:0; depth:5; content: " "; offset:11; depth:1; content:
~ :" "; offset: 18; depth:1; content: " :"; offset: 26; depth: 2; msg:
~ :"PrettyPark activity!";)
~ :

replace `content: " :"' with `content: " \:"' and it should go. :)
Some fuzzy logic inside the parser :), should be gone when we switch to
flex, I hope :)




More information about the Snort-users mailing list