[Snort-users] Trouble with home-made rule
Sheahan, Paul (PCLN-NW)
Paul.Sheahan at ...2218...
Mon Jun 18 01:51:21 EDT 2001
I'm experimenting for the first time creating my own rules. I decided to
create a rule that detects whenever one of my servers responds to an
external address with "C:\" in the packet in case my servers are giving out
any info on the local drive without my knowledge. I added this rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:\"; content:
And received this error when starting Snort (the rule above is on line 16):
ERROR Line 16 => Content data needs to be enclosed in quotation marks (")!
Obviously the closed quotation is there. I thought maybe the ":" in "C:\" is
confusing Snort? Just a guess. Anyone know how I can fix this?