[Snort-users] Trouble with home-made rule
dr at ...381...
Sun Jun 17 19:14:11 EDT 2001
Your problem is with the backslash before the quote....
\" is how you escape a quote inside the content string
so it looks like an unterminated string to the parser.
and remember to add another rule for lowercase:
the slash in the message string may be a problem too.
I'd double it up just to make sure....
On Monday 18 June 2001 05:51, Sheahan, Paul (PCLN-NW) wrote:
> I'm expermenting for the first time creating my own rules. I decided to
> create a rule that detects whenever one of my servers responds to an
> external address with "C:\" in the packet in case my servers are giving out
> any info on the local drive without my knowledge. I added this rule:
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:\"; content:
> "c:\"; nocase;)
> And received this error when starting Snort (the rule above is on line 16):
> ERROR Line 16 => Content data needs to be enclosed in quotation marks (")!
> Obviously the closed quotation is there. I thought maybe the ":" in "C:\"
> is confusing Snort? Just a guess. Anyone know how I can fix this?
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users