[Snort-users] Content "c:"
Sheahan, Paul (PCLN-NW)
Paul.Sheahan at ...2218...
Tue Jun 19 15:47:28 EDT 2001
I'm trying to create a rule that searches for content of "c:" in packets.
But Snort complains that a closing quote is needed. In a prior posting I had
asked about "c:\" and someone mentioned the backslash was a problem. Even
without the backslash this still fails. This is the latest test rule I tried:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:"; content:
Snort complains that content needs an ending quote. Apparently the colon
after the "c" is what is messing this up. Does anyone know how to make a
content rule with "c:" or any drive letter as the content?
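
An added example, not part of the original post: Snort's content option accepts raw bytes as hex between pipe characters, so a byte the rule parser trips over can be written as hex instead of as a literal. The helper below is hypothetical (the names `snort_content` and `build_rule` and the sample msg text are constructed for illustration) and assumes that hex-encoding the colon along with the quote, semicolon, backslash and pipe is enough to get the pattern past the parser.

```python
# Bytes written as hex rather than literally: the characters with special
# meaning inside a content string (" ; \ |) plus ':' (assumption: the colon
# is what the parser in the post is rejecting).
SPECIAL = set('";\\|:')


def snort_content(data: bytes) -> str:
    """Render bytes as a Snort content pattern, hex-encoding unsafe bytes."""
    out = []
    hex_run = []  # consecutive hex bytes share one |..| group
    for b in data:
        ch = chr(b)
        if 0x20 <= b <= 0x7E and ch not in SPECIAL:
            if hex_run:
                out.append("|" + " ".join(hex_run) + "|")
                hex_run = []
            out.append(ch)
        else:
            hex_run.append(f"{b:02X}")
    if hex_run:
        out.append("|" + " ".join(hex_run) + "|")
    return "".join(out)


def build_rule(msg: str, data: bytes) -> str:
    """Build an outbound alert rule shaped like the one in the post."""
    return (
        "alert tcp $HOME_NET any -> $EXTERNAL_NET any "
        f'(msg:"{msg}"; content:"{snort_content(data)}";)'
    )


if __name__ == "__main__":
    # Constructed sample patterns: a drive letter with and without backslash.
    for pattern in (b"c:", b"c:\\", b"d:\\temp"):
        print(build_rule("Outgoing drive letter path", pattern))
```

A two-byte pattern such as `c|3A|` will match a great deal of ordinary outbound traffic, so a rule built this way is normally narrowed with a longer pattern or additional options before it is deployed.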