[Snort-users] Content "c:"
Sheahan, Paul (PCLN-NW)
Paul.Sheahan at ...2218...
Tue Jun 19 17:25:05 EDT 2001
I'm not using a "\" (backslash). I am strictly searching for a letter
followed by a colon.
I will give Jim's advice a try. Thanks!
From: Erek Adams [mailto:erek at ...577...]
Sent: Tuesday, June 19, 2001 4:28 PM
To: Sheahan, Paul (PCLN-NW)
Cc: Snort List (E-mail)
Subject: Re: [Snort-users] Content "c:"
On Tue, 19 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:
> I'm trying to create a rule that searches for content of "c:" in packets.
> But Snort complains that a closing quote is needed. In a prior posting I
> asked about "c:\" and someone mentioned the backslash was a problem. Even
> without the backslash this still fails. Ths is the latest test rule I
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:"; content:
> "c:"; nocase;)
> Snort complains that content needs an ending quote. Apparently the colon
> after the "c" is what is messing this up. Does anyone know how to make a
> content rule with "c:" or any drive letter as the content?
Have a look at the attached message.
More information about the Snort-users