Wed Jun 20 08:50:03 EDT 2001

> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing C:";
> content:"c\:"; nocase;)

	Just as a general FYI to the list, having shot myself in the foot
once or twice this way - if you're using a centralized syslog server,
rules like the one above will set up an 'endless loop' of alerts.

	Rule of thumb:  never put the exact content:"" in the msg:"".  
For the above, I'd recommend something like:

alert <blah blah> (msg:"Outgoing C prompt"; content:"c\:"; nocase;)
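Added example, not part of the original post: a small Python lint that flags a rule whose msg text contains the rule's own content pattern, which is the condition for the loop described above when alerts are forwarded over the monitored network. The function names and the simplified option parser are assumptions; negated contents and modifiers other than nocase are ignored.

```python
import re

# Matches  key:"value";  or a bare  key;  inside the rule's parentheses.
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*(!?)"((?:\\.|[^"\\])*)")?\s*;')

def decode(text, hex_blocks=True):
    """Decode a quoted rule string: backslash escapes and |hex| blocks."""
    out, i = bytearray(), 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            out += text[i + 1].encode("latin-1")   # \: \; \" \\ -> literal
            i += 2
        elif ch == "|" and hex_blocks and "|" in text[i + 1:]:
            end = text.index("|", i + 1)
            out += bytes.fromhex(text[i + 1:end])  # e.g. |43 3A|
            i = end + 1
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)

def self_matching(rule):
    """True if every positive content pattern also occurs in the rule's msg.

    Assumption: the forwarded alert line carries the msg text verbatim.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    msg, patterns = b"", []
    for key, negated, value in OPTION_RE.findall(body):
        if key == "msg":
            msg = decode(value, hex_blocks=False)
        elif key == "content" and not negated:
            patterns.append([decode(value), False])
        elif key == "nocase" and patterns:
            patterns[-1][1] = True                 # applies to previous content
    if not patterns:
        return False
    return all((p.lower() in msg.lower()) if nocase else (p in msg)
               for p, nocase in patterns)

# Constructed sample input: the rule from the thread and the renamed version.
ORIGINAL_RULE = (r'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
                 r'(msg:"Outgoing C:"; content:"c\:"; nocase;)')
RENAMED_RULE = (r'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
                r'(msg:"Outgoing C prompt"; content:"c\:"; nocase;)')

if __name__ == "__main__":
    for rule in (ORIGINAL_RULE, RENAMED_RULE):
        print("SELF-MATCH" if self_matching(rule) else "ok        ", rule)
```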


