[Snort-users] FYI - Avoiding bullet->foot w/ Syslog (was Content "c:")

A.L.Lambert max at ...1806...
Wed Jun 20 08:50:03 EDT 2001


> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing C:";
> content:"c\:"; nocase;)

	Just as a general FYI to the list, having shot myself in the foot
once or twice this way - if you're using a centralized syslog server,
rules like the one above will set up an 'endless loop' of alerts.

	Rule of thumb:  never put the exact content:"" in the msg:"".  
For the above, I'd recommend something like:

alert <blah blah> (msg:"Outgoing C prompt"; content:"c\:"; nocase;)

	Cheers!

-- A.L.Lambert
------------------------------------------------------------------------
Everything should be made as simple as possible, but not simpler.
	-Einstein
------------------------------------------------------------------------
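The feedback loop the post describes, checked mechanically, as an added example that is not part of the original post: it pulls the msg, content and nocase options out of a rule and tests whether the content would match the syslog text of that rule's own alert when it crosses the wire to a central syslog host. The syslog line format and the rule parser are constructed approximations for this example, not Snort's own.

```python
import re

# Constructed rules: the one from the post and the suggested replacement.
LOOPING_RULE = r'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing C:"; content:"c\:"; nocase;)'
SAFE_RULE = r'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing C prompt"; content:"c\:"; nocase;)'


def parse_rule(rule: str) -> dict:
    """Extract msg, content and nocase from a rule body (minimal, example-only parser)."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {"nocase": False}
    for name, value in re.findall(r'(\w+)(?::\s*"((?:[^"\\]|\\.)*)")?\s*;', body):
        if name == "nocase":
            opts["nocase"] = True
        elif name in ("msg", "content"):
            opts[name] = value
    return opts


def unescape_content(content: str) -> str:
    """Snort content strings escape ':' ';' '"' and '\\' with a backslash; undo that."""
    return re.sub(r"\\(.)", r"\1", content)


def alert_syslog_line(msg: str) -> str:
    """Constructed approximation of the alert text Snort hands to syslog (IPs are examples)."""
    return f"snort: [1:1000001:1] {msg} {{TCP}} 10.0.0.5:1025 -> 192.0.2.10:514"


def rule_matches_own_alert(rule: str) -> bool:
    """True when the rule's content would fire on the syslog packet carrying its own alert."""
    opts = parse_rule(rule)
    if "content" not in opts or "msg" not in opts:
        return False
    needle = unescape_content(opts["content"])
    haystack = alert_syslog_line(opts["msg"])
    if opts["nocase"]:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack


if __name__ == "__main__":
    for rule in (LOOPING_RULE, SAFE_RULE):
        state = "LOOPS" if rule_matches_own_alert(rule) else "ok"
        print(f"{state}: {parse_rule(rule)['msg']}")
```

Run it over a rules file before pointing alerts at a remote syslog server; any rule reported as LOOPS needs its msg reworded so the content string no longer appears in it.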