[Snort-users] IDS484 error

Olivier Grumelard olivier.grumelard at ...1463...
Fri Mar 2 10:07:45 EST 2001


Hi,

The '|' delimiter is used to insert hex code into the 'content:' field.
"3200000006000000|Drives|2400|" is interpreted as *string*
"3200000006000000", followed by *hex code* "Drives" ('D' doesn't trigger an
error, but 'r' does), and so on... You should start with a '|', and snort
will be able to parse the rule. Your rule should read:

alert TCP $INTERNAL 2589 -> $EXTERNAL 1024: (msg:
"IDS484/trojan-active-dagger_1.4.0"; flags: A+; content:
"|3200000006000000|Drives|2400|"; depth: 16;)

Cheers,

Olivier.


At 09:49 02/03/01 -0500, Joshua Fritsch wrote:
>AAAAGGGGHHHH!!! Don't make me think in hex! :)
>
>Snort dies when I add this rule:
>
>alert TCP $INTERNAL 2589 -> $EXTERNAL 1024: (msg:
>"IDS484/trojan-active-dagger_1.4.0"; flags: A+; content:
>"3200000006000000|Drives|2400|"; depth: 16;)
>Here's the error from /var/log/messages:
>
>Mar  2 09:41:08 foo snort: ERROR Line 25 => What is this "r"(0x72) doing in
>your binary buffer?  Valid hex values only please! (0x0 - 0xF) Position: 18
>
>Rule taken from:
>
>http://www.whitehats.com/info/IDS484
>
>-J
>

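The parsing rule Olivier describes can be checked directly. This is an added example, not code from the post or from Snort itself: a small parser for the text between the quotes of a content: option, where '|' toggles between literal text and a hex byte buffer. Run on the two patterns from the thread it reproduces the error position (18, the 'r' in "Drives") for the posted rule and yields a 16-byte pattern for the corrected one, which is why depth: 16 fits.

```python
# Added example (not Snort's own code): '|' toggles between literal text and
# a hex buffer, so the same characters mean different things depending on
# where the first '|' sits. Spaces inside a hex section are ignored.
HEX_DIGITS = set("0123456789abcdefABCDEF")

class ContentParseError(ValueError):
    """Malformed content: pattern; .pos is the offending character index."""
    def __init__(self, message, pos):
        super().__init__(f"{message} Position: {pos}")
        self.pos = pos

def parse_content(pattern: str) -> bytes:
    """Return the bytes Snort would search for, given the text between the quotes."""
    out = bytearray()
    in_hex = False
    hex_buf = ""
    for pos, ch in enumerate(pattern):
        if ch == "|":
            if in_hex:
                if len(hex_buf) % 2:
                    raise ContentParseError("odd number of hex digits in binary buffer.", pos)
                out += bytes.fromhex(hex_buf)
                hex_buf = ""
            in_hex = not in_hex
        elif in_hex:
            if ch == " ":                    # Snort allows spacing out hex bytes
                continue
            if ch not in HEX_DIGITS:
                # Same complaint Snort logged: 'D' is a hex digit, 'r' is not
                raise ContentParseError(
                    f'What is this "{ch}"(0x{ord(ch):02x}) doing in your binary buffer?', pos)
            hex_buf += ch
        else:
            out += ch.encode("latin-1")      # literal text goes through as-is
    if in_hex:
        raise ContentParseError("unterminated hex section, missing closing '|'.", len(pattern))
    return bytes(out)

def error_position(pattern: str):
    """Index Snort would complain about, or None if the pattern parses cleanly."""
    try:
        parse_content(pattern)
    except ContentParseError as e:
        return e.pos
    return None

BROKEN = "3200000006000000|Drives|2400|"    # as posted: leading '|' missing
FIXED = "|3200000006000000|Drives|2400|"    # Olivier's corrected pattern
```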