[Snort-users] IDS484 error
Scott A. McIntyre
scott at ...1050...
Fri Mar 2 10:57:23 EST 2001
> AAAAGGGGHHHH!!! Don't make me think in hex! :)
> Snort dies when I add this rule:
> alert TCP $INTERNAL 2589 -> $EXTERNAL 1024: (msg:
> "IDS484/trojan-active-dagger_1.4.0"; flags: A+; content:
> "3200000006000000|Drives|2400|"; depth: 16;)
> Here's the error from /var/log/messages:
> Mar 2 09:41:08 foo snort: ERROR Line 25 => What is this "r"(0x72) doing in
> your binary buffer? Valid hex values only please! (0x0 - 0xF) Position: 18
Change the content argument to be:
There should be a pipe starting, and stopping, hex data.
The way you had it, the 3200000006000000 was ASCII, and the "Drives" was
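
The error position in the quoted log can be reproduced with a small model of the pipe-toggled hex syntax the reply describes. This is an added example, not part of the original message and not Snort's own parser; `parse_content` and `ContentError` are hypothetical names, escapes are ignored, and the corrected string is constructed from the reply's rule rather than copied from the post.

```python
# Simplified model of a Snort content string: text outside |...| is literal,
# text inside |...| must be hex digits (whitespace allowed) forming whole bytes.
HEX_DIGITS = set("0123456789abcdefABCDEF")

class ContentError(ValueError):
    def __init__(self, char, position):
        super().__init__(
            f'invalid "{char}"(0x{ord(char):x}) in hex section, position {position}')
        self.char = char
        self.position = position

def parse_content(content):
    """Return the bytes the pattern would match, or raise on bad hex."""
    out = bytearray()
    in_hex = False
    nibbles = ""
    for pos, ch in enumerate(content):
        if ch == "|":
            if in_hex and nibbles:          # odd number of hex digits
                raise ContentError(ch, pos)
            in_hex = not in_hex             # each pipe toggles hex mode
        elif not in_hex:
            out += ch.encode("latin-1")     # literal character
        elif ch.isspace():
            continue
        elif ch in HEX_DIGITS:
            nibbles += ch
            if len(nibbles) == 2:
                out.append(int(nibbles, 16))
                nibbles = ""
        else:
            raise ContentError(ch, pos)     # e.g. the "r" in "Drives"
    if in_hex:
        raise ValueError("unterminated |hex| section")
    return bytes(out)

# The string from the quoted rule: the first pipe opens hex mode at "Drives".
BROKEN = "3200000006000000|Drives|2400|"
# Constructed from the reply's rule (a pipe starting and stopping hex data).
FIXED = "|3200000006000000|Drives|2400|"

if __name__ == "__main__":
    try:
        parse_content(BROKEN)
    except ContentError as err:
        print("broken:", err)               # "D" passes as hex, "r" does not
    pattern = parse_content(FIXED)
    print("fixed:", pattern, len(pattern), "bytes")  # fits depth: 16
```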