[Snort-users] Content list 2

Matt Kettler mkettler at ...4108...
Thu Dec 5 11:04:03 EST 2002

<removing cross-post to snort-sigs, leaving this only on snort-users>

Hmm, why are there \ characters in the MIDDLE of the line in a snort rule?? 
Those should only exist where there's a line break to prevent the line 
break from terminating the rule.

Those rules should be (note the removal of one mis-placed \ per rule)

alert tcp any any -> any
(content: "|CAFEBABE|";content: "|AB3FFC0B|"; \
nocase; msg:"Fake Stuff";)

alert tcp any any -> any \
(content: "|CAFEBABE|";nocase; msg:"Cool Stuff";)

At 01:16 PM 12/5/2002 -0300, Aditya at ...7657... wrote:

>Hi Friends
>Hi Matt Kettler, you were right about contents, they really do AND
>operations :)
>I was mistaken. But now I have another doubt: inside my snort.conf file
>I just included directly these two rules
>alert tcp any any -> any
>(content: "|CAFEBABE|";\content: "|AB3FFC0B|"; \
>nocase; msg:"Fake Stuff";)
>alert tcp any any -> any \
>(content: "|CAFEBABE|";\nocase; msg:"Cool Stuff";)
>It doesn't report any error, snort understands the rules, but my alerts
>are not generated. I want to know where I am wrong, if you or someone else
>could help me please!!!
>The funny thing is when I use an activate dynamic rule the alert is
>generated, like this one
>activate tcp any any -> any (content: "|CAFEBABE|";\
>activates: 1; nocase; msg:"Cool Stuff";)
>dynamic tcp any any -> any (activated_by: 1; count: 10;)
>INPE- Brazilian Space Research Center
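
An added example, not part of the original message and not Snort's own parser: a small Python check for the mistake this message describes, reporting every backslash that is neither the last character of a line nor inside a quoted option value. The function name and the sample text are assumptions made for illustration; the first sample rule is the poster's "Cool Stuff" rule and the second is constructed to show that an escaped quote inside content is not reported.

```python
def find_stray_backslashes(rules_text):
    """Return (line, column) of every backslash that is neither a line
    continuation nor part of an escape inside a quoted option value."""
    findings = []
    in_quotes = False  # quote state carries over a continued line
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        # Only a backslash that is the very last character continues the
        # line; one followed by trailing spaces is reported like any other.
        continued = line.endswith("\\")
        i = 0
        while i < len(line):
            ch = line[i]
            if in_quotes:
                if ch == "\\" and i + 1 < len(line):
                    i += 2  # escaped character such as \" inside the string
                    continue
                if ch == '"':
                    in_quotes = False
            elif ch == '"':
                in_quotes = True
            elif ch == "\\" and not (continued and i == len(line) - 1):
                findings.append((line_no, i + 1))
            i += 1
        if not continued:
            in_quotes = False  # the rule ended at this line break
    return findings


# Sample input: rule 1 is quoted from the message, rule 2 is constructed.
SAMPLE = r'''alert tcp any any -> any \
(content: "|CAFEBABE|";\nocase; msg:"Cool Stuff";)
alert tcp any any -> any any \
(content: "a\"b"; msg:"escaped quote";)
'''

if __name__ == "__main__":
    for line_no, col in find_stray_backslashes(SAMPLE):
        print(f"line {line_no}, column {col}: backslash in the middle of a rule")
```
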
