[Snort-users] Re: [Snort-sigs] Bad escape sequence?

Ali Eghtessadi ali at ...3823...
Fri Sep 30 08:19:02 EDT 2005


Speedy gonzales CIO

sekure wrote:

>That was what I tried after i fired off the email and it worked.
>
>Thanks!
>
>On 9/30/05, Joel Esler <joel.esler at ...1935...> wrote:
>  
>
>>you may not need to escape it anymore.  remove the "\"
>>
>>J
>>On Sep 30, 2005, at 9:31 AM, sekure wrote:
>>
>>    
>>
>>>I have a rule in my local.rules that i picked up somewhere on the
>>>mailing lists:
>>>
>>>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IE suspicious
>>>access to WSH (Windows Script Host)"; flow: from_server,established;
>>>content:"object"; nocase; content:"id"; nocase; content:"wsh"; nocase;
>>>content:"classid"; nocase; content:"clsid\:"; nocase;
>>>content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; nocase; content:"\/";
>>>nocase; content:"object"; nocase; reference: url,
>>>http.www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm;
>>>classtype:misc-attack; sid:1000042; rev:1;)
>>>
>>>I just upgraded from 2.4.0 to 2.4.2 and upon launching snort i get:
>>>"bad escape sequence starting with "\/". Fatal Error, Quitting.."
>>>This used to work with 2.4.0 and before.  What changed?
>>>
>>>Thanks,
>>>
>>>
>>>-------------------------------------------------------
>>>This SF.Net email is sponsored by:
>>>Power Architecture Resource Center: Free content, downloads,
>>>discussions,
>>>and more. http://solutions.newsforge.com/ibmarch.tmpl
>>>_______________________________________________
>>>Snort-sigs mailing list
>>>Snort-sigs at lists.sourceforge.net
>>>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>
>>>
>>>      
>>>
>>    
>>
>
>
>-------------------------------------------------------
>This SF.Net email is sponsored by:
>Power Architecture Resource Center: Free content, downloads, discussions,
>and more. http://solutions.newsforge.com/ibmarch.tmpl
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=ort-users
>  
>

-- 
Ali Eghtessadi
Chief Information Officer
Babcock & Brown
Phone : 415-267-1626
Email : ali at ...3823...





This email message may contain information that is confidential and proprietary to Babcock & Brown or a third party. If you are not the intended recipient, please contact the sender and destroy the original and any copies of the original message. Babcock & Brown takes measures to protect the content of its communications. However, Babcock & Brown cannot guarantee that email messages will not be intercepted by third parties or that email messages will be free of errors or viruses. 

If you do not wish to receive any further e-mail from Babcock & Brown, please send an email to opt-out at ...13545...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050930/411be243/attachment.html>


More information about the Snort-users mailing list