[Snort-users] help writing snort rule

Bill Lopez Bill at ...14048...
Fri Jan 26 01:56:24 EST 2007

Trying to write a simple rule to parse for SSN in plain text - what am I
doing wrong??




alert ip any any -> $EXTERNAL_NET any
(pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear
Text"; sid: 1000004 )



rule returns this error


ERROR: Unterminated rule in file /etc/snort/rules/TEST.rules, line 5

   (Snort rules must be contained on a single line or

    on multiple lines with a '\' continuation character

    at the end of the line,  make sure there are no

    carriage returns before the end of this line)

Fatal Error, Quitting..


Have tried multiple versions of pcre string but always return the same


Bill Lopez

Operating Engineers Trust Funds

(626) 356-3524

(626) 255-1066


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20070125/f5f1c389/attachment.html>

More information about the Snort-users mailing list