[Snort-users] help writing snort rule

Nerijus Krukauskas nkrukauskas at ...11827...
Fri Jan 26 02:28:42 EST 2007


On 26/01/07, Bill Lopez <Bill at ...14048...> wrote:
> Trying to write a simple rule to parse for SSN in plain text - what am I
> doing wrong??
<snip>
> alert ip any any -> $EXTERNAL_NET any
> (pcre:"/\d{3}(\s|-)?\d{2}(\s|-)?\d{4}/"; msg:"SSN Detected in Clear
> Text"; sid: 1000004 )

  You forgot ';' at the end after the 'sid' directive: "...; sid:1000004;)". :)

-- 
http://nk99.org/




More information about the Snort-users mailing list