[Snort-users] Broken snort rule

Matt Jonkman jonkman at ...4024...
Tue Oct 7 18:08:45 EDT 2008


Except in references and such.

Joel Esler wrote:
> colons, semicolons, quotes, and backslashes should all be specified in
> hex. 
> 
> J
> 
> On Tue, Oct 7, 2008 at 5:16 PM, Matt Jonkman <jonkman at ...4024...> wrote:
> 
>     How about unescaped colons and semicolons, etc?
> 
>     Thanks for the info Matt. I hadn't seen that option. Time to upgrade.
> 
>     Matt
> 
>     Matt Olney wrote:
>     > Actually, in snort 2.8.3.3, the -x control:
>     >
>     > -x         Exit if Snort configuration problems occur
>     >
>     > will fail out on many common rule problems. For example, duplicate sids.
>     >
>     > Matt
>     >
>     > On Tue, Oct 7, 2008 at 2:30 PM, Paul Schmehl <pauls at ...6838...> wrote:
>     >
>     >     --On Tuesday, October 07, 2008 11:48:45 -0500 Matt Jonkman
>     >     <jonkman at ...4024...> wrote:
>     >
>     >
>     >         Cool, I had stopped testing of the autogenerated rules because it didn't
>     >         seem to be of much use. Will turn that back on.
>     >
>     >         Is there an easy way to parse the other rules though for more subtle
>     >         errors? Or force verbosity to get it to tell us about rules ignored?
>     >
>     >
>     >     does # snort -Tvvvvvv not do the trick?
>     >
>     >     --
>     >     Paul Schmehl (pauls at ...6838...)
>     >     Senior Information Security Analyst
>     >     The University of Texas at Dallas
>     >     http://www.utdallas.edu/ir/security/
>     >
>     >
> 
>     --
>     --------------------------------------------
>     Matthew Jonkman
>     Emerging Threats
>     Phone 765-429-0398
>     Fax 312-264-0205
>     http://www.emergingthreats.net
>     --------------------------------------------
> 
>     PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> -- 
> Joel Esler
>   Cell: 706-231-1451
>   AIM:  eslerjoel

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
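
Added example, not part of the original thread or of Snort itself: a small pre-check to run over a rules file before `snort -T`, applying the two points raised above (colons, semicolons, quotes and backslashes in `content` written as hex, and duplicate sids). The sample rules, their sids and the function names are constructed for illustration; only `content` options are inspected, so `msg` and `reference` values are left alone.

```python
import re
from collections import defaultdict

# Characters the thread says to write as |hex| inside content, with their hex form.
SPECIAL = {":": "|3A|", ";": "|3B|", '"': "|22|", "\\": "|5C|"}
CONTENT_RE = re.compile(r'\bcontent:\s*!?"((?:\\.|[^"\\])*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')

def literal_specials(content):
    """Return special characters written literally (or backslash-escaped)
    outside |hex| segments of one content value."""
    found, in_hex, i = [], False, 0
    while i < len(content):
        ch = content[i]
        if ch == "|":
            in_hex = not in_hex
        elif not in_hex:
            if ch == "\\" and i + 1 < len(content):
                i += 1
                ch = content[i]  # the character the backslash escapes
            if ch in SPECIAL and ch not in found:
                found.append(ch)
        i += 1
    return found

def lint_rules(text):
    """Return (findings, duplicate_sids) for a block of rule text."""
    findings, sids = [], defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out rules
        for m in SID_RE.finditer(line):
            sids[int(m.group(1))].append(lineno)
        for m in CONTENT_RE.finditer(line):
            for ch in literal_specials(m.group(1)):
                findings.append((lineno, ch, SPECIAL[ch]))
    dups = {sid: lines for sid, lines in sids.items() if len(lines) > 1}
    return findings, dups

# Constructed sample rules; sids are placeholders and one is reused on purpose.
SAMPLE = r'''
alert tcp any any -> any 80 (msg:"constructed: literal colon"; content:"Host: example"; reference:url,example.com/a; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"constructed: hex colon"; content:"Host|3A| example"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"constructed: escaped semicolon"; content:"a\;b"; sid:1000001; rev:1;)
'''

if __name__ == "__main__":
    findings, dups = lint_rules(SAMPLE)
    for lineno, ch, hexform in findings:
        print(f"line {lineno}: {ch!r} in content, write it as {hexform}")
    for sid, lines in dups.items():
        print(f"sid {sid} appears on lines {lines}")
```

An unescaped double quote inside a `content` value ends the quoted string early, so this check cannot see it; that case is left to Snort's own parser.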





