[Snort-users] Help with a rule
markus.lude at ...348...
Fri Mar 6 14:31:05 EST 2009
On Fri, Mar 06, 2009 at 12:22:42PM -0600, Luis Daniel Lucio Quiroz wrote:
> However I apply the rule:
> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"text mime type
> detected in web traffic"; flow:established,from_server; content:"Content-Type
> |3A| text/"; nocase;?sid:1000001; rev:1; \
> I got
> ERROR: Warning: rules/local.rules(10) => Unknown keyword '?sid' in rule!
> Fatal Error, Quitting..
> What am I missing? Regards,
Look at your rule, there is no keyword "?sid". It should be "sid";
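
A small pre-flight check for the failure discussed in this thread, added here as an example and not part of the original messages or of Snort itself: it splits a rule's options on `;` and reports any keyword with a stray character in front of it. The helper names and the assumption that option keywords are plain identifiers are mine, and the rule is the one from the post joined onto one line with an assumed closing parenthesis.

```python
import re

WS = " \t\r\n"  # strip ASCII whitespace only, so other stray characters stay visible
# Assumption: an option keyword is a plain identifier (msg, flow, content, sid, rev).
KEYWORD_RE = re.compile(r"^[a-z_][a-z0-9_.]*$", re.IGNORECASE)

def split_options(body):
    """Split a rule's option body on ';', ignoring ';' inside quoted strings."""
    options, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quotes and not escaped:
            options.append("".join(current))
            current = []
            continue
        current.append(ch)
        if escaped:
            escaped = False          # this character was escaped by a backslash
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
    options.append("".join(current))
    return [o.strip(WS) for o in options if o.strip(WS)]

def bad_keywords(rule):
    """Return option keywords that are not plain identifiers like 'sid' or 'rev'."""
    start = rule.find("(")
    if start == -1:
        return []
    end = rule.rfind(")")
    body = rule[start + 1:end] if end > start else rule[start + 1:]
    keywords = (opt.split(":", 1)[0].strip(WS) for opt in split_options(body))
    return [kw for kw in keywords if not KEYWORD_RE.match(kw)]

# The rule from the post joined onto one line; the closing ")" is assumed.
POSTED = ('alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any '
          '(msg:"text mime type detected in web traffic"; '
          'flow:established,from_server; content:"Content-Type |3A| text/"; '
          'nocase;?sid:1000001; rev:1;)')
FIXED = POSTED.replace("?sid", "sid")

if __name__ == "__main__":
    for name, rule in (("posted", POSTED), ("fixed", FIXED)):
        print(name, bad_keywords(rule))
```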