[Snort-users] Help with a rule

Markus Lude markus.lude at ...348...
Fri Mar 6 14:31:05 EST 2009


On Fri, Mar 06, 2009 at 12:22:42PM -0600, Luis Daniel Lucio Quiroz wrote:
> Thx
> 
> However I apply the rule:
> 
> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"text mime type 
> detected in web traffic"; flow:established,from_server; content:"Content-Type 
> |3A| text/"; nocase;?sid:1000001; rev:1; \
                      ^
>  classtype:web-application-activity;)
> 
> I got
> 
> ERROR: Warning: rules/local.rules(10) => Unknown keyword '?sid' in rule!
> Fatal Error, Quitting..
> 
> 
> What am I missing? Regards,
> 
> LD

Look at your rule, there is no keyword "?sid". It should be "sid";

Regards,
Markus
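
As an added example (not part of the original thread and not Snort's own parser): a small Python lint that splits a rule's option block on unquoted semicolons and reports any option keyword containing unexpected characters, with the column that the caret in the reply points at. The function names and the keyword pattern are assumptions of this example; it checks keyword shape only, not Snort's actual keyword list.

```python
import re

# Assumption of this example: option keywords are lowercase letters, digits,
# '_' or '.'. It checks the shape only, not Snort's real keyword list.
KEYWORD_RE = re.compile(r"[a-z][a-z0-9_.]*\Z")

# Constructed sample: the rule quoted in the thread, re-joined onto one line.
RULE = ('alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any '
        '(msg:"text mime type detected in web traffic"; '
        'flow:established,from_server; content:"Content-Type |3A| text/"; '
        'nocase;?sid:1000001; rev:1; classtype:web-application-activity;)')

def split_options(body):
    """Split the option block on ';' outside quotes; return [(offset, text)]."""
    options, start, in_quotes, i = [], 0, False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":            # escaped character (e.g. \; or \"): skip it
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            options.append((start, body[start:i]))
            start = i + 1
        i += 1
    if body[start:].strip():      # trailing option without a closing ';'
        options.append((start, body[start:]))
    return options

def lint_rule(rule):
    """Return [(column, keyword)] for each malformed option keyword."""
    rule = re.sub(r"\\\r?\n", "", rule)   # join backslash-continued lines
    open_paren, close_paren = rule.find("("), rule.rfind(")")
    if open_paren < 0 or close_paren < open_paren:
        return [(0, "<no option block>")]
    problems = []
    for offset, text in split_options(rule[open_paren + 1:close_paren]):
        stripped = text.lstrip()
        keyword = stripped.split(":", 1)[0].rstrip()
        if stripped and not KEYWORD_RE.match(keyword):
            column = open_paren + 1 + offset + len(text) - len(stripped)
            problems.append((column, keyword))
    return problems

if __name__ == "__main__":
    for column, keyword in lint_rule(RULE):
        print(RULE)
        print(" " * column + "^ unexpected option keyword %r" % keyword)
```

Running it over `local.rules` before restarting Snort catches stray characters pasted in from mail or web pages without waiting for the fatal parse error.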




