[Snort-users] Help with a rule

Luis Daniel Lucio Quiroz luis.daniel.lucio at ...11827...
Fri Mar 6 16:25:38 EST 2009


You were right,

there was an invisible character.

On Friday 06 March 2009 13:31:05 Markus Lude wrote:
> On Fri, Mar 06, 2009 at 12:22:42PM -0600, Luis Daniel Lucio Quiroz wrote:
> > Thx
> >
> > However I apply the rule:
> >
> > alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"text mime type
> > detected in web traffic"; flow:established,from_server;
> > content:"Content-Type
> >
> > |3A| text/"; nocase;?sid:1000001; rev:1; \
>
>                       ^
>
> >  classtype:web-application-activity;)
> >
> > I got
> >
> > ERROR: Warning: rules/local.rules(10) => Unknown keyword '?sid' in rule!
> > Fatal Error, Quitting..
> >
> >
> > What am I missing?  regards,
> >
> > LD
>
> Look at your rule, there is no keyword "?sid". It should be "sid";
>
> Regards,
> Markus
>
>

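A check for the failure in this thread, as an added example that is not part of the original messages: it reports every non-ASCII or control character in a rules file with its line and column, so a stray byte like the one Snort printed as `?sid` can be located. The sample rules and the choice of a no-break space are constructed assumptions; the thread does not say which character was involved.

```python
import sys
import unicodedata

# Whitespace controls that legitimately appear in a rules file.
ALLOWED_CONTROLS = {"\t", "\n", "\r"}


def find_suspect_chars(text):
    """Return (line, column, codepoint, name) for every character that is
    neither printable ASCII nor ordinary whitespace."""
    hits = []
    # Split on "\n" only, so exotic separators (U+0085, U+2028, ...) are
    # reported as findings instead of being consumed as line breaks.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in ALLOWED_CONTROLS or " " <= ch <= "~":
                continue
            name = unicodedata.name(ch, "UNNAMED CONTROL")
            hits.append((lineno, col, f"U+{ord(ch):04X}", name))
    return hits


def decode_rules(raw):
    """Decode rule-file bytes: UTF-8 first, Latin-1 as a lossless fallback."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


# Constructed sample: line 2 carries a no-break space (U+00A0) before "sid".
SAMPLE = (
    'alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"clean rule"; '
    'sid:1000000; rev:1;)\n'
    'alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"text mime type"; '
    'content:"Content-Type|3A| text/"; nocase;\u00a0sid:1000001; rev:1;)\n'
).encode("utf-8")

if __name__ == "__main__":
    # Pass a rules file path as the first argument, or run on the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for lineno, col, cp, name in find_suspect_chars(decode_rules(raw)):
        print(f"line {lineno}, col {col}: {cp} {name}")
```

Retyping the flagged position by hand, rather than re-pasting the rule, removes the character.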