[Snort-users] To escape or not to escape the colon

Julian Wiegmann julian.wiegmann at ...15603...
Fri Jul 26 07:02:13 EDT 2013


Classification: Public

As per manual:

http://manual.snort.org/node32.html#SECTION00451000000000000000

; \ " aka the semi-colon has to be escaped when content matching. (By what? The manual should say that it is a backslash.)

For example:

content: "string\; string2";

However, I have seen some rules where the colon is also escaped:

content: "string\: string2";

But in the same rule I have seen a colon that is not escaped also:

content:"Accept: */*|0d0a0d0a|";

Should we or should we not escape a colon?

Or should I just bite the bullet and use hex?

content:"Accept|3A| */*|0d0a0d0a|";



Kind regards,
  Julian Wiegmann
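
The hex route from the last rule in the post, as an added example (not code from the post or from the Snort project): a small Python helper that hex-encodes the manual's three characters, the colon and the pipe, so the escaping question never arises. The function names are hypothetical and the sample bytes are constructed.

```python
import re

# Bytes hex-encoded even though printable: the manual's list (; \ "), the
# colon the post asks about, and the pipe that delimits hex blocks.
SPECIAL = set(b';\\":|')

def to_content(data: bytes) -> str:
    """Render raw bytes as the body of a content string, hex-encoding every
    special or non-printable byte so that no backslash escape is needed."""
    out, hexrun = [], []
    for b in data:
        if b in SPECIAL or not 0x20 <= b <= 0x7E:
            hexrun.append(f"{b:02X}")
            continue
        if hexrun:  # close the pending hex block before literal text
            out.append("|" + " ".join(hexrun) + "|")
            hexrun = []
        out.append(chr(b))
    if hexrun:
        out.append("|" + " ".join(hexrun) + "|")
    return "".join(out)

def from_content(text: str) -> bytes:
    """Decode a string made of literal text and |hex| blocks only (the form
    to_content emits); backslash escapes are deliberately rejected."""
    if "\\" in text:
        raise ValueError("backslash escapes are outside this decoder's scope")
    parts = text.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unterminated |hex| block")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:  # odd-numbered pieces sit between pipes: hex digits
            out += bytes.fromhex(re.sub(r"\s+", "", part))
        else:
            out += part.encode("ascii")
    return bytes(out)

def content_option(data: bytes) -> str:
    """Wrap the encoded bytes in a complete content option."""
    return f'content:"{to_content(data)}";'

if __name__ == "__main__":
    sample = b"Accept: */*\r\n\r\n"  # constructed sample bytes
    print(content_option(sample))
```

Decoding the generated string with `from_content` and comparing it to the intended bytes is a quick check before the option goes into a rule.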