[Snort-users] To escape or not to escape the colon

Julian Wiegmann julian.wiegmann at ...15603...
Fri Jul 26 07:02:13 EDT 2013

Classification: Public

As per manual:


; \ "   aka the semi-colon has to be escaped when content matching.   (by what? The manual should say that it is a backslash)

For example:

content: "string\; string2";

However, I have seen some rules where the colon is also escaped:

content: "string\: string2";

but in the same rule I seen a colon that is not escaped also:

content:"Accept: */*|0d0a0d0a|";

Should we or should we not escape a colon?

Or should I just bite the bullet and use hex?

content:"Accept|3A| */*|0d0a0d0a|";

Kind regards,
  Julian Wiegmann

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Please refer to http://www.db.com/en/content/eu_disclosures.htm for additional EU corporate and regulatory disclosures.

More information about the Snort-users mailing list