Snort mailing list archives

Trouble with home-made rule


From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Mon, 18 Jun 2001 01:51:21 -0400

Hello,

I'm experimenting for the first time creating my own rules. I decided to
create a rule that detects whenever one of my servers responds to an
external address with "C:\" in the packet in case my servers are giving out
any info on the local drive without my knowledge. I added this rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:\"; content:
"c:\"; nocase;)

And received this error when starting Snort (the rule above is on line 16):

ERROR Line 16 => Content data needs to be enclosed in quotation marks (")!

Obviously the closed quotation is there. I thought maybe the ":" in "C:\" is
confusing Snort? Just a guess. Anyone know how I can fix this?

Thanks!

