Snort mailing list archives
Re: Content "c:"
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 19 Jun 2001 13:28:12 -0700 (PDT)
On Tue, 19 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:
> I'm trying to create a rule that searches for content of "c:" in packets. But Snort complains that a closing quote is needed. In a prior posting I had asked about "c:\" and someone mentioned the backslash was a problem. Even without the backslash this still fails. This is the latest test rule I tried:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:"; content: "c:"; nocase;)
>
> Snort complains that content needs an ending quote. Apparently the colon after the "c" is what is messing this up. Does anyone know how to make a content rule with "c:" or any drive letter as the content?
Paul,

Have a look at the attached message.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
Attachment:
meep