Snort mailing list archives
RE: Content "c:"
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Tue, 19 Jun 2001 17:25:05 -0400
I'm not using a "\" (backslash). I am strictly searching for a letter followed by a colon. I will give Jim's advice a try. Thanks!

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Tuesday, June 19, 2001 4:28 PM
To: Sheahan, Paul (PCLN-NW)
Cc: Snort List (E-mail)
Subject: Re: [Snort-users] Content "c:"

On Tue, 19 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:
> I'm trying to create a rule that searches for content of "c:" in packets.
> But Snort complains that a closing quote is needed. In a prior posting I had
> asked about "c:\" and someone mentioned the backslash was a problem. Even
> without the backslash this still fails. This is the latest test rule I tried:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:"; content: "c:"; nocase;)
>
> Snort complains that content needs an ending quote. Apparently the colon
> after the "c" is what is messing this up. Does anyone know how to make a
> content rule with "c:" or any drive letter as the content?

Paul,

Have a look at the attached message.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net