Snort mailing list archives
rule parser and escaped characters
From: "Chris Clark" <cclark () ece gatech edu>
Date: Tue, 25 Feb 2003 16:59:32 -0500
The Snort Users Manual 1.9.1 mentions some characters that must be escaped in content strings here:
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.9

It mentions the 3 characters on the next line

  " : |

However, I have found some other rules that appear to include other escaped characters. The ones I found are on the next line

  ; ( ) # \

Please check the below rules and let me know if I am interpreting these characters correctly. If so, I suggest that these be added to the manual.

This one has \( and \)

  alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE connect_data\(command=version\) attempt"; flags:A+; content:"connect_data\(command=version\)"; nocase; classtype:protocol-command-decode; sid:1674; rev:3;)

This one has ( in the content string, but it is not escaped

  alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC readme.eml autoload attempt"; flags:A+; content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; reference:url,www.cert.org/advisories/CA-2001-26.html; rev:7;)

This one has \\

  alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flags:A+; content:"\\..|2f 00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:534; rev:4;)

This one has \#

  alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flags:A+; content:"JOIN \: \#"; nocase; offset:0; classtype:misc-activity; sid:1729; rev:2;)

This one has \;

  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS id command attempt"; flags:A+; content:"\;id"; nocase; sid:1333; classtype:web-application-attack; rev:4;)
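The question in the post is how the rule parser treats a backslash inside a content string. The following is an added example, not code from the email or from the Snort project: a small Python decoder that pulls every content:"..." option out of the five rules quoted above and turns it into the byte pattern the rule would match. It assumes the behaviour the quoted rules imply, namely that a backslash makes the next character literal whatever that character is, and that a |...| section holds space-separated hex bytes; the real parser of any particular Snort version may be stricter about which characters it accepts after a backslash, which is exactly the point the post asks to have documented.

```python
# Added example: decode Snort content strings, including backslash escapes
# and |hex| sections. The rules below are the ones quoted in the email.
RULES = [
    r'alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE connect_data\(command=version\) attempt"; flags:A+; content:"connect_data\(command=version\)"; nocase; classtype:protocol-command-decode; sid:1674; rev:3;)',
    r'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC readme.eml autoload attempt"; flags:A+; content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; reference:url,www.cert.org/advisories/CA-2001-26.html; rev:7;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flags:A+; content:"\\..|2f 00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:534; rev:4;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flags:A+; content:"JOIN \: \#"; nocase; offset:0; classtype:misc-activity; sid:1729; rev:2;)',
    r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS id command attempt"; flags:A+; content:"\;id"; nocase; sid:1333; classtype:web-application-attack; rev:4;)',
]


def extract_contents(rule):
    """Return the raw (still escaped) text of every content:"..." option.

    The closing quote is the first '"' not preceded by a backslash, so an
    unescaped '(' inside the string (rule 2) is just ordinary text.
    """
    found = []
    pos = 0
    while True:
        pos = rule.find('content:"', pos)
        if pos < 0:
            return found
        j = pos + len('content:"')
        buf = []
        while j < len(rule):
            c = rule[j]
            if c == '\\' and j + 1 < len(rule):
                # keep the escape pair intact; decode_content handles it
                buf.append(c)
                buf.append(rule[j + 1])
                j += 2
                continue
            if c == '"':
                break
            buf.append(c)
            j += 1
        found.append(''.join(buf))
        pos = j + 1


def decode_content(raw):
    """Decode a raw content value into the bytes the rule matches.

    Assumption (not verified against the Snort source): '\\x' yields the
    literal character x for any x, and '|..|' encloses hex bytes.
    """
    out = bytearray()
    hexbuf = []
    in_hex = False
    i = 0
    while i < len(raw):
        c = raw[i]
        if in_hex:
            if c == '|':
                out += bytes.fromhex(''.join(hexbuf))
                hexbuf = []
                in_hex = False
            elif not c.isspace():
                hexbuf.append(c)
            i += 1
            continue
        if c == '|':
            in_hex = True
        elif c == '\\':
            if i + 1 >= len(raw):
                raise ValueError('dangling backslash in content string')
            out += raw[i + 1].encode('latin-1')
            i += 1  # skip the escaped character
        else:
            out += c.encode('latin-1')
        i += 1
    if in_hex:
        raise ValueError('unterminated |hex| section')
    return bytes(out)


def escapes_used(raw):
    """Set of characters that appear escaped with a backslash in raw."""
    used = set()
    i = 0
    while i < len(raw):
        if raw[i] == '\\' and i + 1 < len(raw):
            used.add(raw[i + 1])
            i += 2
        else:
            i += 1
    return used


if __name__ == '__main__':
    for rule in RULES:
        for raw in extract_contents(rule):
            print(repr(raw), '->', decode_content(raw), sorted(escapes_used(raw)))
```

Running the script lists, for each rule, the escaped characters it relies on and the resulting pattern; for the NETBIOS rule the output is the single backslash, two dots, a slash and three NUL bytes, which is the pattern the unescaped reading of "\\.." would not give.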
Current thread:
- rule parser and escaped characters Chris Clark (Feb 25)
- Re: rule parser and escaped characters Chris Green (Feb 25)
- RE: rule parser and escaped characters Chris Clark (Mar 01)
- Re: rule parser and escaped characters Brian (Mar 03)
- RE: rule parser and escaped characters Chris Clark (Mar 01)
- Re: rule parser and escaped characters Chris Green (Feb 25)