Re: Are commas allowed in signature descriptions?

[waldo kitty <wkitty42 () windstream net>]

On 12/8/2010 09:10, Alex Kirk wrote:
> Yes, you can put commas into a rule msg string. You cannot, however, put
> semicolons in that field, which should make for a reasonable delimiter.

actually not... the "MSG:blah blah blah" section is one of the most troublesome 
areas in snort/IDS rules... why? because there are many tools out there that 
parse the MSG text in CSV format and a comma in them causes all kinds of 
problems... witness the emerging threats rules and how they (have to) take extra 
care to not put commas in the MSG text area of snort/IDS rules...

one specific example is "eval(function(p,a,c,k,e,d)" which is a javascript 
thing... if i understand javascript properly, this denotes 6 functions with the 
single character names of p, a, c, k, e, and d... but i may be incorrect on 
this... however, those commas in the MSG text do cause all kinda of problems and 
are best left out of that text string ;)

> On Wed, Dec 8, 2010 at 7:54 AM, Paul Halliday <paul.halliday () gmail com
> <mailto:paul.halliday () gmail com>> wrote:
>
>     I have an input box where you will be able to put multiple signature
>     names prior to a query.
>
>     What is the safest delimiter?
>
>     Thanks.
>
>     ------------------------------------------------------------------------------
>     What happens now with your Lotus Notes apps - do you make another costly
>     upgrade, or settle for being marooned without product support? Time to move
>     off Lotus Notes and onto the cloud with Force.com, apps are easier to build,
>     use, and manage than apps on traditional platforms. Sign up for the Lotus
>     Notes Migration Kit to learn more. http://p.sf.net/sfu/salesforce-d2d
>     _______________________________________________
>     Snort-users mailing list
>     Snort-users () lists sourceforge net <mailto:Snort-users () lists sourceforge net>
>     Go to this URL to change user options or unsubscribe:
>     https://lists.sourceforge.net/lists/listinfo/snort-users
>     Snort-users list archive:
>     http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
> --
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk () sourcefire com <mailto:alex.kirk () sourcefire com>
>
>
>
> ------------------------------------------------------------------------------
> What happens now with your Lotus Notes apps - do you make another costly
> upgrade, or settle for being marooned without product support? Time to move
> off Lotus Notes and onto the cloud with Force.com, apps are easier to build,
> use, and manage than apps on traditional platforms. Sign up for the Lotus
> Notes Migration Kit to learn more. http://p.sf.net/sfu/salesforce-d2d
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


------------------------------------------------------------------------------
This SF Dev2Dev email is sponsored by:

WikiLeaks The End of the Free Internet
http://p.sf.net/sfu/therealnews-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users