Re: [Snort-sigs] Bad escape sequence?

As a hopefully useful side note, the Sourcefire VRT policy when dealing 
with characters that might need to be escaped is to simply encode them 
as hexadecimal. For example, the content in question here would be 
"|2F|", and content:"clsid\:" would be content:"clsid|3A|". This has 
kept our lives much simpler over time, since doing so removed even the 
possibility of a rule being affected by parser issues (whether bugs or 
changes in behavior). It is probably in the best interests of anyone 
writing rules to follow this policy, as it will ensure that your rules 
are problem-free irrespective of the version of Snort you or those using 
your rules are running.

Alex Kirk
Research Analyst
Sourcefire, Inc.

> That was what I tried after i fired off the email and it worked.
>
> Thanks!
>
> On 9/30/05, Joel Esler <joel.esler@sourcefire.com> wrote:
>  
>
> > you may not need to escape it anymore.  remove the "\"
> >
> > J
> > On Sep 30, 2005, at 9:31 AM, sekure wrote:
> >
> >   
> >
> > > I have a rule in my local.rules that i picked up somewhere on the
> > > mailing lists:
> > >
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IE suspicious
> > > access to WSH (Windows Script Host)"; flow: from_server,established;
> > > content:"object"; nocase; content:"id"; nocase; content:"wsh"; nocase;
> > > content:"classid"; nocase; content:"clsid\:"; nocase;
> > > content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; nocase; content:"\/";
> > > nocase; content:"object"; nocase; reference: url,
> > > http.www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm;
> > > classtype:misc-attack; sid:1000042; rev:1;)
> > >
> > > I just upgraded from 2.4.0 to 2.4.2 and upon launching snort i get:
> > > "bad escape sequence starting with "\/". Fatal Error, Quitting.."
> > > This used to work with 2.4.0 and before.  What changed?
> > >
> > > Thanks,
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.Net email is sponsored by:
> > > Power Architecture Resource Center: Free content, downloads,
> > > discussions,
> > > and more. http://solutions.newsforge.com/ibmarch.tmpl
> > > _______________________________________________
> > > Snort-sigs mailing list
> > > Snort-sigs@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > >
> > >
> > >     
> >
> >   
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads, discussions,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=ort-users
>  



-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs