That was what I tried after i fired off the email and it worked.
Thanks!
On 9/30/05, Joel Esler <joel.esler@sourcefire.com> wrote:
you may not need to escape it anymore. remove the "\"
J
On Sep 30, 2005, at 9:31 AM, sekure wrote:
I have a rule in my local.rules that i picked up somewhere on the
mailing lists:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IE suspicious
access to WSH (Windows Script Host)"; flow: from_server,established;
content:"object"; nocase; content:"id"; nocase; content:"wsh"; nocase;
content:"classid"; nocase; content:"clsid\:"; nocase;
content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; nocase; content:"\/";
nocase; content:"object"; nocase; reference: url,
http.www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm;
classtype:misc-attack; sid:1000042; rev:1;)
I just upgraded from 2.4.0 to 2.4.2 and upon launching snort i get:
"bad escape sequence starting with "\/". Fatal Error, Quitting.."
This used to work with 2.4.0 and before. What changed?
Thanks,
-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads,
discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
