Snort Forums Archive

native characters in content: rule


Posted by imsodul on April 27, 2005 03:01:51


When I enter a language-native character (above ASCII dec 127) in a content: "rule", Snort refuses to start. Must I encode those characters in some way?
Running Snort on Linux.

Posted by nigel on May 03, 2005 17:39:21

Can you post the error?

Have you tried using the hex equivalent for those characters in your rule?

Posted by imsodul on May 04, 2005 09:02:28

No error resolved in log files. Do you suggest a hex insert like "Link&D6ping"? I could not get that to work.


Regards

Posted by nigel on May 04, 2005 12:36:52

If you run snort from the command line is there an error?

If you want to use hex characters in your content the hex must be surrounded with pipe characters like this -> content:"Link|D6|ping";

Take a look in the snort manual regarding content matches and you'll see examples.
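
Added example, not part of the original thread: a small Python helper that turns text into a Snort content value, writing every non-ASCII byte (and the characters that are special inside a content string) as pipe-delimited hex. The function names are hypothetical, and the character encoding used on the wire is an assumption the rule writer has to confirm from a packet capture, because the same character produces different bytes in Latin-1 and UTF-8.

```python
# Added example (not from the thread): build a Snort content value from text.
# Function names are hypothetical; the traffic encoding is an assumption.

# Bytes that have special meaning inside content:"..." are hex-encoded too.
SPECIAL = set(b'";\\|:')


def snort_content(text: str, encoding: str = "latin-1") -> str:
    """Return the value to place between the quotes of content:"..."."""
    out = []
    hex_run = []  # consecutive non-literal bytes share one |..| group

    def flush():
        if hex_run:
            out.append("|" + " ".join(hex_run) + "|")
            hex_run.clear()

    for b in text.encode(encoding):
        if 0x20 <= b <= 0x7E and b not in SPECIAL:
            flush()
            out.append(chr(b))          # printable ASCII stays literal
        else:
            hex_run.append(f"{b:02X}")  # everything else becomes hex
    flush()
    return "".join(out)


def content_option(text: str, encoding: str = "latin-1") -> str:
    """Return a complete content option, ready to paste into a rule."""
    return f'content:"{snort_content(text, encoding)}";'


if __name__ == "__main__":
    # Constructed sample: the string from the thread, with U+00D6 written
    # as an escape so the source file itself stays ASCII.
    sample = "Link\u00d6ping"
    for enc in ("latin-1", "utf-8"):
        print(f"{enc:8} {content_option(sample, enc)}")
```

If the monitored traffic can carry either encoding, the rule set needs one content match per byte sequence.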