OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: [Snort-users] Re: [Snort-sigs] Bad escape sequence?

From: Ali Eghtessadi (alibabcockbrown.com)
Date: Fri Sep 30 2005 - 10:16:42 CDT

Speedy gonzales CIO

sekure wrote:

>That was what I tried after i fired off the email and it worked.
>
>Thanks!
>
>On 9/30/05, Joel Esler <joel.eslersourcefire.com> wrote:
>
>
>>you may not need to escape it anymore. remove the "\"
>>
>>J
>>On Sep 30, 2005, at 9:31 AM, sekure wrote:
>>
>>
>>
>>>I have a rule in my local.rules that i picked up somewhere on the
>>>mailing lists:
>>>
>>>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IE suspicious
>>>access to WSH (Windows Script Host)"; flow: from_server,established;
>>>content:"object"; nocase; content:"id"; nocase; content:"wsh"; nocase;
>>>content:"classid"; nocase; content:"clsid\:"; nocase;
>>>content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; nocase; content:"\/";
>>>nocase; content:"object"; nocase; reference: url,
>>>http.www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm;
>>>classtype:misc-attack; sid:1000042; rev:1;)
>>>
>>>I just upgraded from 2.4.0 to 2.4.2 and upon launching snort i get:
>>>"bad escape sequence starting with "\/". Fatal Error, Quitting.."
>>>This used to work with 2.4.0 and before. What changed?
>>>
>>>Thanks,
>>>
>>>
>>>-------------------------------------------------------
>>>This SF.Net email is sponsored by:
>>>Power Architecture Resource Center: Free content, downloads,
>>>discussions,
>>>and more. http://solutions.newsforge.com/ibmarch.tmpl
>>>_______________________________________________
>>>Snort-sigs mailing list
>>>Snort-sigslists.sourceforge.net
>>>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>
>>>
>>>
>>>
>>
>>
>
>
>-------------------------------------------------------
>This SF.Net email is sponsored by:
>Power Architecture Resource Center: Free content, downloads, discussions,
>and more. http://solutions.newsforge.com/ibmarch.tmpl
>_______________________________________________
>Snort-users mailing list
>Snort-userslists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=ort-users
>
>

--
Ali Eghtessadi
Chief Information Officer
Babcock & Brown
Phone : 415-267-1626
Email : alibabcockbrown.com

This email message may contain information that is confidential and proprietary to Babcock & Brown or a third party. If you are not the intended recipient, please contact the sender and destroy the original and any copies of the original message. Babcock & Brown takes measures to protect the content of its communications. However, Babcock & Brown cannot guarantee that email messages will not be intercepted by third parties or that email messages will be free of errors or viruses.

If you do not wish to receive any further e-mail from Babcock & Brown, please send an email to opt-outbabcockbrown.com.

-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users