Missing semi-colon didn't elicit an error in sagan
Closed this issue · 1 comments
dmschauer67 commented
Leaving the semi-colon off after content in a rule did not elicit an error in Sagan. It ran but did not allow the rule to be read, and no error message was seen. Examples follow (first rule missing semicolon, second rule has one). The 1st rule didn't fire but elicited no error or stoppage.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] XSS Attack"; content: "CROSS_SITE_SCRIPTING_IN_URL" content: !"DENY"; parse_src_ip: 2; parse_dst_ip: 3; classtype: exploit-attempt; sid: 5002787; rev: 4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] XSS Attack"; content: "CROSS_SITE_SCRIPTING_IN_URL";content: !"DENY"; parse_src_ip: 2; parse_dst_ip: 3; classtype: exploit-attempt; sid: 5002787; rev: 4;)
Deleted user commented
Thanks. This is more of a Sagan issue than a Sagan rules issue. I'll move this ticket ASAP.
…________________________________
From: dmschauer67 ***@***.***>
Sent: Friday, August 5, 2022 1:01:22 PM
To: quadrantsec/sagan-rules ***@***.***>
Cc: Subscribed ***@***.***>
Subject: [quadrantsec/sagan-rules] Missing semi-colon didn't elicit an error in sagan (Issue #76)
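A pre-deployment lint check for the failure reported in this issue, as an added example that is not part of the thread and not Sagan's own code. It flags any option segment that holds two `keyword:` tokens with no `;` between them; the function names are hypothetical and the heuristic assumes every option keyword is a word followed by a colon.

```python
import re

# An option keyword: a word followed by ':' at segment start or after whitespace
# (so an unquoted value such as "url,http://..." is not mistaken for a keyword).
KEYWORD = re.compile(r'(?:^|\s)([A-Za-z_]\w*)\s*:')

# The two rules quoted in the issue: the first lacks the ';' after content.
BROKEN = 'alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] XSS Attack"; content: "CROSS_SITE_SCRIPTING_IN_URL" content: !"DENY"; parse_src_ip: 2; parse_dst_ip: 3; classtype: exploit-attempt; sid: 5002787; rev: 4;)'
FIXED = 'alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] XSS Attack"; content: "CROSS_SITE_SCRIPTING_IN_URL";content: !"DENY"; parse_src_ip: 2; parse_dst_ip: 3; classtype: exploit-attempt; sid: 5002787; rev: 4;)'

def split_options(body):
    """Split a rule's option body on ';' characters that sit outside double quotes."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == '\\' and in_quote:
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            parts.append(''.join(buf))
            buf = []
            continue
        buf.append(ch)
    if ''.join(buf).strip():
        parts.append(''.join(buf))  # trailing text with no terminating ';'
    return parts

def lint_rule(rule):
    """Return (keyword, next_keyword) pairs that have no ';' between them."""
    start, end = rule.find('('), rule.rfind(')')
    if start == -1 or end <= start:
        return [('<rule>', '<no option block>')]
    findings = []
    for segment in split_options(rule[start + 1:end]):
        # Blank out quoted values so colons inside strings are ignored.
        unquoted = re.sub(r'"(?:\\.|[^"\\])*"', '""', segment)
        keywords = KEYWORD.findall(unquoted)
        findings.extend(zip(keywords, keywords[1:]))
    return findings

if __name__ == '__main__':
    for name, rule in (('broken', BROKEN), ('fixed', FIXED)):
        print(name, lint_rule(rule))
```

Running a check like this over a rules directory before reloading the engine surfaces a rule that would otherwise load without an error and never fire.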