Re: pulledpork and colon within in msg-text

["Joel Esler (jesler)" <jesler () cisco com>]

You should not use colons, backslashes, backticks, or semi colons in the rule msg.   

--
Sent from my iPhone

> On Mar 10, 2017, at 16:39, Claus Regelmann <rgc () rgc1 inka de> wrote:
>
> Hello,
>
> pulledpork also generates a file 'sid-msg.map' that maps the sid of a rule to its msg-text.
> And other programs, e.g. barnyard2, rely on this file.
>
> If the msg-text of a rule contains a colon, the corresponding text in sid-msg.map is truncated just before the colon.
> Is ':' a forbidden character in the 'quoted' message text? I never read about, and snort never complained about.
>
> My perl know how is very low, but i think the 'split' in the marked line below causes the problem.
> ---8<-- pulledpork.pl -->8---
> ...
>             my @optarray = split( /(?<!\\);\s*/, $options ) if $options;
>             foreach my $option ( reverse(@optarray) ) {
> > > > > > > > > > > >    my ( $kw, $arg ) = split( /:\s*/, $option ) if $option; <<<<<<<<<<<<
>        my $gid = $k;
>        $gid = 1 if $k == 0;
> ...
> ---8<------------------->8---
> This ':'-split on the rule's text is to simple. It ignores the quotes around the 'msg:' part.
>
> Is there a friendly perl specialist to fix the problem ??
>
> Regards
> Claus
>
>
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> Announcing the Oxford Dictionaries API! The API offers world-renowned
> dictionary content that is easy and intuitive to access. Sign up for an
> account today to start using our lexical data to power your apps and
> projects. Get started today and enter our developer competition.
> http://sdm.link/oxford
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Announcing the Oxford Dictionaries API! The API offers world-renowned
dictionary content that is easy and intuitive to access. Sign up for an
account today to start using our lexical data to power your apps and
projects. Get started today and enter our developer competition.
http://sdm.link/oxford
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!