<div dir="ltr"><div>Correction on paragraph so it makes sense (tired):<br><br>I am trying out some local sigs. Whenever I enable this rule or even
strip out some of the content matches it just segfaults. I have others
like it too and they all do the same but I cannot seem to spot what
is wrong. I thought if there is an error in the rule syntax it should
just skip over it anyway? I am using version 2.0 on this sensor.<br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 6 August 2014 12:09, Kevin Ross <span dir="ltr"><<a href="mailto:kevross33@googlemail.com" target="_blank">kevross33@googlemail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi,<br><br>I am trying out some local sigs. Whenever I enable this rule or even strip out some of the content matches it just segfaults. I have others like it too and they all reach the same but I cannot seem to spot what is wrong and I though if there is an error in the rule syntax it should just skip over it anyway? I am using version 2.0 on this sensor.<br>
<br>alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Potential CnC Response DONE"; flow:established,to_client; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Content-Length|3A| 4|0D 0A|"; http_header; file_data; content:"DONE"; within:4; classtype:trojan-activity; sid:1769992; rev;1;)<br>
<br>Thanks,<br>Kevin<br><br></div></div>
</blockquote></div><br></div>