Suricata-update parsing problems with modify

Russell_Fulton · October 31, 2021, 7:02pm

I am getting this error from suricata-update
Failed to parse modify filter: 2848122 "classtype:” " http.host; content:!\"zscaler.com/"; classtype:"

The weird bit is that the modify file contains the line:
2848122 "classtype:” " http.host; content:!\"zscaler.com\"; classtype:"

The difference is that the last ‘\’ in the input has somehow morphed into ‘/’!

I have verified that suricata-update is reading the same file as I am editing ; ) been there before!

Question: Is this the correct way to escape '"'s in replacement strings?
If so have I screwed up something else?

Russell_Fulton · November 1, 2021, 8:10pm

finally figured this one out by repeatedly cutting bits out until the error went away.

The problem is in the second quote mark which is not an ascii character. I hate smart quotes!

Topic		Replies	Views
Suricata-update - modify.conf and $EXTERNAL_NET Help	2	655	February 19, 2021
Suricata-update & modify.conf Rules	4	894	February 23, 2021
Rules modified with modify.conf still appear in alerts Help	2	501	January 11, 2022
Modify.conf question Rules	2	484	November 25, 2021
Trying to update Suricata on Oracle VM and get an error	4	317	June 22, 2023