I am getting this error from suricata-update:
Failed to parse modify filter: 2848122 "classtype:” " http.host; content:!\"zscaler.com/"; classtype:"
The weird bit is that the modify file contains the line:
2848122 "classtype:” " http.host; content:!\"zscaler.com\"; classtype:"
The difference is that the last ‘\’ in the input has somehow morphed into ‘/’!
I have verified that suricata-update is reading the same file as I am editing ;) been there before!
Question: Is this the correct way to escape '"'s in replacement strings?
If so, have I screwed up something else?