Suricata-update parsing problems with modify

I am getting this error from suricata-update:
Failed to parse modify filter: 2848122 "classtype:” " http.host; content:!\"zscaler.com/"; classtype:"

The weird bit is that the modify file contains the line:
2848122 "classtype:” " http.host; content:!\"zscaler.com\"; classtype:"

The difference is that the last ‘\’ in the input has somehow morphed into ‘/’!

I have verified that suricata-update is reading the same file as I am editing ;) been there before!

Question: Is this the correct way to escape '"'s in replacement strings?
If so, have I screwed up something else?

Finally figured this one out by repeatedly cutting bits out until the error went away.

The problem is in the second quote mark, which is not an ASCII character. I hate smart quotes!

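A check for the failure described in this thread, as an added example that is not part of the original posts or of suricata-update: it scans the text of a filter file such as the modify file for non-ASCII characters and reports line, column and Unicode name. The function name, the replacement table and the sample text are assumptions made for the illustration.

```python
import sys
import unicodedata

# Typographic characters that editors and web forms commonly substitute
# for ASCII ones (illustrative table, not exhaustive).
ASCII_EQUIVALENT = {
    "\u201c": '"', "\u201d": '"', "\u201e": '"',   # double smart quotes
    "\u2018": "'", "\u2019": "'",                  # single smart quotes
    "\u2013": "-", "\u2014": "-",                  # en and em dash
    "\u00a0": " ",                                 # no-break space
}


def find_non_ascii(text):
    """Return (line_no, column, char, unicode_name, suggestion) per non-ASCII char.

    line_no and column are 1-based; suggestion is None when the table
    above has no ASCII equivalent for the character.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) > 0x7F:
                name = unicodedata.name(ch, "UNKNOWN")
                findings.append((line_no, col, ch, name, ASCII_EQUIVALENT.get(ch)))
    return findings


# Constructed sample: line 1 is the modify line quoted in the post, with the
# typographic quote; line 2 is the same line with that quote typed as ASCII.
SAMPLE = (
    '2848122 "classtype:\u201d " http.host; content:!\\"zscaler.com\\"; classtype:"\n'
    '2848122 "classtype:" " http.host; content:!\\"zscaler.com\\"; classtype:"\n'
)

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    results = find_non_ascii(text)
    for line_no, col, ch, name, fix in results:
        hint = f", replace with {fix!r}" if fix else ""
        print(f"line {line_no}, column {col}: U+{ord(ch):04X} {name}{hint}")
    sys.exit(1 if results else 0)
```

The non-zero exit status on any finding lets the script gate a suricata-update run in a cron job or CI step.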