Suricata-update parsing problems with modify

Russell_Fulton · October 31, 2021, 7:02pm

I am getting this error from suricata-update
Failed to parse modify filter: 2848122 "classtype:” " http.host; content:!\"zscaler.com/"; classtype:"

The weird bit is that the modify file contains the line:
2848122 "classtype:” " http.host; content:!\"zscaler.com\"; classtype:"

The difference is that the last ‘\’ in the input has somehow morphed into ‘/’!

I have verified that suricata-update is reading the same file as I am editing ; ) been there before!

Question: Is this the correct way to escape '"'s in replacement strings?
If so have I screwed up something else?

Russell_Fulton · November 1, 2021, 8:10pm

finally figured this one out by repeatedly cutting bits out until the error went away.

The problem is in the second quote mark which is not an ascii character. I hate smart quotes!

Topic		Replies	Views
Suricata-update & modify.conf Rules	4	768	February 23, 2021
Rules modified with modify.conf still appear in alerts Help	2	458	January 11, 2022
[errcode: sc_err_conf_yaml_error(242)] Help	4	1620	June 7, 2023
Issue with modifying rule more than once suricata-update Rules	4	913	January 11, 2021
Weirdness in surcicata-update over last week	5	946	November 3, 2021