Video Screencast Help

Would like to clear up confusion - based on posts in connect

Created: 21 Aug 2012 • Updated: 23 Aug 2012 | 3 comments
This issue has been solved. See solution.

Over the last few years, or as long as I've been using custom IPS in SEP, which is quite a while.
I've done all the digging and learning I could - some from the help included in SEP, some from KB articles - and technical documents, and some from the forums here.

However, I have yet to find a conclusive 100% Symantec supported, all-agree final answer to the question I'm about to post.
Another search today gave me two different answers! One said "there should be", another said "no space after the , before....." and another was really unsure himself as to which it was.

The question is - in the sample IPS string below, should there be or should there not be a space after the , that is just before the words content="xxxxxxxxx"

rule tcp, dest=(80,443), msg="ZugoLaunch installer", content=""

So the question is - is THIS correct ->   rule tcp, dest=(80,443), msg="ZugoLaunch installer", content=""
Is THIS correct ->rule tcp, dest=(80,443), msg="ZugoLaunch installer",content=""

and to confuse things more-  I read a recent post saying there should be a space after every comma - after every ,  in an IPS def.
But in the past, someone said "no spaces".

Funny, no matter how it is said, or what is said, no "Symantec regular" or bonifide employee who gets regular pay from Symantec and who has an insiders look at the product, what works, what doesn't, has responded to agree or disagree with any of the above. So it appears one could gather that Symantec support doesn't care, or doesn't know?  surprise

So, for the record, the official word, the final word, straight from development team if necessary, should there be spaces after the ,  or no spaces after the , and does the answer apply to all of them, or just the one before the word content like was stated in the past?



Comments 3 CommentsJump to latest comment

ᗺrian's picture

Should be a space after every comma


rule tcp, source=(), saddr=$LOCALHOST, msg="[SID: xxxxx] Add alert message", content="Signature content here"

I've went round and round on this as well and this is best practice for syntax. Never had it fail or an error in the log on the client using this syntax.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

David-Z's picture


As Brian81 mentioned, the best practice is to place a space after every comma that is a part of the syntax. I apologize for any confusion you encountered as you researched into this.

Hope that helps!

David Z.

Senior Program Manager, Symantec Corporation

Enterprise Security

ShadowsPapa's picture

Yes, that helps. I was seeing the other posts where one in particular said he was told that there should be no space after the comma just before the "content" word, and others said no spaces, and then some said spaces after each. I have also run into products that require the use of a comma and NO space, and it takes the comma as the single literal seperation and if there's a space after the comma, that is seen as the next part and seen as empty or missing.
In other words, some programs see it as "data,data" a space, then the second field is seen as empty, OR, it includes the space as part of the next word.

So now it would appear this is settled at least for me. And having a space, and a space after every comma makes sense, and is more tidy, easier to read. (plus it allows SEPM to wrap when you are looking at a signature that may be quite long)

I have another IPS question, but since this one is settled, and the other is related, but not to commas, I'll place it in its own space.