Snort mailing list archives
Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified
From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 17 Dec 2010 13:21:55 -0500
Glad you got it working. We have a bug to get the preprocessor rules documented properly. On Fri, Dec 17, 2010 at 1:01 PM, JS <jspudz () yahoo com> wrote:
Eoin/Kevin, Thanks I think I finally got it resolved. Turns out, I updated all my files with the 2.9.0.1 ruleset as described in my first post. The gen-msg.map that comes with 2.9.0.2 does indeed have the missing stream5 entries! The gen-msg.map that comes with 2.9.0.1 does NOT. Ugh, guess I now know you only upgrade your rules with matching versions. I did not think it would be that big of a deal to use 2.9.0.1 rules with a 2.9.0.2 snort install. Thanks. ------------------------------ *From:* Eoin Miller <eoin.miller () trojanedbinaries com> *To:* snort-users () lists sourceforge net *Sent:* Fri, December 17, 2010 9:42:50 AM *Subject:* Re: [Snort-users] Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified On 12/17/2010 5:31 PM, JS wrote:Kevin thanks for the info. I reviewed my setup and my startup script for barnyard2 and its barnyard.conf both point to the gen-msg.map andsid-msg.mapfiles in the /etc/snort directory. Those files were updated when Iupdated withthe snort 2.9.0.1 ruleset. This is uber confusing as I have been reading the "README" for stream5fromsnort 2.9.0.2 and it only lists SID's for stream5 (generatorid 129) thatgo upto number 14. Yet somehow my snort install (version 2.9.0.2) is throwinga SIDof 15??? As far as I can see this event sid (129-15) does not even exist in snort2.9.0.2according to the readme. Any thoughts on this?Um...? $ grep "129 ||" snort-2.9.0.1/etc/gen-msg.map 129 || 1 || stream5: SYN on established session 129 || 2 || stream5: Data on SYN packet 129 || 3 || stream5: Data sent on stream not accepting data 129 || 4 || stream5: TCP Timestamp is outside of PAWS window 129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0 129 || 6 || stream5: Window size (after scaling) larger than policy allows 129 || 7 || stream5: Limit on number of overlapping TCP packets reached 129 || 8 || stream5: Data sent on stream after TCP Reset 129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address 129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address 129 || 11 || stream5: TCP Data with no TCP Flags set 129 || 12 || stream5: TCP Small Segment Threshold Exceeded 129 || 13 || stream5: TCP 4-way handshake detected 129 || 14 || stream5: TCP Timestamp is missing 129 || 15 || stream5: Reset outside window 129 || 16 || stream5: FIN number is greater than prior FIN 129 || 17 || stream5: ACK number is greater than prior FIN 129 || 18 || stream5: Data sent on stream after TCP Reset received 129 || 19 || stream5: TCP window closed before receiving data -- Eoin ------------------------------------------------------------------------------ Lotusphere 2011 Register now for Lotusphere 2011 and learn how to connect the dots, take your collaborative environment to the next level, and enter the era of Social Business. http://p.sf.net/sfu/lotusphere-d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------------------------------ Lotusphere 2011 Register now for Lotusphere 2011 and learn how to connect the dots, take your collaborative environment to the next level, and enter the era of Social Business. http://p.sf.net/sfu/lotusphere-d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ Lotusphere 2011 Register now for Lotusphere 2011 and learn how to connect the dots, take your collaborative environment to the next level, and enter the era of Social Business. http://p.sf.net/sfu/lotusphere-d2d
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Kevin Ross (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Eoin Miller (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Russ Combs (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Eoin Miller (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Russ Combs (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Joel Esler (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Joel Esler (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Kevin Ross (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Randal T. Rioux (Dec 19)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jun Wan (Dec 20)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jefferson, Shawn (Dec 20)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jun Wan (Dec 20)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jefferson, Shawn (Dec 21)