Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified

[Russ Combs <rcombs () sourcefire com>]

Glad you got it working.

We have a bug to get the preprocessor rules documented properly.

On Fri, Dec 17, 2010 at 1:01 PM, JS <jspudz () yahoo com> wrote:

> Eoin/Kevin,
>
> Thanks I think I finally got it resolved. Turns out, I updated all my files
> with the 2.9.0.1 ruleset as described in my first post. The gen-msg.map that
> comes with 2.9.0.2 does indeed have the missing stream5 entries! The
> gen-msg.map that comes with 2.9.0.1 does NOT.
>
> Ugh, guess I now know you only upgrade your rules with matching versions. I
> did not think it would be that big of a deal to use 2.9.0.1 rules with a
> 2.9.0.2 snort install.
>
> Thanks.
>
>
> ------------------------------
> *From:* Eoin Miller <eoin.miller () trojanedbinaries com>
> *To:* snort-users () lists sourceforge net
> *Sent:* Fri, December 17, 2010 9:42:50 AM
>
> *Subject:* Re: [Snort-users] Snort 2.9.0.2 / barnyard2 / base 1.4.5
> signature not displayed and is unclassified
>
> On 12/17/2010 5:31 PM, JS wrote:
> > Kevin thanks for the info. I reviewed my setup and my startup script for
> > barnyard2 and its barnyard.conf both point to the gen-msg.map and
> sid-msg.map
> > files in the /etc/snort directory. Those files were updated when I
> updated with
> > the snort 2.9.0.1 ruleset.
> >
> > This is uber confusing as I have been reading the "README" for stream5
> from
> > snort 2.9.0.2 and it only lists SID's for stream5 (generatorid 129) that
> go up
> > to number 14. Yet somehow my snort install (version 2.9.0.2) is throwing
> a SID
> > of 15???
> >
> >
> > As far as I can see this event sid (129-15) does not even exist in snort
> 2.9.0.2
> > according to the readme. Any thoughts on this?
>
> Um...?
>
> $ grep "129 ||" snort-2.9.0.1/etc/gen-msg.map
>
> 129 || 1 || stream5: SYN on established session
> 129 || 2 || stream5: Data on SYN packet
> 129 || 3 || stream5: Data sent on stream not accepting data
> 129 || 4 || stream5: TCP Timestamp is outside of PAWS window
> 129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
> 129 || 6 || stream5: Window size (after scaling) larger than policy allows
> 129 || 7 || stream5: Limit on number of overlapping TCP packets reached
> 129 || 8 || stream5: Data sent on stream after TCP Reset
> 129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet
> Address
> 129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet
> Address
> 129 || 11 || stream5: TCP Data with no TCP Flags set
> 129 || 12 || stream5: TCP Small Segment Threshold Exceeded
> 129 || 13 || stream5: TCP 4-way handshake detected
> 129 || 14 || stream5: TCP Timestamp is missing
> 129 || 15 || stream5: Reset outside window
> 129 || 16 || stream5: FIN number is greater than prior FIN
> 129 || 17 || stream5: ACK number is greater than prior FIN
> 129 || 18 || stream5: Data sent on stream after TCP Reset received
> 129 || 19 || stream5: TCP window closed before receiving data
>
> -- Eoin
>
>
> ------------------------------------------------------------------------------
> Lotusphere 2011
> Register now for Lotusphere 2011 and learn how
> to connect the dots, take your collaborative environment
> to the next level, and enter the era of Social Business.
> http://p.sf.net/sfu/lotusphere-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> ------------------------------------------------------------------------------
> Lotusphere 2011
> Register now for Lotusphere 2011 and learn how
> to connect the dots, take your collaborative environment
> to the next level, and enter the era of Social Business.
> http://p.sf.net/sfu/lotusphere-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how
to connect the dots, take your collaborative environment
to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users