Snort mailing list archives
Re: Signature Description Oddness
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 7 Feb 2014 21:45:33 +0000
Mark,

Thanks for bringing this to our attention. Future rule builds will not have the gen-msg.map in the pack. Since it only changes when a Snort version would change, we'll keep it current on the website and in the Snort tarball.

--
Joel Esler
Threat Intelligence Team Lead
Open Source Manager
Vulnerability Research Team

On Feb 6, 2014, at 6:36 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

> Looks like we are pulling a file from a different place. (Not saying it's right or wrong, we'll figure that out.) Thanks for bringing that to our attention.
>
> On Feb 6, 2014, at 10:42 AM, Starner, Mark <mark.starner () unisys com> wrote:
>
>> When I upgraded some of my sensors to 2.9.6.0, I saw some weird stuff in my Base Signature Table: two different sig_names for the same signatures (in about 6 cases). I'll detail one instance.
>>
>> Gid: 142, sid: 6
>>
>> One Description is:
>>   pop: 7bit/8bit/binary/text Extraction failed
>> The other Description is:
>>   pop: Non-Encoded MIME attachment Extraction failed
>>
>> So I looked at the gen-msg.map on the various systems/versions.
>>
>> 2.9.5.5 shipped with:
>>   142 || 6 || pop: Non-Encoded MIME attachment Extraction failed
>> 2.9.6.0 shipped with:
>>   142 || 6 || pop: Non-Encoded MIME attachment Extraction failed
>>
>> That's fine, no change between versions. But when I look in the rules tarballs, the following are in those gen-msg.map files:
>>
>> 2.9.5.5 tarball:
>>   142 || 6 || pop: 7bit/8bit/binary/text Extraction failed
>> 2.9.6.0 tarball:
>>   142 || 6 || pop: 7bit/8bit/binary/text Extraction failed
>>
>> So the tarball is shipping with different descriptions for some of the preprocessor rules. So which description is correct?
>>
>> I would have thought if the description was "pop: Non-Encoded MIME attachment Extraction failed" in 2.9.5.5, and then it changed to "pop: 7bit/8bit/binary/text Extraction failed" and was therefore changed in the tarball, then shouldn't 2.9.6.0's release have reflected this change? Or are the files in the tarball never pulled forward to a new release?
>>
>> Just want to make sure I know which description is the right one... I am guessing the one in the tarball, just need confirmation.
>>
>> Thanks
>> Mark
>>
>> Mark Starner | Global Infrastructure - Systems | Unisys IT
>> Unisys | 443-921-0355

------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
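A check for the mismatch Mark describes, written here as an added example (not Snort project code): it parses two gen-msg.map files in the `gid || sid || msg` format and reports every GID:SID pair whose description differs, so a sensor fleet can be compared before the Base sig_name table ends up with duplicate names. The two sample maps are constructed for the example; only the `142 || 6` entries are taken from the thread.

```python
"""Compare two Snort gen-msg.map files and report GID:SID pairs whose
description differs. Each line is ``gid || sid || msg``; blank lines and
``#`` comments are skipped. Sample maps are constructed; only the
142 || 6 entries come from the thread above."""

# Constructed stand-in for the gen-msg.map shipped in the Snort tarball.
SNORT_TARBALL_MAP = """\
# gen-msg.map (constructed sample, Snort tarball)
142 || 5 || pop: constructed sample entry present in both maps
142 || 6 || pop: Non-Encoded MIME attachment Extraction failed
"""

# Constructed stand-in for the gen-msg.map shipped in the rules tarball.
RULES_TARBALL_MAP = """\
# gen-msg.map (constructed sample, rules tarball)
142 || 5 || pop: constructed sample entry present in both maps
142 || 6 || pop: 7bit/8bit/binary/text Extraction failed
142 || 7 || pop: constructed entry only in the rules tarball
"""


def parse_gen_msg_map(text: str) -> dict[tuple[int, int], str]:
    """Return {(gid, sid): msg}; a malformed line raises so a damaged map
    is not silently loaded onto a sensor."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||", 2)]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'gid || sid || msg'")
        entries[(int(parts[0]), int(parts[1]))] = parts[2]
    return entries


def diff_gen_msg_maps(left: str, right: str):
    """Return {(gid, sid): (left_msg, right_msg)} for every key whose text
    differs; None marks an entry that is missing from one side."""
    a, b = parse_gen_msg_map(left), parse_gen_msg_map(right)
    return {key: (a.get(key), b.get(key))
            for key in sorted(a.keys() | b.keys())
            if a.get(key) != b.get(key)}


if __name__ == "__main__":
    for (gid, sid), (snort_msg, rules_msg) in diff_gen_msg_maps(
            SNORT_TARBALL_MAP, RULES_TARBALL_MAP).items():
        print(f"{gid}:{sid}\n  snort tarball: {snort_msg}\n  rules tarball: {rules_msg}")
```

Point the two arguments at the map from the Snort tarball and the one from the rules tarball on a real sensor; an empty result means the sensor will record one sig_name per GID:SID.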