Snort mailing list archives

Re: wrong version of gen-msg.map on labs?


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 18 Jul 2014 15:29:54 +0000

On Jul 17, 2014, at 10:49 PM, Gregory S Thomas <greg.thomas () pnnl gov> wrote:

The version of gen-msg.map in the source tarballs is the same in 2.9.6.0, 2.9.6.1, and 2.9.6.2.  The version of 
gen-msg.map on labs is the same in 2.9.6.0 (http://labs.snort.org/snort/2960/gen-msg.map) and 2.9.6.1 
(http://labs.snort.org/snort/2961/gen-msg.map); there is no 2.9.6.2 (http://labs.snort.org/snort/2962/) on labs yet.

This has been corrected.  The correct 2.9.6.2 files have been uploaded.


The differences between the source and labs versions are as follows:

shell> diff snort-2.9.6.1/etc/gen-msg.map labs2961/gen-msg.map
1c1
< # $Id$
---
# $Id: gen-msg.map,v 1.131 2014/03/14 17:09:18 eborgoyn Exp $
281a282,287
120 || 12 || http_inspect: SWF FILE ZLIB DECOMPRESSION FAILURE
120 || 13 || http_inspect: SWF FILE LZMA DECOMPRESSION FAILURE
120 || 14 || http_inspect: PDF FILE DEFLATE DECOMPRESSION FAILURE
120 || 15 || http_inspect: PDF FILE UNSUPPORTED COMPRESSION TYPES
120 || 16 || http_inspect: PDF FILE CASCADED COMPRESSION
120 || 17 || http_inspect: PDF FILE PARSE FAILURE

However, the source code does not appear to support any of the 6 alerts added in the gen-msg.map on labs; definitions 
for other alerts from generator ID 120 reside in src/preprocessors/HttpInspect/include/hi_eo_events.h. Does gen-msg.map 
on labs need to be replaced with a correct version?

This is a 2.9.7.0 feature (SWF and PDF decompression).  Sorry about that.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
