[Snort-sigs] [Emerging-Sigs] Errors with the Snort manual

Joel Esler jesler at ...435...
Thu Feb 18 15:01:57 EST 2010


Keep it up!  This is the kind of feedback we want!  Doesn't help if our
manual has errors in it.  It's a living document, so it's continually
updated, unlike the Snort books, which are static (and wrong).


J

On Thu, Feb 18, 2010 at 2:58 PM, evilghost at ...3397... <
evilghost at ...3397...> wrote:

> You are absolutely correct, this has been resolved in the 2.8.5.1
> manual.  Evidently I did report it after all (couldn't remember) or it
> was resolved without my reporting.  Thanks Joel.
>
> -evilghost
>
> Joel Esler wrote:
> > Evilghost,
> >
> > I have to go off of the current version of the manual, as we put out
> > corrections and additions to the manual with every version of Snort.
> >
> > I am looking at the 2.8.5.1 version that is currently on Snort.org,
> > the REGEX in 3.5.6 reads:
> > "/ABC.{1}DEF/" and the example is (content:"ABC"; content:"DEF";
> > distance:1;).
> > This is correct.
> >
> > In 3.5.7 it says "This rule constrains the search of EFG to not go
> > past 10 bytes past the ABC match."
> >
> > The example is (content:"ABC"; content:"EFG"; within:10;) -- which is
> > correct.
> >
> > As for there being no "D".  There is nothing mentioned about the
> > letter D.
> >
> > J
> >
> > On Thu, Feb 18, 2010 at 2:37 PM, evilghost at ...3397... wrote:
> >
> >     Hello,
> >
> >     There was a discussion on ET about some errors in the Snort manual.
> >     I cannot remember if I reported these or not.  The Snort 2.8.4 manual
> >     appears to be inaccurate or wrong in a few places, specifically:
> >
> >     Page #114, section 3.5.6, the REGEX used to explain figure 3.16 is
> >     incorrect.
> >     Page #114, section 3.5.7, the "10 bytes past the ABCDE match"
> >     verbiage is incorrect, there is no "D" in figure 3.17 nor is the
> >     explanation of figure 3.17 correct.
> >
> >     I did not check 2.8.5 but I assume these may persist there as well.
> >
> >     Thanks
> >     -evilghost
> >
> >     _______________________________________________
> >     Emerging-sigs mailing list
> >     Emerging-sigs at ...3335...
> >     <mailto:Emerging-sigs at ...3335...>
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> >     Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs
> >     and Lanyards
> >     http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
> >
> >
> >
> >
> > --
> > Joel Esler
> > 302-223-5974
>



-- 
Joel Esler
302-223-5974
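
The two rule fragments quoted in this thread, run through a small Python model of relative content matching. This is an added example, not code from the Snort project or from either poster; `match_contents`, `find_all` and the sample payloads are constructed, and the model assumes that `distance` sets a minimum gap after the previous match and that `within` bounds the window the whole next pattern must fit in.

```python
# Simplified model of Snort 2.x relative content options (assumed semantics,
# see lead-in). Each content is (pattern, distance, within); None = not set.

def find_all(payload, pattern, start, end):
    """Yield each offset where pattern lies entirely inside payload[start:end]."""
    pos = payload.find(pattern, start, end)
    while pos != -1:
        yield pos
        pos = payload.find(pattern, pos + 1, end)

def match_contents(payload, contents, cursor=0):
    """Return True if every content matches in order.

    A content with neither option is searched from the start of the payload.
    Otherwise the search starts at cursor + distance and, if within is set,
    the pattern must end no later than `within` bytes after that start.
    Earlier matches are retried when a later content fails (backtracking).
    """
    if not contents:
        return True
    pattern, distance, within = contents[0]
    relative = distance is not None or within is not None
    start = max(0, cursor + (distance or 0)) if relative else 0
    end = len(payload) if within is None else min(len(payload), start + within)
    for pos in find_all(payload, pattern, start, end):
        if match_contents(payload, contents[1:], pos + len(pattern)):
            return True
    return False

# (content:"ABC"; content:"DEF"; distance:1;)
RULE_DISTANCE = [(b"ABC", None, None), (b"DEF", 1, None)]
# (content:"ABC"; content:"EFG"; within:10;)
RULE_WITHIN = [(b"ABC", None, None), (b"EFG", None, 10)]

if __name__ == "__main__":
    samples = [  # constructed payloads
        (RULE_DISTANCE, b"ABCDEF"),            # no gap: distance:1 not met
        (RULE_DISTANCE, b"ABCxDEF"),           # one-byte gap
        (RULE_DISTANCE, b"ABCxxxxDEF"),        # larger gap, no within set
        (RULE_WITHIN, b"ABC" + b"x" * 7 + b"EFG"),   # EFG ends at byte 10
        (RULE_WITHIN, b"ABC" + b"x" * 8 + b"EFG"),   # EFG ends at byte 11
    ]
    for rule, payload in samples:
        print(payload, "->", match_contents(payload, rule))
```
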