[Snort-users] Signature Description Oddness

Starner, Mark mark.starner at ...5850...
Thu Feb 6 10:42:51 EST 2014


When I upgraded some of my sensors to 2.9.6.0, I saw some weird stuff in my
Base Signature Table.

 

I see two different sig_names for the same signatures (in about 6 cases). I'll
detail one instance.

Gid: 142, sid: 6

One Description is: pop: 7bit/8bit/binary/text Extraction failed

The other Description is: pop: Non-Encoded MIME attachment Extraction failed

 

So I looked at the gen-msg.map on the various systems/versions.

2.9.5.5 shipped with:  142 || 6 || pop: Non-Encoded MIME attachment Extraction failed

2.9.6.0 shipped with:  142 || 6 || pop: Non-Encoded MIME attachment Extraction failed

 

That's fine, no change between versions.

 

But when I look in the rules tarballs, the following are in those
gen-msg.map files:

2.9.5.5 tarball: 142 || 6 || pop: 7bit/8bit/binary/text Extraction failed

2.9.6.0 tarball: 142 || 6 || pop: 7bit/8bit/binary/text Extraction failed

 

So the tarball is shipping with different descriptions for some of the
preprocessor rules.

 

So which description is correct? I would have thought if the description
was:

pop: Non-Encoded MIME attachment Extraction failed

in 2.9.5.5, and then it changed to:

pop: 7bit/8bit/binary/text Extraction failed

and was therefore changed in the tarball, then shouldn't 2.9.6.0's release
have reflected this change?

 

Or are the files in the tarball never pulled forward to a new release?

 

Just want to make sure I know which description is the right one. I am
guessing the one in the tarball, just need confirmation.

 

Thanks

Mark

 

 


  



Mark Starner  | Global Infrastructure - Systems  |  Unisys IT


Unisys  |  443-921-0355 
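
The comparison described in the message above, as an added example that is not part of the original post: a Python script that parses two gen-msg.map files and lists the gid/sid pairs whose descriptions differ. The two 142/6 lines come from the post; the 9001 entries, the comment and malformed lines, and all function and variable names are constructed for illustration.

```python
# Added example: compare two Snort gen-msg.map files by (gid, sid).

# From the post: the map shipped with the Snort 2.9.6.0 release.
# The 9001 entries are constructed placeholders, not real Snort generators.
RELEASE_MAP = """\
# constructed comment line
142 || 6 || pop: Non-Encoded MIME attachment Extraction failed
9001 || 1 || constructed: unchanged description
9001 || 2 || constructed: only in release map
"""

# From the post: the map in the 2.9.6.0 rules tarball.
TARBALL_MAP = """\
142 || 6 || pop: 7bit/8bit/binary/text Extraction failed
9001 || 1 || constructed: unchanged description
this line is malformed and is skipped
"""


def parse_gen_msg_map(text):
    """Return {(gid, sid): description} for 'gid || sid || description' lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||", 2)]
        if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue  # not a map entry
        entries[(int(parts[0]), int(parts[1]))] = parts[2]
    return entries


def compare_maps(first, second):
    """Return (changed, only_first, only_second) keyed by (gid, sid)."""
    changed = {k: (first[k], second[k])
               for k in first.keys() & second.keys() if first[k] != second[k]}
    return changed, sorted(first.keys() - second.keys()), sorted(second.keys() - first.keys())


if __name__ == "__main__":
    changed, only_release, only_tarball = compare_maps(
        parse_gen_msg_map(RELEASE_MAP), parse_gen_msg_map(TARBALL_MAP))
    for (gid, sid), (rel, tar) in sorted(changed.items()):
        print(f"{gid}:{sid}\n  release: {rel}\n  tarball: {tar}")
    print("only in release:", only_release)
    print("only in tarball:", only_tarball)
```

To run it on real files, read each gen-msg.map into a string and pass the text to `parse_gen_msg_map`.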

 


