[Snort-users] Signature Description Oddness

Joel Esler (jesler) jesler at ...589...
Thu Feb 6 18:36:40 EST 2014

Looks like we are pulling a file from a different place.  (Not saying it’s right or wrong, we’ll figure that out)

Thanks for bringing that to our attention.

On Feb 6, 2014, at 10:42 AM, Starner, Mark <mark.starner at ...5850...<mailto:mark.starner at ...5850...>> wrote:

When I upgraded some of my sensors to, I saw some weird stuff in my Base Signature Table

I two different sig_name’s for the same signatures (in about 6 case). I’ll detail one instance.
Gid: 142, sid: 6
One Description is: pop: 7bit/8bit/binary/text Extraction failed
The other Description is: pop: Non-Encoded MIME attachment Extraction failed

So I looked at the gen-msg.map on the various systems/versions. shipped with:  142 || 6 || pop: Non-Encoded MIME attachment Extraction failed shipped with:  142 || 6 || pop: Non-Encoded MIME attachment Extraction failed

That’s fine, no change between versions.

But when I look in the rules tarballs, the following are in those gen-msg.map files tarball: 142 || 6 || pop: 7bit/8bit/binary/text Extraction failed tarball: 142 || 6 || pop: 7bit/8bit/binary/text Extraction failed

So the tarball is shipping with different descriptions for some of the preprocessor rules.

So which description is correct? I would have thought if the description was:
pop: Non-Encoded MIME attachment Extraction failed
in, and then it changed to:
pop: 7bit/8bit/binary/text Extraction failed
and was therefore changed in the tarball, then shouldn’t’s release have reflected this change?

Or are the files in the tarball never pulled forward to a new release?

Just want to make sure I know which description is the right one… I am guessing the one in the tarball, just need confirmation.


Mark Starner  | Global Infrastructure - Systems  |  Unisys IT

Unisys  |  443-921-0355


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140206/4cff5ce3/attachment.html>

More information about the Snort-users mailing list