[Snort-users] Signature Description Oddness

Joel Esler (jesler) jesler at ...589...
Thu Feb 6 18:36:40 EST 2014


Looks like we are pulling a file from a different place.  (Not saying it’s right or wrong, we’ll figure that out)

Thanks for bringing that to our attention.


On Feb 6, 2014, at 10:42 AM, Starner, Mark <mark.starner at ...5850...> wrote:

When I upgraded some of my sensors to 2.9.6.0, I saw some weird stuff in my Base Signature Table

I have two different sig_name's for the same signatures (in about 6 cases). I'll detail one instance.
Gid: 142, sid: 6
One Description is: pop: 7bit/8bit/binary/text Extraction failed
The other Description is: pop: Non-Encoded MIME attachment Extraction failed

So I looked at the gen-msg.map on the various systems/versions.
2.9.5.5 shipped with:  142 || 6 || pop: Non-Encoded MIME attachment Extraction failed
2.9.6.0 shipped with:  142 || 6 || pop: Non-Encoded MIME attachment Extraction failed

That’s fine, no change between versions.

But when I look in the rules tarballs, the following are in those gen-msg.map files
2.9.5.5 tarball: 142 || 6 || pop: 7bit/8bit/binary/text Extraction failed
2.9.6.0 tarball: 142 || 6 || pop: 7bit/8bit/binary/text Extraction failed

So the tarball is shipping with different descriptions for some of the preprocessor rules.

So which description is correct? I would have thought if the description was:
pop: Non-Encoded MIME attachment Extraction failed
in 2.9.5.5, and then it changed to:
pop: 7bit/8bit/binary/text Extraction failed
and was therefore changed in the tarball, then shouldn’t 2.9.6.0’s release have reflected this change?

Or are the files in the tarball never pulled forward to a new release?

Just want to make sure I know which description is the right one… I am guessing the one in the tarball, just need confirmation.

Thanks
Mark




Mark Starner  | Global Infrastructure - Systems  |  Unisys IT

Unisys  |  443-921-0355
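Added example, not code from the thread or from the Snort project: a small script that parses two gen-msg.map files in the `gid || sid || message` layout quoted above and lists the preprocessor rules whose descriptions differ, which is the comparison Mark did by hand between the source release and the rules tarball. The file contents below are constructed excerpts built from the two descriptions quoted in the thread; treating `#` lines as comments and ignoring any fields past the third are assumptions.

```python
"""Compare two Snort gen-msg.map files and report entries whose
description text differs (e.g. shipped file vs. rules tarball).

Assumed layout per data line:  gid || sid || message
Lines starting with '#' are treated as comments (assumption).
"""
from typing import Dict, Tuple

Key = Tuple[int, int]


def parse_gen_msg_map(text: str) -> Dict[Key, str]:
    """Return {(gid, sid): message} for every data line in the file."""
    table: Dict[Key, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            raise ValueError(f"line {lineno}: malformed gen-msg.map entry: {raw!r}")
        # Any fields after the message are ignored (assumption).
        table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table


def diff_descriptions(a: Dict[Key, str], b: Dict[Key, str]) -> Dict[Key, Tuple[str, str]]:
    """Entries present in both maps whose message text differs."""
    return {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}


# Constructed excerpts; only the gid 142 / sid 6 lines come from the thread.
SHIPPED = """\
# constructed excerpt standing in for the 2.9.6.0 release gen-msg.map
142 || 1 || pop: constructed unchanged message
142 || 6 || pop: Non-Encoded MIME attachment Extraction failed
"""
TARBALL = """\
# constructed excerpt standing in for the rules tarball gen-msg.map
142 || 1 || pop: constructed unchanged message
142 || 6 || pop: 7bit/8bit/binary/text Extraction failed
"""

if __name__ == "__main__":
    mismatches = diff_descriptions(parse_gen_msg_map(SHIPPED), parse_gen_msg_map(TARBALL))
    for (gid, sid), (old, new) in sorted(mismatches.items()):
        print(f"gid {gid} sid {sid}\n  shipped: {old}\n  tarball: {new}")
```

Run it against the real files (e.g. `etc/gen-msg.map` from the release and the one in the rules tarball) by reading both into strings; every key it reports is a signature that will show two different names in a database fed from both sources.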

