Re: [Emerging-Sigs] Errors with the Snort manual

[Joel Esler <jesler () sourcefire com>]

Keep it up!  This is the kind of feedback we want!  Doesn't help if our
manual has errors in it.  It's a living document, so it's continually
updated, unlike the Snort books, which are static (and wrong)


J

On Thu, Feb 18, 2010 at 2:58 PM, evilghost () packetmail net <
evilghost () packetmail net> wrote:

> You are absolutely correct, this has been resolved in the 2.8.5.1
> manual.  Evidently I did report it after all (couldn't remember) or it
> was resolved without my reporting.  Thanks Joel.
>
> -evilghost
>
> Joel Esler wrote:
> > Evilghost,
> >
> > I have to go off of the current version of the manual, as we put out
> > corrections and additions to the manual with every version of Snort.
> >
> > I am looking at the 2.8.5.1 version that is currently on Snort.org,
> > the REGEX in 3.5.6 reads:
> > "/ABC.{1}DEF/" and the example is (content:"ABC"; content:"DEF";
> > distance:1;).
> > This is correct.
> >
> > In 3.5.7 it says "This rule constrains the search of EFG to not go
> > past 10 bytes past the ABC match."
> >
> > The example is (content:"ABC"; content:"EFG"; within:10;) -- which is
> > correct.
> >
> > As for there being no "D".  There is nothing mentioned about the letter
> D.
> > J
> >
> > On Thu, Feb 18, 2010 at 2:37 PM, evilghost () packetmail net
> > <mailto:evilghost () packetmail net> <evilghost () packetmail net
> > <mailto:evilghost () packetmail net>> wrote:
> >
> >     Hello,
> >
> >     There was a discussion on ET about some errors in the Snort manual.
>  I
> >     cannot remember if I reported these or not.  The Snort 2.8.4 manual
> >     appears to be inaccurate or wrong in a few places, specifically:
> >
> >     Page #114, section 3.5.6, the REGEX used to explain figure 3.16 is
> >     incorrect.
> >     Page #114, section 3.5.7, the "10 bytes past the ABCDE match"
> verbiage
> >     is incorrect, there is no "D" in figure 3.17 nor is the explanation
> of
> >     figure 3.17 correct.
> >
> >     I did not check 2.8.5 but I assume these may persist there as well.
> >
> >     Thanks
> >     -evilghost
> >
> >     _______________________________________________
> >     Emerging-sigs mailing list
> >     Emerging-sigs () emergingthreats net
> >     <mailto:Emerging-sigs () emergingthreats net>
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> >     Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs
> >     and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
> > --
> > Joel Esler
> > 302-223-5974
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () emergingthreats net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and
> Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html



-- 
Joel Esler
302-223-5974

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs