Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified

[Joel Esler <jesler () sourcefire com>]

I've bugged this for fix.  Thanks Eoin.

Joel

On Dec 17, 2010, at 1:30 PM, Eoin Miller wrote:

> On 12/17/2010 6:01 PM, JS wrote:
> > Eoin/Kevin,
> >
> > Thanks I think I finally got it resolved. Turns out, I updated all my files with 
> > the 2.9.0.1 ruleset as described in my first post. The gen-msg.map that comes 
> > with 2.9.0.2 does indeed have the missing stream5 entries! The gen-msg.map that 
> > comes with 2.9.0.1 does NOT.
> >
> > Ugh, guess I now know you only upgrade your rules with matching versions. I did 
> > not think it would be that big of a deal to use 2.9.0.1 rules with a 2.9.0.2 
> > snort install.
> >
> > Thanks.
>
> Hmm, looks like there is missing stuff in the VRT rules versus the
> Source stuff:
>
>
> gen-msg.map for 2.9.0.1 from SOURCE:
> ========================================================================
> $ grep "129 ||" snort-2.9.0.1/etc/gen-msg.map
> 129 || 1 || stream5: SYN on established session
> 129 || 2 || stream5: Data on SYN packet
> 129 || 3 || stream5: Data sent on stream not accepting data
> 129 || 4 || stream5: TCP Timestamp is outside of PAWS window
> 129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
> 129 || 6 || stream5: Window size (after scaling) larger than policy allows
> 129 || 7 || stream5: Limit on number of overlapping TCP packets reached
> 129 || 8 || stream5: Data sent on stream after TCP Reset
> 129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet
> Address
> 129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet
> Address
> 129 || 11 || stream5: TCP Data with no TCP Flags set
> 129 || 12 || stream5: TCP Small Segment Threshold Exceeded
> 129 || 13 || stream5: TCP 4-way handshake detected
> 129 || 14 || stream5: TCP Timestamp is missing
> 129 || 15 || stream5: Reset outside window
> 129 || 16 || stream5: FIN number is greater than prior FIN
> 129 || 17 || stream5: ACK number is greater than prior FIN
> 129 || 18 || stream5: Data sent on stream after TCP Reset received
> 129 || 19 || stream5: TCP window closed before receiving data
>
>
> gen-msg.map for 2.9.0.1 from VRT (just pulled about 10 min ago):
> ========================================================================
> 128 || 7 || ssh: Failed to detect SSH version string
> 129 || 1 || stream5: SYN on established session
> 129 || 2 || stream5: Data on SYN packet
> 129 || 3 || stream5: Data sent on stream not accepting data
> 129 || 4 || stream5: TCP Timestamp is outside of PAWS window
> 129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
> 129 || 6 || stream5: Window size (after scaling) larger than policy allows
> 129 || 7 || stream5: Limit on number of overlapping TCP packets reached
> 129 || 8 || stream5: Data sent on stream after TCP Reset
> 129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet
> Address
> 129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet
> Address
> 129 || 11 || stream5: TCP Data with no TCP Flags set
> 129 || 12 || stream5: TCP Small Segment Threshold Exceeded
> 129 || 13 || stream5: TCP 4-way handshake detected
> 129 || 14 || stream5: TCP Timestamp is missing
> 130 || 1 || dcerpc: Maximum memory usage reached
>
> I guess Matt W is the best one to to alert about this (cc'd on this email)?
>
> -- Eoin


------------------------------------------------------------------------------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how
to connect the dots, take your collaborative environment
to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users