Snort mailing list archives
Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 17 Dec 2010 14:06:20 -0500
I've bugged this for fix. Thanks Eoin. Joel On Dec 17, 2010, at 1:30 PM, Eoin Miller wrote:
On 12/17/2010 6:01 PM, JS wrote:Eoin/Kevin, Thanks I think I finally got it resolved. Turns out, I updated all my files with the 2.9.0.1 ruleset as described in my first post. The gen-msg.map that comes with 2.9.0.2 does indeed have the missing stream5 entries! The gen-msg.map that comes with 2.9.0.1 does NOT. Ugh, guess I now know you only upgrade your rules with matching versions. I did not think it would be that big of a deal to use 2.9.0.1 rules with a 2.9.0.2 snort install. Thanks.Hmm, looks like there is missing stuff in the VRT rules versus the Source stuff: gen-msg.map for 2.9.0.1 from SOURCE: ======================================================================== $ grep "129 ||" snort-2.9.0.1/etc/gen-msg.map 129 || 1 || stream5: SYN on established session 129 || 2 || stream5: Data on SYN packet 129 || 3 || stream5: Data sent on stream not accepting data 129 || 4 || stream5: TCP Timestamp is outside of PAWS window 129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0 129 || 6 || stream5: Window size (after scaling) larger than policy allows 129 || 7 || stream5: Limit on number of overlapping TCP packets reached 129 || 8 || stream5: Data sent on stream after TCP Reset 129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address 129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address 129 || 11 || stream5: TCP Data with no TCP Flags set 129 || 12 || stream5: TCP Small Segment Threshold Exceeded 129 || 13 || stream5: TCP 4-way handshake detected 129 || 14 || stream5: TCP Timestamp is missing 129 || 15 || stream5: Reset outside window 129 || 16 || stream5: FIN number is greater than prior FIN 129 || 17 || stream5: ACK number is greater than prior FIN 129 || 18 || stream5: Data sent on stream after TCP Reset received 129 || 19 || stream5: TCP window closed before receiving data gen-msg.map for 2.9.0.1 from VRT (just pulled about 10 min ago): ======================================================================== 128 || 7 || ssh: Failed to detect SSH version string 129 || 1 || stream5: SYN on established session 129 || 2 || stream5: Data on SYN packet 129 || 3 || stream5: Data sent on stream not accepting data 129 || 4 || stream5: TCP Timestamp is outside of PAWS window 129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0 129 || 6 || stream5: Window size (after scaling) larger than policy allows 129 || 7 || stream5: Limit on number of overlapping TCP packets reached 129 || 8 || stream5: Data sent on stream after TCP Reset 129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address 129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address 129 || 11 || stream5: TCP Data with no TCP Flags set 129 || 12 || stream5: TCP Small Segment Threshold Exceeded 129 || 13 || stream5: TCP 4-way handshake detected 129 || 14 || stream5: TCP Timestamp is missing 130 || 1 || dcerpc: Maximum memory usage reached I guess Matt W is the best one to to alert about this (cc'd on this email)? -- Eoin
------------------------------------------------------------------------------ Lotusphere 2011 Register now for Lotusphere 2011 and learn how to connect the dots, take your collaborative environment to the next level, and enter the era of Social Business. http://p.sf.net/sfu/lotusphere-d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Kevin Ross (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Eoin Miller (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Russ Combs (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Eoin Miller (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Russ Combs (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Joel Esler (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Joel Esler (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Kevin Ross (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Randal T. Rioux (Dec 19)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jun Wan (Dec 20)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jefferson, Shawn (Dec 20)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jun Wan (Dec 20)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jefferson, Shawn (Dec 21)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Joel Esler (Dec 21)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jun Wan (Dec 25)