Snort mailing list archives

Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Fri, 17 Dec 2010 17:42:50 +0000

On 12/17/2010 5:31 PM, JS wrote:
Kevin thanks for the info. I reviewed my setup and my startup script for 
barnyard2 and its barnyard.conf both point to the gen-msg.map and sid-msg.map 
files in the /etc/snort directory. Those files were updated when I updated with 
the snort 2.9.0.1 ruleset.

This is uber confusing as I have been reading the "README" for stream5 from 
snort 2.9.0.2 and it only lists SID's for stream5 (generatorid 129) that go up 
to number 14. Yet somehow my snort install (version 2.9.0.2) is throwing a SID 
of 15??? 


As far as I can see this event sid (129-15) does not even exist in snort 2.9.0.2 
according to the readme. Any thoughts on this?





Um...?

$ grep "129 ||" snort-2.9.0.1/etc/gen-msg.map

129 || 1 || stream5: SYN on established session
129 || 2 || stream5: Data on SYN packet
129 || 3 || stream5: Data sent on stream not accepting data
129 || 4 || stream5: TCP Timestamp is outside of PAWS window
129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
129 || 6 || stream5: Window size (after scaling) larger than policy allows
129 || 7 || stream5: Limit on number of overlapping TCP packets reached
129 || 8 || stream5: Data sent on stream after TCP Reset
129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
129 || 11 || stream5: TCP Data with no TCP Flags set
129 || 12 || stream5: TCP Small Segment Threshold Exceeded
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
129 || 15 || stream5: Reset outside window
129 || 16 || stream5: FIN number is greater than prior FIN
129 || 17 || stream5: ACK number is greater than prior FIN
129 || 18 || stream5: Data sent on stream after TCP Reset received
129 || 19 || stream5: TCP window closed before receiving data

-- Eoin
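The check behind Eoin's grep, as an added example that is not part of the thread: parse a gen-msg.map file in the `gid || sid || message` layout shown above and report whether a given gid:sid resolves to a message (if it does not, barnyard2 has nothing to label the event with). The sample map text is constructed from a subset of the stream5 entries quoted on the page; the function names are this example's own.

```python
"""Resolve a Snort gid:sid against a gen-msg.map (added example, not from the thread)."""
import sys
from typing import Dict, Optional, Tuple

# Constructed sample in gen-msg.map format: a subset of the stream5 (gid 129)
# entries quoted in the thread, plus a comment line and a blank line as real
# map files may contain.
SAMPLE_GEN_MSG_MAP = """\
# gen-msg.map: generator id || alert id || message
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
129 || 15 || stream5: Reset outside window

129 || 19 || stream5: TCP window closed before receiving data
"""


def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """Return {(gid, sid): message} for every well-formed line.

    Blank lines and '#' comments are skipped. Fields are split on '||' and
    stripped, matching the layout in the grep output above.
    """
    entries: Dict[Tuple[int, int], str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected 'gid || sid || msg', got {raw!r}")
        try:
            gid, sid = int(parts[0]), int(parts[1])
        except ValueError as exc:
            raise ValueError(f"line {lineno}: non-numeric gid/sid in {raw!r}") from exc
        # Rejoin the remainder in case the message text itself contains '||'.
        entries[(gid, sid)] = " || ".join(parts[2:])
    return entries


def lookup(entries: Dict[Tuple[int, int], str], gid: int, sid: int) -> Optional[str]:
    """Message for gid:sid, or None when the map file lacks that event."""
    return entries.get((gid, sid))


def highest_sid(entries: Dict[Tuple[int, int], str], gid: int) -> Optional[int]:
    """Highest sid the map knows for a generator; useful to compare against
    what a README for that preprocessor lists."""
    sids = [s for (g, s) in entries if g == gid]
    return max(sids) if sids else None


if __name__ == "__main__":
    # Usage: python check_gen_msg.py [/etc/snort/gen-msg.map]
    # With no argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            table = parse_gen_msg_map(fh.read())
    else:
        table = parse_gen_msg_map(SAMPLE_GEN_MSG_MAP)
    for sid in (14, 15, 20):
        msg = lookup(table, 129, sid)
        print(f"129:{sid} -> {msg if msg else 'NOT IN MAP'}")
    print("highest stream5 sid in map:", highest_sid(table, 129))
```

Pointing the script at the gen-msg.map that barnyard2's configuration references (rather than whichever copy happens to be in the working directory) is the quickest way to confirm the two agree; a 129:15 that resolves here but shows up unnamed in the console indicates barnyard2 is reading a different, older map file.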

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
