Snort mailing list archives
Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 17 Dec 2010 13:42:55 -0500
As Russ said, sending issues to us should all go to bugs () snort org. All the right people are on that distribution list and we'll be able to file bugs and triage accordingly.

Sent from my iPhone

On Dec 17, 2010, at 1:30 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:
On 12/17/2010 6:01 PM, JS wrote:
Eoin/Kevin,

Thanks, I think I finally got it resolved. Turns out, I updated all my files with the 2.9.0.1 ruleset as described in my first post. The gen-msg.map that comes with 2.9.0.2 does indeed have the missing stream5 entries! The gen-msg.map that comes with 2.9.0.1 does NOT. Ugh, guess I now know you only upgrade your rules with matching versions. I did not think it would be that big of a deal to use 2.9.0.1 rules with a 2.9.0.2 snort install. Thanks.

Hmm, looks like there is missing stuff in the VRT rules versus the Source stuff:

gen-msg.map for 2.9.0.1 from SOURCE:
========================================================================
$ grep "129 ||" snort-2.9.0.1/etc/gen-msg.map
129 || 1 || stream5: SYN on established session
129 || 2 || stream5: Data on SYN packet
129 || 3 || stream5: Data sent on stream not accepting data
129 || 4 || stream5: TCP Timestamp is outside of PAWS window
129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
129 || 6 || stream5: Window size (after scaling) larger than policy allows
129 || 7 || stream5: Limit on number of overlapping TCP packets reached
129 || 8 || stream5: Data sent on stream after TCP Reset
129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
129 || 11 || stream5: TCP Data with no TCP Flags set
129 || 12 || stream5: TCP Small Segment Threshold Exceeded
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
129 || 15 || stream5: Reset outside window
129 || 16 || stream5: FIN number is greater than prior FIN
129 || 17 || stream5: ACK number is greater than prior FIN
129 || 18 || stream5: Data sent on stream after TCP Reset received
129 || 19 || stream5: TCP window closed before receiving data

gen-msg.map for 2.9.0.1 from VRT (just pulled about 10 min ago):
========================================================================
128 || 7 || ssh: Failed to detect SSH version string
129 || 1 || stream5: SYN on established session
129 || 2 || stream5: Data on SYN packet
129 || 3 || stream5: Data sent on stream not accepting data
129 || 4 || stream5: TCP Timestamp is outside of PAWS window
129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
129 || 6 || stream5: Window size (after scaling) larger than policy allows
129 || 7 || stream5: Limit on number of overlapping TCP packets reached
129 || 8 || stream5: Data sent on stream after TCP Reset
129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
129 || 11 || stream5: TCP Data with no TCP Flags set
129 || 12 || stream5: TCP Small Segment Threshold Exceeded
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
130 || 1 || dcerpc: Maximum memory usage reached

I guess Matt W is the best one to alert about this (cc'd on this email)?

-- Eoin
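The diagnosis in this thread turns on gen-msg.map, the file that maps a generator id and alert id (one `gid || sid || message` line per preprocessor event) to the name barnyard2 attaches to unified2 events before handing them to BASE. When a stream5 event's gid/sid pair has no line in the map, the event arrives in BASE with no signature name and lands in the "unclassified" class, which is exactly the symptom JS reported. The script below is an added example, not code from the Snort, barnyard2 or BASE projects: it parses two copies of gen-msg.map and lists the gid/sid pairs one copy lacks, so the mismatch can be caught before the sensor is restarted. The two embedded map excerpts are constructed from the lines quoted above, and the file paths in the closing comment are placeholders.

```python
"""Parse Snort gen-msg.map files and report gid/sid entries missing between two copies.

Added example for this thread; not code from the Snort, barnyard2 or BASE projects.
"""
from typing import Dict, List, Optional, Tuple

GenMap = Dict[Tuple[int, int], str]

# Constructed sample: an excerpt modelled on the stream5 (gid 129) block of the
# gen-msg.map shipped in the Snort 2.9.0.1 source tarball, as quoted in the thread.
SOURCE_MAP = """\
# gen-msg.map format: generator id || alert id || message
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
129 || 15 || stream5: Reset outside window
129 || 16 || stream5: FIN number is greater than prior FIN
129 || 17 || stream5: ACK number is greater than prior FIN
129 || 18 || stream5: Data sent on stream after TCP Reset received
129 || 19 || stream5: TCP window closed before receiving data
"""

# Constructed sample: the same region as quoted from the VRT rules tarball, which
# stops at 129 || 14 (the entries that were missing in BASE).
VRT_MAP = """\
128 || 7 || ssh: Failed to detect SSH version string
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
130 || 1 || dcerpc: Maximum memory usage reached
"""


def parse_gen_msg_map(text: str) -> GenMap:
    """Return {(gid, sid): message} for a gen-msg.map body.

    Blank lines and '#' comments are skipped; any other line that is not
    three '||'-separated fields is rejected, so a corrupted map is noticed
    at load time instead of surfacing later as unnamed alerts.
    """
    entries: GenMap = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'gid || sid || message', got {raw!r}")
        gid, sid, msg = fields
        entries[(int(gid), int(sid))] = msg
    return entries


def missing_entries(reference: GenMap, candidate: GenMap) -> List[Tuple[int, int, str]]:
    """Entries present in `reference` but absent from `candidate`, sorted by gid then sid."""
    return sorted(
        (gid, sid, msg)
        for (gid, sid), msg in reference.items()
        if (gid, sid) not in candidate
    )


def alert_name(gen_map: GenMap, gid: int, sid: int) -> Optional[str]:
    """Look up the name a unified2 consumer would attach to a preprocessor alert.

    Returns None when the gid/sid pair has no map entry, which is the case in
    which barnyard2 has no name to hand BASE and the event shows up unnamed
    and unclassified.
    """
    return gen_map.get((gid, sid))


def report(source_text: str, vrt_text: str) -> List[str]:
    """Human-readable lines describing what the second map lacks relative to the first."""
    src = parse_gen_msg_map(source_text)
    vrt = parse_gen_msg_map(vrt_text)
    lines = [f"{len(src)} entries in source map, {len(vrt)} in VRT map"]
    for gid, sid, msg in missing_entries(src, vrt):
        lines.append(f"missing from VRT map: {gid} || {sid} || {msg}")
    return lines


if __name__ == "__main__":
    # Real use (placeholder paths): compare the map from the Snort source tarball
    # against the one barnyard2 is actually configured to read, e.g.
    #   report(open("/path/to/snort-2.9.0.1/etc/gen-msg.map").read(),
    #          open("/path/to/vrt-rules/etc/gen-msg.map").read())
    print("\n".join(report(SOURCE_MAP, VRT_MAP)))
```

Run it against the gen-msg.map from the Snort tarball you installed and the one barnyard2's config points at; any line in the report means an alert that will render as unclassified in BASE until the two files match.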
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Kevin Ross (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Eoin Miller (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Russ Combs (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Eoin Miller (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Russ Combs (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Joel Esler (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Joel Esler (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Kevin Ross (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Randal T. Rioux (Dec 19)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jun Wan (Dec 20)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jefferson, Shawn (Dec 20)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jun Wan (Dec 20)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jefferson, Shawn (Dec 21)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Joel Esler (Dec 21)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassifiede Jun Wan (Dec 25)