Snort mailing list archives

Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 17 Dec 2010 13:42:55 -0500

As Russ said, sending issues to us should all go to bugs () snort org.  

All the right people are on that distribution list and we'll be able to file bugs and triage accordingly.  


Sent from my iPhone

On Dec 17, 2010, at 1:30 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:

On 12/17/2010 6:01 PM, JS wrote:
Eoin/Kevin,

Thanks I think I finally got it resolved. Turns out, I updated all my files with 
the 2.9.0.1 ruleset as described in my first post. The gen-msg.map that comes 
with 2.9.0.2 does indeed have the missing stream5 entries! The gen-msg.map that 
comes with 2.9.0.1 does NOT.

Ugh, guess I now know you only upgrade your rules with matching versions. I did 
not think it would be that big of a deal to use 2.9.0.1 rules with a 2.9.0.2 
snort install.

Thanks.

Hmm, looks like there is missing stuff in the VRT rules versus the
Source stuff:


gen-msg.map for 2.9.0.1 from SOURCE:
========================================================================
$ grep "129 ||" snort-2.9.0.1/etc/gen-msg.map
129 || 1 || stream5: SYN on established session
129 || 2 || stream5: Data on SYN packet
129 || 3 || stream5: Data sent on stream not accepting data
129 || 4 || stream5: TCP Timestamp is outside of PAWS window
129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
129 || 6 || stream5: Window size (after scaling) larger than policy allows
129 || 7 || stream5: Limit on number of overlapping TCP packets reached
129 || 8 || stream5: Data sent on stream after TCP Reset
129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
129 || 11 || stream5: TCP Data with no TCP Flags set
129 || 12 || stream5: TCP Small Segment Threshold Exceeded
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
129 || 15 || stream5: Reset outside window
129 || 16 || stream5: FIN number is greater than prior FIN
129 || 17 || stream5: ACK number is greater than prior FIN
129 || 18 || stream5: Data sent on stream after TCP Reset received
129 || 19 || stream5: TCP window closed before receiving data


gen-msg.map for 2.9.0.1 from VRT (just pulled about 10 min ago):
========================================================================
128 || 7 || ssh: Failed to detect SSH version string
129 || 1 || stream5: SYN on established session
129 || 2 || stream5: Data on SYN packet
129 || 3 || stream5: Data sent on stream not accepting data
129 || 4 || stream5: TCP Timestamp is outside of PAWS window
129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
129 || 6 || stream5: Window size (after scaling) larger than policy allows
129 || 7 || stream5: Limit on number of overlapping TCP packets reached
129 || 8 || stream5: Data sent on stream after TCP Reset
129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
129 || 11 || stream5: TCP Data with no TCP Flags set
129 || 12 || stream5: TCP Small Segment Threshold Exceeded
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
130 || 1 || dcerpc: Maximum memory usage reached

I guess Matt W is the best one to alert about this (cc'd on this email)?

-- Eoin
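The comparison above was done by hand with grep. A small parser for the gen-msg.map format makes the same check repeatable after every rules or engine upgrade, and shows why a missing entry surfaces as an unnamed event in an alert consumer. This is an added example, not code from the thread or from the Snort project; the two sample maps are constructed from the entries quoted above (a slice of the source tarball's map and of the VRT rules tarball's map), and the placeholder text for an unknown event is this example's own choice.

```python
"""Compare two Snort gen-msg.map files and report generator/SID entries that
one has and the other lacks. Added example for the mailing-list thread above;
the sample maps are constructed from the entries quoted in it."""
from typing import Dict, List, Tuple

GenSidKey = Tuple[int, int]

# Constructed sample: a slice of the source tarball's gen-msg.map quoted above.
SOURCE_MAP = """\
129 || 1 || stream5: SYN on established session
129 || 14 || stream5: TCP Timestamp is missing
129 || 15 || stream5: Reset outside window
129 || 16 || stream5: FIN number is greater than prior FIN
129 || 17 || stream5: ACK number is greater than prior FIN
129 || 18 || stream5: Data sent on stream after TCP Reset received
129 || 19 || stream5: TCP window closed before receiving data
"""

# Constructed sample: the same slice from the VRT rules tarball's map, which stops at SID 14.
VRT_MAP = """\
128 || 7 || ssh: Failed to detect SSH version string
129 || 1 || stream5: SYN on established session
129 || 14 || stream5: TCP Timestamp is missing
130 || 1 || dcerpc: Maximum memory usage reached
"""


def parse_gen_msg_map(text: str) -> Dict[GenSidKey, str]:
    """Parse 'gid || sid || message' lines into {(gid, sid): message}.
    Blank lines and '#' comments are skipped; a malformed line raises so a
    corrupted map is noticed instead of silently shortening the table."""
    entries: Dict[GenSidKey, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected 'gid || sid || msg', got {raw!r}")
        gid, sid = int(parts[0]), int(parts[1])
        # Rejoin anything past the second separator so a message containing '||' is kept whole.
        entries[(gid, sid)] = " || ".join(parts[2:])
    return entries


def missing_entries(reference: Dict[GenSidKey, str],
                    candidate: Dict[GenSidKey, str]) -> List[GenSidKey]:
    """Keys present in reference but absent from candidate, sorted by (gid, sid)."""
    return sorted(k for k in reference if k not in candidate)


def describe_event(gen_map: Dict[GenSidKey, str], gid: int, sid: int) -> str:
    """Resolve a preprocessor event to its name. A key the map lacks yields a
    placeholder (this example's wording) rather than a signature name, which is
    the condition that showed up as an unclassified event in the thread."""
    return gen_map.get((gid, sid), f"(unknown gid {gid} sid {sid}: not in gen-msg.map)")


if __name__ == "__main__":
    src = parse_gen_msg_map(SOURCE_MAP)
    vrt = parse_gen_msg_map(VRT_MAP)
    for gid, sid in missing_entries(src, vrt):
        print(f"missing from VRT map: {gid}:{sid} {src[(gid, sid)]}")
    print(describe_event(vrt, 129, 15))
```

Run it against the two real files (read each into a string) after an upgrade; any key reported in either direction means the engine and the rules tarball disagree about the event table, which is exactly the mismatch that produced the unnamed stream5 alerts.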
