Snort mailing list archives
Re: Minor corrections to the 2.9.0.2 manual
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 17 Dec 2010 17:56:40 -0500
Should be next week. Check out the most recent blog entry. Blog.snort.org

Sent from my iPhone

On Dec 17, 2010, at 5:28 PM, <Joshua.Kinard () us-cert gov> wrote:
Hi Ryan,

Thanks for the clarification. That makes sense. The PDF not getting regenerated threw me off there. No rush on trying to get these into 2.9.0.2. I'm just trying to help bring the little things like this to the surface so they can be picked up in a future release. The holidays always add to the busy schedules we have.

Thanks!,
--J

-----Original Message-----
From: Ryan Jordan [mailto:ryan.jordan () sourcefire com]
Sent: Thursday, December 16, 2010 4:12 PM
To: Kinard, Joshua A
Cc: snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] Minor corrections to the 2.9.0.2 manual

Hi Josh,

Sorry for the delayed response, it's been one of those weeks.

First of all, it looks like I didn't re-generate the PDF when we released Snort 2.9.0.2. This has been rectified for the 2.9.0.3 release. The PDF also gets generated as part of the RPM build process, so the PDF included there should match the latex file.

Regarding the use of ssl_state, consider the following rule:

    alert tcp $HOME_NET any -> $EXTERNAL_NET $SSL_PORTS (msg:"SSL client hello OR client key exchange"; ssl_state:client_hello,client_keyx; gid:1; sid:1000000;)

This rule would fire on every packet during the "client_hello" and "client_keyx" states. By looking at the alert, you don't know which state actually triggered the rule. Maybe the session never got to the client_keyx state?

By splitting the ssl_state options into multiple rules, you can be more specific about which state triggered the rule option. That appears to be the point that the documentation is trying to make.

The rest of your changes look good. While it's too late for me to squeeze them into Snort 2.9.0.3, we've created a bug report to get them into the release after that.

Thanks,
Ryan

On Mon, Dec 13, 2010 at 7:46 PM, <Joshua.Kinard () us-cert gov> wrote:

Hi snort-devel,

Noticed some additional errors in the Snort-2.9.0.2 manual for ssl_state and ssl_version.
However, the LaTeX source in the 2.9.0.2 distribution does not match the actual rendered PDF that is included. The PDF's rendering date (06/23/2010) is also mismatched versus 2.9.0.1's copy (10/08/2010). So, I'm uncertain which LaTeX source I should use to diff a patch against. Since they're minor corrections, I'll just list them here instead:

snort-2.9.0.2/doc/snort_manual.pdf, page 79, ssl_version block:
"To check for two SSL versions in use simultaneously, multiple ssl version rule options should be used."
Change to (added "or more", added underscore)
"To check for two or more SSL versions in use simultaneously, multiple ssl_version rule options should be used."

snort-2.9.0.2/doc/snort_manual.pdf, page 80, ssl_version example:
- Remove space after delimiting colon.
- Add semi-colon after rule option examples.

snort-2.9.0.2/doc/snort_manual.pdf, page 80, ssl_state block:
"To ensure the connection is reached each of a set of states, multiple ssl state rule options should be used."
Change to (changed "is" to "has", added underscore)
"To ensure the connection has reached each of a set of states, multiple ssl_state rule options should be used."

snort-2.9.0.2/doc/snort_manual.pdf, page 80, ssl_state example:
- Remove space after delimiting colon.
- Add semi-colon after rule option examples.

Of note, the LaTeX source for the 2.9.0.2 manual, for ssl_state's description, states the following (instead of the original sentence corrected above):
"To ensure the connection has reached each of a set of states, multiple rules using the ssl_state rule option should be used."

This conflicts with the rendered PDF, which says to use multiple rule options, NOT multiple rules. The CVS copy reflects the LaTeX source, so I'm uncertain of which is the correct usage of this option. Multiple rules, each with a maximum of ONE ssl_state rule option, or a single rule with MULTIPLE ssl_state options?
Thanks,
--J
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
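The splitting of ssl_state across rules discussed in the thread, written out as an added example that is not part of the original messages or the Snort manual. The sids above 1000000, the msg strings and the flowbit name `ssl.chello` are constructed; the flowbits pairing in the last two rules is an assumption about one way to tie the two states to a single session, which the thread itself does not describe.

```snort
# Constructed example rules. The three groups are alternatives for
# comparison, not a set meant to be loaded together.

# 1) Combined form quoted in the thread: the comma-separated states are
#    matched as alternatives, so the alert does not say which state fired.
alert tcp $HOME_NET any -> $EXTERNAL_NET $SSL_PORTS (msg:"SSL client hello OR client key exchange"; ssl_state:client_hello,client_keyx; gid:1; sid:1000000;)

# 2) Split form: one ssl_state value per rule, each with its own sid and
#    msg, so the alert identifies the state that triggered it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $SSL_PORTS (msg:"SSL client hello"; ssl_state:client_hello; gid:1; sid:1000001;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $SSL_PORTS (msg:"SSL client key exchange"; ssl_state:client_keyx; gid:1; sid:1000002;)

# 3) Assumed pairing with flowbits: the first rule silently marks the
#    session when client_hello is seen; the second alerts only when
#    client_keyx is seen on a session that already carries the mark.
alert tcp $HOME_NET any -> $EXTERNAL_NET $SSL_PORTS (msg:"SSL client hello seen (marker, no alert)"; ssl_state:client_hello; flowbits:set,ssl.chello; flowbits:noalert; gid:1; sid:1000003;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $SSL_PORTS (msg:"SSL client key exchange after client hello"; ssl_state:client_keyx; flowbits:isset,ssl.chello; gid:1; sid:1000004;)
```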
Current thread:
- Minor corrections to the 2.9.0.2 manual Joshua.Kinard (Dec 13)
- Re: Minor corrections to the 2.9.0.2 manual Ryan Jordan (Dec 16)
- Re: Minor corrections to the 2.9.0.2 manual Joshua.Kinard (Dec 17)
- Re: Minor corrections to the 2.9.0.2 manual Joel Esler (Dec 17)
- Re: Minor corrections to the 2.9.0.2 manual Joshua.Kinard (Dec 17)
- Re: Minor corrections to the 2.9.0.2 manual Ryan Jordan (Dec 16)