Snort mailing list archives
gen-msg.map duplicate entries
From: Eric Olsen <ericjolsen () gmail com>
Date: Fri, 7 Oct 2011 10:13:55 -0500
I'm noticing that in the gen-msg.map file included with the snort-2.9.1.1 source there are duplicate entries for GID 124 SMTP preprocessor rules. Correct me if I'm wrong here.

In the gen-msg.map file the entries for GID 124 are as follows:

    124 || 1 || smtp: Attempted command buffer overflow
    124 || 2 || smtp: Attempted data header buffer overflow
    124 || 3 || smtp: Attempted response buffer overflow
    124 || 4 || smtp: Attempted specific command buffer overflow
    124 || 5 || smtp: Unknown command
    124 || 6 || smtp: Illegal command
    124 || 7 || smtp: Attempted header name buffer overflow
    124 || 8 || smtp: Attempted X-Link2State command buffer overflow
    124 || 3 || smtp: No memory available for decoding. Max Mime Mem exceeded.
    124 || 4 || smtp: Base64 Decoding failed
    124 || 5 || smtp: Quoted-Printable Decoding failed
    124 || 6 || smtp: 7bit/8bit/binary/text Extraction failed

Notice the duplicate entries for SID 3, 4, 5, and 6.

In smtp_log.h the GID-SIDs are defined as follows:

    /* Events for SMTP */
    #define SMTP_COMMAND_OVERFLOW 1
    #define SMTP_DATA_HDR_OVERFLOW 2
    #define SMTP_RESPONSE_OVERFLOW 3
    #define SMTP_SPECIFIC_CMD_OVERFLOW 4
    #define SMTP_UNKNOWN_CMD 5
    #define SMTP_ILLEGAL_CMD 6
    #define SMTP_HEADER_NAME_OVERFLOW 7
    #define SMTP_XLINK2STATE_OVERFLOW 8
    #define SMTP_DECODE_MEMCAP_EXCEEDED 9
    #define SMTP_B64_DECODING_FAILED 10
    #define SMTP_QP_DECODING_FAILED 11
    #define SMTP_BITENC_DECODING_FAILED 12
    #define SMTP_UU_DECODING_FAILED 13

The correct entries for gen-msg.map should be:

    124 || 1 || smtp: Attempted command buffer overflow
    124 || 2 || smtp: Attempted data header buffer overflow
    124 || 3 || smtp: Attempted response buffer overflow
    124 || 4 || smtp: Attempted specific command buffer overflow
    124 || 5 || smtp: Unknown command
    124 || 6 || smtp: Illegal command
    124 || 7 || smtp: Attempted header name buffer overflow
    124 || 8 || smtp: Attempted X-Link2State command buffer overflow
    124 || 9 || smtp: No memory available for decoding. Max Mime Mem exceeded.
    124 || 10 || smtp: Base64 Decoding failed
    124 || 11 || smtp: Quoted-Printable Decoding failed
    124 || 12 || smtp: 7bit/8bit/binary/text Extraction failed
    124 || 13 || smtp: Unix-to-Unix Decoding failed

Thanks,
Eric Olsen
ericjolsen () gmail com
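A script that performs the check described in the post above, as an added example (not code from the post or from the Snort project): it parses gen-msg.map-style lines, reports (GID, SID) keys that carry more than one message, and compares the SIDs present for one GID against the event IDs #defined in a preprocessor header. The sample map and header text are constructed from the entries quoted in the post, trimmed to a few lines.

```python
"""Detect duplicate (GID, SID) keys in a Snort gen-msg.map and find event IDs
that a preprocessor header defines but the map lacks.  Added example; the
sample inputs are constructed from the entries quoted in the mailing-list post."""
import re
from collections import defaultdict

# Constructed sample: part of the GID 124 block as shipped in snort-2.9.1.1.
SAMPLE_GEN_MSG_MAP = """\
# gid || sid || message
124 || 1 || smtp: Attempted command buffer overflow
124 || 2 || smtp: Attempted data header buffer overflow
124 || 3 || smtp: Attempted response buffer overflow
124 || 3 || smtp: No memory available for decoding. Max Mime Mem exceeded.
124 || 4 || smtp: Attempted specific command buffer overflow
124 || 4 || smtp: Base64 Decoding failed
"""

# Constructed sample: part of the event ID block from smtp_log.h.
SAMPLE_SMTP_LOG_H = """\
/* Events for SMTP */
#define SMTP_COMMAND_OVERFLOW 1
#define SMTP_DATA_HDR_OVERFLOW 2
#define SMTP_RESPONSE_OVERFLOW 3
#define SMTP_SPECIFIC_CMD_OVERFLOW 4
#define SMTP_DECODE_MEMCAP_EXCEEDED 9
#define SMTP_B64_DECODING_FAILED 10
"""

def parse_gen_msg_map(text):
    """Return {(gid, sid): [messages]}; a duplicate key keeps every message."""
    entries = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        gid, sid, msg = (f.strip() for f in line.split("||", 2))
        entries[(int(gid), int(sid))].append(msg)
    return entries

def duplicate_keys(entries):
    """(gid, sid) keys that map to more than one message text."""
    return sorted(k for k, msgs in entries.items() if len(msgs) > 1)

def parse_event_defines(text, prefix):
    """Map '#define NAME N' lines whose NAME starts with prefix to {NAME: N}."""
    pat = re.compile(r"^\s*#define\s+(%s\w+)\s+(\d+)" % re.escape(prefix), re.M)
    return {name: int(num) for name, num in pat.findall(text)}

def missing_sids(entries, gid, defines):
    """Event IDs defined in the header that have no gen-msg.map entry under gid."""
    present = {sid for g, sid in entries if g == gid}
    return sorted(set(defines.values()) - present)
```

Run against the real files by reading gen-msg.map and smtp_log.h into the two functions; SIDs 3 and 4 come back as duplicates and 9 and 10 as missing for the sample above.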
Current thread:
- gen-msg.map duplicate entries Eric Olsen (Oct 07)
- Re: gen-msg.map duplicate entries Ryan Jordan (Oct 07)