Snort mailing list archives

gen-msg.map duplicate entries


From: Eric Olsen <ericjolsen () gmail com>
Date: Fri, 7 Oct 2011 10:13:55 -0500

I'm noticing that in the gen-msg.map file included with the
snort-2.9.1.1 source there are duplicate entries for GID 124 SMTP
preprocessor rules.  Correct me if I'm wrong here.

In the gen-msg.map file the entries for GID 124 are as follows:

124 || 1 || smtp: Attempted command buffer overflow
124 || 2 || smtp: Attempted data header buffer overflow
124 || 3 || smtp: Attempted response buffer overflow
124 || 4 || smtp: Attempted specific command buffer overflow
124 || 5 || smtp: Unknown command
124 || 6 || smtp: Illegal command
124 || 7 || smtp: Attempted header name buffer overflow
124 || 8 || smtp: Attempted X-Link2State command buffer overflow
124 || 3 || smtp: No memory available for decoding. Max Mime Mem exceeded.
124 || 4 || smtp: Base64 Decoding failed
124 || 5 || smtp: Quoted-Printable Decoding failed
124 || 6 || smtp: 7bit/8bit/binary/text Extraction failed

Notice the duplicate entries for SIDs 3, 4, 5, and 6.

In smtp_log.h the GID-SID's are defined as follows:

/* Events for SMTP */
#define SMTP_COMMAND_OVERFLOW       1
#define SMTP_DATA_HDR_OVERFLOW      2
#define SMTP_RESPONSE_OVERFLOW      3
#define SMTP_SPECIFIC_CMD_OVERFLOW  4
#define SMTP_UNKNOWN_CMD            5
#define SMTP_ILLEGAL_CMD            6
#define SMTP_HEADER_NAME_OVERFLOW   7
#define SMTP_XLINK2STATE_OVERFLOW   8
#define SMTP_DECODE_MEMCAP_EXCEEDED 9
#define SMTP_B64_DECODING_FAILED    10
#define SMTP_QP_DECODING_FAILED     11
#define SMTP_BITENC_DECODING_FAILED 12
#define SMTP_UU_DECODING_FAILED     13

The correct entries for gen-msg.map should be:

124 || 1 || smtp: Attempted command buffer overflow
124 || 2 || smtp: Attempted data header buffer overflow
124 || 3 || smtp: Attempted response buffer overflow
124 || 4 || smtp: Attempted specific command buffer overflow
124 || 5 || smtp: Unknown command
124 || 6 || smtp: Illegal command
124 || 7 || smtp: Attempted header name buffer overflow
124 || 8 || smtp: Attempted X-Link2State command buffer overflow
124 || 9 || smtp: No memory available for decoding. Max Mime Mem exceeded.
124 || 10 || smtp: Base64 Decoding failed
124 || 11 || smtp: Quoted-Printable Decoding failed
124 || 12 || smtp: 7bit/8bit/binary/text Extraction failed
124 || 13 || smtp: Unix-to-Unix Decoding failed

Thanks,

Eric Olsen
ericjolsen () gmail com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
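The problem described in the post is easy to catch mechanically. Below is an added example (not code from the post, and not part of Snort itself) that parses the `gid || sid || message` lines of a gen-msg.map file, reports any (GID, SID) pair that appears more than once, and cross-checks the SIDs present for GID 124 against the `#define` values in smtp_log.h. The two map samples and the header sample are constructed inline from the lines quoted in the post; the function names and the assumption that the map consumer keys entries on (GID, SID) are mine, not Snort's.

```python
import re
from collections import defaultdict

# Constructed from the post: the GID 124 block as shipped (duplicate SIDs 3-6).
MAP_AS_SHIPPED = """\
124 || 1 || smtp: Attempted command buffer overflow
124 || 2 || smtp: Attempted data header buffer overflow
124 || 3 || smtp: Attempted response buffer overflow
124 || 4 || smtp: Attempted specific command buffer overflow
124 || 5 || smtp: Unknown command
124 || 6 || smtp: Illegal command
124 || 7 || smtp: Attempted header name buffer overflow
124 || 8 || smtp: Attempted X-Link2State command buffer overflow
124 || 3 || smtp: No memory available for decoding. Max Mime Mem exceeded.
124 || 4 || smtp: Base64 Decoding failed
124 || 5 || smtp: Quoted-Printable Decoding failed
124 || 6 || smtp: 7bit/8bit/binary/text Extraction failed
"""

# Constructed from the post: the corrected block, SIDs 9-13 as in smtp_log.h.
MAP_CORRECTED = MAP_AS_SHIPPED.splitlines(keepends=True)[:8]
MAP_CORRECTED = "".join(MAP_CORRECTED) + """\
124 || 9 || smtp: No memory available for decoding. Max Mime Mem exceeded.
124 || 10 || smtp: Base64 Decoding failed
124 || 11 || smtp: Quoted-Printable Decoding failed
124 || 12 || smtp: 7bit/8bit/binary/text Extraction failed
124 || 13 || smtp: Unix-to-Unix Decoding failed
"""

# Constructed from the post: the event defines quoted from smtp_log.h.
SMTP_LOG_H = """\
/* Events for SMTP */
#define SMTP_COMMAND_OVERFLOW       1
#define SMTP_DATA_HDR_OVERFLOW      2
#define SMTP_RESPONSE_OVERFLOW      3
#define SMTP_SPECIFIC_CMD_OVERFLOW  4
#define SMTP_UNKNOWN_CMD            5
#define SMTP_ILLEGAL_CMD            6
#define SMTP_HEADER_NAME_OVERFLOW   7
#define SMTP_XLINK2STATE_OVERFLOW   8
#define SMTP_DECODE_MEMCAP_EXCEEDED 9
#define SMTP_B64_DECODING_FAILED    10
#define SMTP_QP_DECODING_FAILED     11
#define SMTP_BITENC_DECODING_FAILED 12
#define SMTP_UU_DECODING_FAILED     13
"""

SMTP_GID = 124


def parse_gen_msg_map(text):
    """Return [(gid, sid, message), ...]; blank and '#' comment lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected 'gid || sid || msg', got {raw!r}")
        entries.append((int(parts[0]), int(parts[1]), parts[2]))
    return entries


def find_duplicate_keys(entries):
    """Map each (gid, sid) seen more than once to every message that claims it."""
    by_key = defaultdict(list)
    for gid, sid, msg in entries:
        by_key[(gid, sid)].append(msg)
    return {k: v for k, v in by_key.items() if len(v) > 1}


_DEFINE_RE = re.compile(r"^\s*#define\s+(\w+)\s+(\d+)\s*$", re.MULTILINE)


def parse_event_defines(header_text):
    """Collect NAME -> integer SID from '#define NAME N' lines of a preprocessor header."""
    return {name: int(val) for name, val in _DEFINE_RE.findall(header_text)}


def missing_sids(entries, gid, defines):
    """SIDs the header defines that have no message line for this GID."""
    present = {sid for g, sid, _ in entries if g == gid}
    return sorted(v for v in defines.values() if v not in present)


if __name__ == "__main__":
    defines = parse_event_defines(SMTP_LOG_H)
    for label, text in (("as shipped", MAP_AS_SHIPPED), ("corrected", MAP_CORRECTED)):
        entries = parse_gen_msg_map(text)
        print(f"[{label}] duplicates: {find_duplicate_keys(entries)}")
        print(f"[{label}] SIDs missing for GID {SMTP_GID}: {missing_sids(entries, SMTP_GID, defines)}")
```

Run against the shipped block the script flags (124,3) through (124,6) as doubly defined and lists SIDs 9 through 13 as having no message at all; the corrected block passes both checks. The operational point for anyone consuming these alerts is that a duplicate key means an alert for a MIME decoding failure will either be labelled as a buffer overflow or carry no message, depending on how the consumer resolves the collision, so the check is worth running whenever a new Snort release or rule update replaces gen-msg.map.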
