Snort mailing list archives
Re: wrong version of gen-msg.map on labs?
From: Gregory S Thomas <greg.thomas () pnnl gov>
Date: Fri, 18 Jul 2014 17:58:30 -0700
I think that the new http://labs.snort.org/snort/2962/gen-msg.map is still not correct for 2.9.6.2 because it still has the same 6 alerts (120.12 - 120.17) not supported by 2.9.6 and it adds 2 more (137.3 and 137.4):

shell> diff gen-msg.map.2961 gen-msg.map.2962
1c1
< # $Id: gen-msg.map,v 1.131 2014/03/14 17:09:18 eborgoyn Exp $
---
# $Id: gen-msg.map,v 1.132 2014/07/07 16:33:33 bbantwal Exp $
455a456,457
137 || 3 || spp_ssl: Heartbeat Read Overrun Attempt Detected
137 || 4 || spp_ssl: Large Heartbeat Response Detected
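Review bot: the 455a456,457 hunk adds two generator 137 (spp_ssl) messages to a map published for 2.9.6.2, but generator 137 events are defined in src/dynamic-preprocessors/ssl/spp_ssl.h, so before this map is served as the 2.9.6.2 copy it should be checked that the spp_ssl.h shipped in the 2.9.6.2 tarball actually declares SIDs 3 and 4; a map entry for a SID the release never raises only misleads anyone tuning on it. The 1c1 hunk is just CVS $Id$ keyword expansion and carries no content change.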
Definitions for other alerts from generator ID 137 reside in src/dynamic-preprocessors/ssl/spp_ssl.h. Shouldn't http://labs.snort.org/snort/2962/gen-msg.map match the source code for 2.9.6.2?

Thanks,
Greg Thomas

-----Original Message-----
Subject: Re: [Snort-devel] wrong version of gen-msg.map on labs?
Date: Fri, 18 Jul 2014 15:29:54 +0000
From: Joel Esler (jesler) <jesler () cisco com>
To: Gregory S Thomas <greg.thomas () pnnl gov>
CC: snort-devel () lists sourceforge net <snort-devel () lists sourceforge net>

On Jul 17, 2014, at 10:49 PM, Gregory S Thomas <greg.thomas () pnnl gov> wrote:
The version of gen-msg.map in the source tarballs is the same in 2.9.6.0, 2.9.6.1, and 2.9.6.2. The version of gen-msg.map on labs is the same in 2.9.6.0 (http://labs.snort.org/snort/2960/gen-msg.map) and 2.9.6.1 (http://labs.snort.org/snort/2961/gen-msg.map); there is no 2.9.6.2 (http://labs.snort.org/snort/2962/) on labs yet.
This has been corrected. The correct 2.9.6.2 files have been uploaded.
The differences between the source and labs versions are as follows:

shell> diff snort-2.9.6.1/etc/gen-msg.map labs2961/gen-msg.map
1c1
< # $Id$
---
# $Id: gen-msg.map,v 1.131 2014/03/14 17:09:18 eborgoyn Exp $
281a282,287
120 || 12 || http_inspect: SWF FILE ZLIB DECOMPRESSION FAILURE
120 || 13 || http_inspect: SWF FILE LZMA DECOMPRESSION FAILURE
120 || 14 || http_inspect: PDF FILE DEFLATE DECOMPRESSION FAILURE
120 || 15 || http_inspect: PDF FILE UNSUPPORTED COMPRESSION TYPES
120 || 16 || http_inspect: PDF FILE CASCADED COMPRESSION
120 || 17 || http_inspect: PDF FILE PARSE FAILURE

However, the source code does not appear to support any of the 6 alerts added in the gen-msg.map on labs; definitions for other alerts from generator ID 120 reside in src/preprocessors/HttpInspect/include/hi_eo_events.h. Does gen-msg.map on labs need to be replaced with a correct version?
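Review bot: the 281a282,287 hunk appends six generator 120 (http_inspect) entries for SWF and PDF decompression events, while the 2.9.6.1 tarball's own etc/gen-msg.map has none of them and generator 120 events are declared in src/preprocessors/HttpInspect/include/hi_eo_events.h; unless those event IDs are present in that header for 2.9.6.1, the labs copy should be regenerated from the release tarball rather than from a newer development tree. The 1c1 hunk only shows the tarball's unexpanded $Id$ keyword against the labs copy's expanded one and can be ignored.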
This is a 2.9.7.0 feature. (SWF and PDF decompression). Sorry about that.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
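The check Greg does by hand with diff above, written out as an added example that is not part of this thread or of the Snort project: parse two gen-msg.map files into (gid, sid) keyed entries, diff them while ignoring the CVS $Id$ header that makes every 1c1 hunk in the thread, and flag entries whose generator is known but whose SID the preprocessor source does not define. The sample maps are constructed excerpts built from the entries quoted in the thread, and the SUPPORTED sets are assumed stand-ins for what you would extract from spp_ssl.h and hi_eo_events.h, not the real contents of those headers.

```python
"""Audit a Snort gen-msg.map against a previous version and a source tree.

Added example, not Snort project code. Sample data below is constructed
from the entries quoted in the thread; the SUPPORTED SID sets are assumed
placeholders, not the real contents of spp_ssl.h or hi_eo_events.h.
"""
from typing import Dict, List, Set, Tuple

Key = Tuple[int, int]  # (generator id, signature id)


def parse_gen_msg_map(text: str) -> Dict[Key, str]:
    """Parse 'gid || sid || message' lines into {(gid, sid): message}.

    Blank lines and '#' comments are skipped, which includes the CVS $Id$
    header, so two maps that differ only in that header parse as equal.
    Duplicate gid:sid pairs are rejected because Snort would silently keep
    one of the two messages.
    """
    entries: Dict[Key, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'gid || sid || message', got {raw!r}")
        try:
            key = (int(fields[0]), int(fields[1]))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: non-numeric gid/sid in {raw!r}") from exc
        if key in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {key[0]}:{key[1]}")
        entries[key] = " || ".join(fields[2:])  # keep any extra fields verbatim
    return entries


def diff_maps(old: Dict[Key, str], new: Dict[Key, str]):
    """Return (added, removed, changed) keyed by (gid, sid); line order is irrelevant."""
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return added, removed, changed


def unsupported_entries(entries: Dict[Key, str],
                        supported: Dict[int, Set[int]]) -> List[Key]:
    """Entries whose generator is listed in `supported` but whose SID is not.

    `supported` maps gid -> SIDs the preprocessor source actually raises
    (in practice extracted from the header for that generator). Generators
    that have not been audited are skipped rather than reported.
    """
    return sorted(k for k in entries
                  if k[0] in supported and k[1] not in supported[k[0]])


def audit(old_text: str, new_text: str, supported: Dict[int, Set[int]]):
    """Full check: what changed between versions, and what the source cannot raise."""
    old, new = parse_gen_msg_map(old_text), parse_gen_msg_map(new_text)
    added, removed, changed = diff_maps(old, new)
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "changed": sorted(changed),
        "unsupported": unsupported_entries(new, supported),
    }


# Constructed excerpts (not the full labs files): the $Id$ headers and map
# entries quoted in the thread, plus one made-up 137:1 line common to both.
MAP_2961 = """\
# $Id: gen-msg.map,v 1.131 2014/03/14 17:09:18 eborgoyn Exp $
120 || 12 || http_inspect: SWF FILE ZLIB DECOMPRESSION FAILURE
120 || 13 || http_inspect: SWF FILE LZMA DECOMPRESSION FAILURE
137 || 1 || spp_ssl: (constructed entry present in both versions)
"""

MAP_2962 = """\
# $Id: gen-msg.map,v 1.132 2014/07/07 16:33:33 bbantwal Exp $
120 || 12 || http_inspect: SWF FILE ZLIB DECOMPRESSION FAILURE
120 || 13 || http_inspect: SWF FILE LZMA DECOMPRESSION FAILURE
137 || 1 || spp_ssl: (constructed entry present in both versions)
137 || 3 || spp_ssl: Heartbeat Read Overrun Attempt Detected
137 || 4 || spp_ssl: Large Heartbeat Response Detected
"""

# Assumed placeholder SID sets standing in for what the 2.9.6.x headers
# define; replace with values extracted from hi_eo_events.h and spp_ssl.h.
SUPPORTED: Dict[int, Set[int]] = {120: set(range(1, 12)), 137: {1, 2}}

if __name__ == "__main__":
    for name, keys in audit(MAP_2961, MAP_2962, SUPPORTED).items():
        print(f"{name:12s}", [f"{g}:{s}" for g, s in keys])
```

Keying on (gid, sid) rather than line position is what makes the $Id$ noise disappear and keeps a reordered map from showing up as hundreds of spurious changes; the "unsupported" list is the one that answers the question in the thread, since it only fires for generators you have actually audited against source.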
Current thread:
- wrong version of gen-msg.map on labs? Gregory S Thomas (Jul 17)
- Re: wrong version of gen-msg.map on labs? Joel Esler (jesler) (Jul 17)
- Re: wrong version of gen-msg.map on labs? Joel Esler (jesler) (Jul 18)
- Re: wrong version of gen-msg.map on labs? Gregory S Thomas (Jul 18)