Snort mailing list archives

Re: wrong version of gen-msg.map on labs?


From: Gregory S Thomas <greg.thomas () pnnl gov>
Date: Fri, 18 Jul 2014 17:58:30 -0700

I think that the new http://labs.snort.org/snort/2962/gen-msg.map is still not correct for 2.9.6.2 because it still has 
the same 6 alerts (120.12 - 120.17) not supported by 2.9.6 and it adds 2 more (137.3 and 137.4):

shell> diff gen-msg.map.2961 gen-msg.map.2962
1c1
< # $Id: gen-msg.map,v 1.131 2014/03/14 17:09:18 eborgoyn Exp $
---
> # $Id: gen-msg.map,v 1.132 2014/07/07 16:33:33 bbantwal Exp $
455a456,457
> 137 || 3 || spp_ssl: Heartbeat Read Overrun Attempt Detected
> 137 || 4 || spp_ssl: Large Heartbeat Response Detected

Definitions for other alerts from generator ID 137 reside in src/dynamic-preprocessors/ssl/spp_ssl.h.
Shouldn't http://labs.snort.org/snort/2962/gen-msg.map match the source code for 2.9.6.2?

Thanks,

Greg Thomas

-----Original Message-----
Subject:        Re: [Snort-devel] wrong version of gen-msg.map on labs?
Date:   Fri, 18 Jul 2014 15:29:54 +0000
From:   Joel Esler (jesler) <jesler () cisco com>
To:     Gregory S Thomas <greg.thomas () pnnl gov>
CC:     snort-devel () lists sourceforge net <snort-devel () lists sourceforge net>

On Jul 17, 2014, at 10:49 PM, Gregory S Thomas <greg.thomas () pnnl gov> wrote:

The version of gen-msg.map in the source tarballs is the same in 2.9.6.0, 2.9.6.1, and 2.9.6.2.  The version of 
gen-msg.map on labs is the same in 2.9.6.0 (http://labs.snort.org/snort/2960/gen-msg.map) and 2.9.6.1 
(http://labs.snort.org/snort/2961/gen-msg.map); there is no 2.9.6.2 (http://labs.snort.org/snort/2962/) on labs yet.

This has been corrected.  The correct 2.9.6.2 files have been uploaded.


The differences between the source and labs versions are as follows:

shell> diff snort-2.9.6.1/etc/gen-msg.map labs2961/gen-msg.map
1c1
< # $Id$
---
> # $Id: gen-msg.map,v 1.131 2014/03/14 17:09:18 eborgoyn Exp $
281a282,287
> 120 || 12 || http_inspect: SWF FILE ZLIB DECOMPRESSION FAILURE
> 120 || 13 || http_inspect: SWF FILE LZMA DECOMPRESSION FAILURE
> 120 || 14 || http_inspect: PDF FILE DEFLATE DECOMPRESSION FAILURE
> 120 || 15 || http_inspect: PDF FILE UNSUPPORTED COMPRESSION TYPES
> 120 || 16 || http_inspect: PDF FILE CASCADED COMPRESSION
> 120 || 17 || http_inspect: PDF FILE PARSE FAILURE

However, the source code does not appear to support any of the 6 alerts added in the gen-msg.map on labs; definitions 
for other alerts from generator ID 120 reside in src/preprocessors/HttpInspect/include/hi_eo_events.h. Does 
gen-msg.map on labs need to be replaced with a correct version?

This is a 2.9.7.0 feature (SWF and PDF decompression). Sorry about that.

--
*Joel Esler*
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
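The thread above compares gen-msg.map versions by hand with diff and then checks, by reading the preprocessor headers, whether each generator's event ids actually exist in the release being run. The script below is an added example (not code from the Snort project or from either poster) that does the same two steps in a repeatable way: it parses the `gid || sid || message` format, reports entries added, removed or changed between two map versions, and flags entries whose sid is not in an allow-list of ids known to be emitted by that generator. The sample map contents are constructed from the entries quoted in the thread plus one labelled filler entry; the `SUPPORTED_296` table is an assumed, constructed allow-list standing in for what a maintainer would extract from hi_eo_events.h and spp_ssl.h, not the real contents of those headers.

```python
"""Parse and compare Snort gen-msg.map files (format: gid || sid || message)."""
import re
from typing import Dict, List, Set, Tuple

Key = Tuple[int, int]  # (generator id, signature id)

# One entry per line: integer gid, "||", integer sid, "||", free-text message.
LINE_RE = re.compile(r"^\s*(\d+)\s*\|\|\s*(\d+)\s*\|\|\s*(.*?)\s*$")


def parse_gen_msg_map(text: str) -> Dict[Key, str]:
    """Return {(gid, sid): message}. Blank and '#' comment lines are skipped;
    any other line that is not three '||'-separated fields raises ValueError,
    as does a duplicate (gid, sid) pair."""
    entries: Dict[Key, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed gen-msg.map entry: {raw!r}")
        key = (int(m.group(1)), int(m.group(2)))
        if key in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {key[0]}:{key[1]}")
        entries[key] = m.group(3)
    return entries


def diff_maps(old: Dict[Key, str], new: Dict[Key, str]):
    """Return (added, removed, changed) between two parsed maps, keyed by (gid, sid).
    'changed' holds (old_message, new_message) pairs for keys present in both."""
    added = {k: v for k, v in new.items() if k not in old}
    removed = {k: v for k, v in old.items() if k not in new}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return added, removed, changed


def unsupported_entries(entries: Dict[Key, str], supported: Dict[int, Set[int]]) -> List[Key]:
    """Keys whose gid appears in `supported` but whose sid is not in that gid's set.
    Generators absent from `supported` are not judged at all."""
    return sorted(k for k in entries if k[0] in supported and k[1] not in supported[k[0]])


# Constructed sample: a cut-down "2.9.6.1" map and a cut-down "2.9.6.2" map,
# built from the entries quoted in the thread plus one filler entry (gid 999).
GEN_MSG_2961 = """\
# $Id: gen-msg.map,v 1.131 2014/03/14 17:09:18 eborgoyn Exp $
120 || 12 || http_inspect: SWF FILE ZLIB DECOMPRESSION FAILURE
120 || 13 || http_inspect: SWF FILE LZMA DECOMPRESSION FAILURE
999 || 1 || constructed: entry present only in the older file
"""

GEN_MSG_2962 = """\
# $Id: gen-msg.map,v 1.132 2014/07/07 16:33:33 bbantwal Exp $
120 || 12 || http_inspect: SWF FILE ZLIB DECOMPRESSION FAILURE
120 || 13 || http_inspect: SWF FILE LZMA DECOMPRESSION FAILURE
137 || 3 || spp_ssl: Heartbeat Read Overrun Attempt Detected
137 || 4 || spp_ssl: Large Heartbeat Response Detected
"""

# Constructed, assumed allow-list: which sids each generator is taken to emit in
# the 2.9.6 line. In practice this would be extracted from the preprocessor
# headers (hi_eo_events.h for gid 120, spp_ssl.h for gid 137).
SUPPORTED_296: Dict[int, Set[int]] = {120: set(range(1, 12)), 137: {1, 2}}


def report() -> Dict[str, List[Key]]:
    """Parse both sample maps, diff them, and list entries the assumed allow-list rejects."""
    old = parse_gen_msg_map(GEN_MSG_2961)
    new = parse_gen_msg_map(GEN_MSG_2962)
    added, removed, changed = diff_maps(old, new)
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "changed": sorted(changed),
        "unsupported_in_new": unsupported_entries(new, SUPPORTED_296),
    }


if __name__ == "__main__":
    for name, keys in report().items():
        print(f"{name}: {keys}")
```

Run against a full pair of map files (read them with `open(...).read()` in place of the sample strings) the diff part reproduces what the thread did by hand, and the allow-list check answers Greg's actual question: an entry that the map lists but the running release never emits is harmless to the sensor, but it means alert consumers that key on gen-msg.map can show event names that cannot occur on that version, so the mismatch is worth flagging in whatever check validates a deployed ruleset.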

