Home page logo
/

snort logo Snort mailing list archives

Re: Minor corrections to the 2.9.0.2 manual
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 17 Dec 2010 17:56:40 -0500

Should be next week.  Check out the most recent blog entry. 

Blog.snort.org


Sent from my iPhone

On Dec 17, 2010, at 5:28 PM, <Joshua.Kinard () us-cert gov> wrote:


Hi Ryan,

Thanks for the clarification.  That makes sense.  The PDF not getting regenerated threw me off there.

No rush on trying to get these into 2.9.0.2.  I'm just trying to help bring the little things like this to the 
surface so they can be picked up in a future release.  The holidays always add to the busy schedules we have.

Thanks!,

--J 

-----Original Message-----
From: Ryan Jordan [mailto:ryan.jordan () sourcefire com] 
Sent: Thursday, December 16, 2010 4:12 PM
To: Kinard, Joshua A
Cc: snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] Minor corrections to the 2.9.0.2 manual

Hi Josh,

Sorry for the delayed response, it's been one of those weeks.

First of all, it looks like I didn't re-generate the PDF when we released Snort 2.9.0.2. This has been rectified for 
the 2.9.0.3 release. The PDF also gets generated as part of the RPM build process, so the PDF included there should 
match the latex file.

Regarding the use of ssl_state, consider the following rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $SSL_PORTS (msg:"SSL client hello OR client key exchange"; 
ssl_state:client_hello,client_keyx;
gid:1; sid:1000000;)

This rule would fire on every packet during the "client_hello" and "client_keyx" states. By looking at the alert, you 
don't know which state actually triggered the rule. Maybe the session never got to the client_keyx state?

By splitting the ssl_state options into multiple rules, you can be more specific about which state triggered the rule 
option. That appears to be the point that the documentation is trying to make.

The rest of your changes look good. While it's too late for me to squeeze them into Snort 2.9.0.3, we've created a 
bug report to get them into the release after that.

Thanks,
Ryan

On Mon, Dec 13, 2010 at 7:46 PM,  <Joshua.Kinard () us-cert gov> wrote:

Hi snort-devel,

Noticed some additional errors in the Snort-2.9.0.2 manual for 
ssl_state and ssl_version.  However, the LaTeX source in the 2.9.0.2 
distribution does not match the actual rendered PDF that is included.  
The PDF's rendering date (06/23/2010) is also mismatched versus 
2.9.0.1's copy (10/08/2010).  So, I'm uncertain which LaTeX source I 
should use to diff a patch against.  Since they're minor corrections, 
I'll just list them here instead:

snort-2.9.0.2/doc/snort_manual.pdf, page 79, ssl_version block:

"To check for two SSL versions in use simultaneously, multiple ssl 
version rule options should be used."
Change to (added "or more", added underscore) "To check for two or 
more SSL versions in use simultaneously, multiple ssl_version rule 
options should be used."


snort-2.9.0.2/doc/snort_manual.pdf, page 80, ssl_version example:

- Remove space after delimiting colon.
- Add semi-colon after rule option examples.


snort-2.9.0.2/doc/snort_manual.pdf, page 80, ssl_state block:

"To ensure the connection is reached each of a set of states, multiple 
ssl state rule options should be used."
Change to (changed "is" to "has", added underscore) "To ensure the 
connection has reached each of a set of states, multiple ssl_state 
rule options should be used."


snort-2.9.0.2/doc/snort_manual.pdf, page 80, ssl_state example:

- Remove space after delimiting colon.
- Add semi-colon after rule option examples.



Of note, the LaTeX source for the 2.9.0.2 manual, for ssl_state's 
description, states the following (instead of the original sentence 
corrected above):

"To ensure the connection has reached each of a set of states, 
multiple rules using the ssl_state rule option should be used."

This conflicts with the rendered PDF, which says to use multiple rule 
options, NOT multiple rules.  The CVS copy reflects the LaTeX source, 
so I'm uncertain of which is the correct usage of this option.  
Multiple rules, each with a maximum of ONE ssl_state rule option, or a 
single rule with MULTIPLE ssl_state options?

Thanks,

--J

----------------------------------------------------------------------
--------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how to connect the dots, 
take your collaborative environment to the next level, and enter the 
era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel


------------------------------------------------------------------------------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how
to connect the dots, take your collaborative environment
to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

------------------------------------------------------------------------------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how
to connect the dots, take your collaborative environment
to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]