Home page logo
/

snort logo Snort mailing list archives

Signature Description Oddness
From: "Starner, Mark" <mark.starner () unisys com>
Date: Thu, 6 Feb 2014 09:42:51 -0600

When I upgraded some of my sensors to 2.9.6.0, I saw some weird stuff in my
Base Signature Table

 

I two different sig_name's for the same signatures (in about 6 case). I'll
detail one instance.

Gid: 142, sid: 6

One Description is: pop: 7bit/8bit/binary/text Extraction failed

The other Description is: pop: Non-Encoded MIME attachment Extraction failed

 

So I looked at the gen-msg.map on the various systems/versions.

2.9.5.5 shipped with:  142 || 6 || pop: Non-Encoded MIME attachment
Extraction failed

2.9.6.0 shipped with:  142 || 6 || pop: Non-Encoded MIME attachment
Extraction failed

 

That's fine, no change between versions.

 

But when I look in the rules tarballs, the following are in those
gen-msg.map files

2.9.5.5 tarball: 142 || 6 || pop: 7bit/8bit/binary/text Extraction failed

2.9.6.0 tarball: 142 || 6 || pop: 7bit/8bit/binary/text Extraction failed

 

So the tarball is shipping with different descriptions for some of the
preprocessor rules.

 

So which description is correct? I would have thought if the description
was:

pop: Non-Encoded MIME attachment Extraction failed

in 2.9.5.5, and then it changed to:

pop: 7bit/8bit/binary/text Extraction failed

and was therefore changed in the tarball, then shouldn't 2.9.6.0's release
have reflected this change?

 

Or are the files in the tarball never pulled forward to a new release?

 

Just want to make sure I know which description is the right one. I am
guessing the one in the tarball, just need confirmation.

 

Thanks

Mark

 

 


  



Mark Starner  | Global Infrastructure - Systems  |  Unisys IT


Unisys  |  443-921-0355 

 
<file:///C:\Users\starneml\AppData\Roaming\Microsoft\Signatures\Required_Ima
ges\Unisys_Logo.gif> 



THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers. 

        

 

 

Attachment: smime.p7s
Description:

------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault