Snort mailing list archives
Re: stuck with google is your friend time only
From: Crusty Saint <saintcrusty () gmail com>
Date: Thu, 31 Mar 2011 18:50:25 +0200
Hi Nigel,

Thanks for the reply. I'm no native English speaker ... what's a stub file? *blush*

2011/3/31 Nigel Houghton <nhoughton () sourcefire com>

> On Thu, 31 Mar 2011 18:17:38 +0200, Crusty Saint wrote:
>
> > So what do I make of
> >
> > Encoded Rule Plugin SID: 17741, GID: 3 not registered properly. Disabling this rule.
> > Encoded Rule Plugin SID: 13475, GID: 3 not registered properly. Disabling this rule.
> > Encoded Rule Plugin SID: 15450, GID: 3 not registered properly. Disabling this rule.
> > Encoded Rule Plugin SID: 14255, GID: 3 not registered properly. Disabling this rule.
> > Encoded Rule Plugin SID: 16800, GID: 3 not registered properly. Disabling this rule.
> > Encoded Rule Plugin SID: 15529, GID: 3 not registered properly. Disabling this rule.
> > Encoded Rule Plugin SID: 16645, GID: 3 not registered properly. Disabling this rule.
> > Encoded Rule Plugin SID: 16503, GID: 3 not registered properly. Disabling this rule.
> > Encoded Rule Plugin SID: 13974, GID: 3 not registered properly. Disabling this rule.
> > Encoded Rule Plugin SID: 15327, GID: 3 not registered properly. Disabling this rule.
> > Encoded Rule Plugin SID: 18231, GID: 3 not registered properly. Disabling this rule.
> > Encoded Rule Plugin SID: 18215, GID: 3 not registered properly. Disabling this rule.
> > Encoded Rule Plugin SID: 18206, GID: 3 not registered properly. Disabling this rule.
> > .......
> >
> > This is not amusing. I could not easily find a reason why this happens and what the impact is on Snort performance, accuracy etc.
> >
> > Then followed by many flowbit messages:
> >
> > Warning: flowbits key 'BrAin_Wiper_Chat' is set but not ever checked.
> > Warning: flowbits key 'asp.upload' is set but not ever checked.
> > Warning: flowbits key 'http.asx' is set but not ever checked.
> > Warning: flowbits key 'Netspy_Command_Pattern' is set but not ever checked.
> > ........
> > 361 out of 1024 flowbits in use.
> >
> > Which I do not consider to be too bad.
> >
> > Thanks
>
> It means that you have loaded shared object rules (probably from a directory) and you have not loaded the rule stub files to go with them. The rule stubs are the ones that actually enable the shared object rules themselves.
>
> As for the flowbits set but not checked message, you are correct, this isn't too bad. Just a warning that you are using rule(s) unnecessarily. If you disable the rule(s) that set those flowbits or if you enable the rule(s) that use those flowbits, the messages will go away.
>
> A more serious message you should pay attention to is the "flowbit <blah> checked but not set" message, which means you are using a rule that requires a flowbit from another rule and the other rule is not enabled. In order to perform the detection you want, you would need to enable the rule(s) that set that flowbit.
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT Department of Intelligence Excellence
> http://vrt-blog.snort.org/ && http://labs.snort.org/

--
- - - Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting -
If you think I deserve a rant, write me off-list
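Nigel's distinction above (set-but-never-checked is harmless noise, checked-but-never-set means a rule whose detection can never fire) can be audited over a rules file before Snort is started, and the report names the SIDs to enable or disable. This is an added example, not code from the thread or from the Snort project; it assumes Snort 2.x `flowbits:<op>,<bit>;` syntax and runs over constructed sample rules.

```python
import re

# Constructed sample rules (not from the thread). One bit is set but never checked,
# one is checked but its only setter is commented out (disabled), one is balanced.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"http asx"; content:".asx"; flowbits:set,http.asx; flowbits:noalert; sid:1000001;)
alert tcp any any -> any 21 (msg:"ftp user"; content:"USER"; flowbits:set,ftp.user; flowbits:noalert; sid:1000002;)
alert tcp any any -> any 21 (msg:"ftp pass after user"; flowbits:isset,ftp.user; content:"PASS"; sid:1000003;)
alert tcp any any -> any 80 (msg:"needs bit"; flowbits:isset,evil.bit; content:"X"; sid:1000004;)
# alert tcp any any -> any 80 (msg:"disabled setter"; flowbits:set,evil.bit; sid:1000005;)
"""

# flowbits:<op>[,<bit>[,<group>]];  several bits may be combined with & or |
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*(\w+)\s*(?:,\s*([^;,]+))?(?:,[^;]*)?;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')
SET_OPS = {"set", "setx", "toggle"}   # ops that make a bit available to other rules
CHECK_OPS = {"isset", "isnotset"}     # ops that depend on another rule having set it


def audit_flowbits(rule_text):
    """Return (set_never_checked, checked_never_set); each maps bit -> sorted SIDs."""
    setters, checkers = {}, {}
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # disabled rules never load
            continue
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        for op, bits in FLOWBITS_RE.findall(line):
            if op in SET_OPS:
                target = setters
            elif op in CHECK_OPS:
                target = checkers
            else:                              # noalert, unset, reset: neither provide nor consume
                continue
            for name in re.split(r"[&|]", bits):
                if name.strip():
                    target.setdefault(name.strip(), set()).add(sid)
    set_never_checked = {b: sorted(s) for b, s in setters.items() if b not in checkers}
    checked_never_set = {b: sorted(s) for b, s in checkers.items() if b not in setters}
    return set_never_checked, checked_never_set


if __name__ == "__main__":
    unused, broken = audit_flowbits(SAMPLE_RULES)
    for bit, sids in unused.items():
        print(f"set but never checked: {bit} (set by sid {sids}); the setter is wasted work")
    for bit, sids in broken.items():
        print(f"checked but never set: {bit} (needed by sid {sids}); enable a rule that sets it")
```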