Snort mailing list archives

Flowbits warnings problem


From: Anna <Anna () sonru com>
Date: Fri, 4 Aug 2017 16:17:25 +0100

Hello,

Snort: 2.9.9.0
PulledPork: 0.7.3

I know this problem came up before, but I have those flowbits warnings:

WARNING: flowbits key 'file.m4v' is set but not ever checked.
WARNING: flowbits key 'smb.trans2.get_dfs_referral' is set but not ever checked.
WARNING: flowbits key 'tivoli.backup' is set but not ever checked.

I am using PulledPork, yet it is still not setting all the flowbits right.

I read the blog post by Joel Esler: http://blog.snort.org/2011/05/resolving-flowbit-dependancies.html

I have a question: how do I set them right manually?

Found the strings that have those flowbits

eg.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V file attachment detected"; flow:to_server,established; content:".m4v"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4v/i"; flowbits:set,file.m4v; flowbits:noalert; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:22980; rev:10;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established; file_data; content:"ftypM4V"; depth:7; offset:4; nocase; flowbits:set,file.m4v; flowbits:noalert; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24818; rev:8;)


Can this be corrected by changing

 flowbits:noalert;

to

flowbits:isset,file.m4v; in this string?

I would like to make sure before I manually change any rule.

Thank you

ANNA
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
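As an added example (not from this thread or from the Snort project), a small Python script that reproduces the check behind these warnings over a rule set: it records which enabled rules set each flowbit and which check it with isset/isnotset, so every bit named in a warning can be traced to the rule that sets it and to the (missing or commented-out) rule that should check it. Sids 22980 and 24818 are the two setters quoted above, trimmed to their flowbits options; the 9000xxx sids and their messages are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample rule file: two setters from the mail (trimmed) plus
# hypothetical rules showing a resolved bit, an unchecked bit (its checker is
# commented out, as a disabled rule would be) and a checker with no setter.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V file attachment detected"; flow:to_server,established; content:".m4v"; flowbits:set,file.m4v; flowbits:noalert; sid:22980; rev:10;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established; file_data; content:"ftypM4V"; depth:7; offset:4; flowbits:set,file.m4v; flowbits:noalert; sid:24818; rev:8;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXAMPLE hypothetical M4V checker"; flowbits:isset,file.m4v; content:"EXAMPLE"; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE hypothetical tivoli setter"; flowbits:set,tivoli.backup; flowbits:noalert; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE disabled tivoli checker"; flowbits:isset,tivoli.backup; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE hypothetical checker without setter"; flowbits:isset,smb.trans2.get_dfs_referral; sid:9000004; rev:1;)
'''

FLOWBITS_RE = re.compile(r'flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]*))?;')
SID_RE = re.compile(r'sid\s*:\s*(\d+)\s*;')
SETTERS = {'set', 'setx', 'toggle'}      # operators that set a bit
CHECKERS = {'isset', 'isnotset'}         # operators that check a bit


def analyse_flowbits(rules_text):
    """Return (set_but_unchecked, checked_but_unset): flowbit name -> sorted sids.
    Only active (uncommented) rules count, which is what Snort warns about."""
    setters, checkers = defaultdict(set), defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid_match = SID_RE.search(line)
        sid = int(sid_match.group(1)) if sid_match else None
        for op, args in FLOWBITS_RE.findall(line):
            op = op.lower()
            if op not in SETTERS | CHECKERS or not args:
                continue                      # noalert/unset/reset: not a dependency
            names = args.split(',')[0]        # drop the optional ",group" argument
            for name in re.split(r'[&|]', names):   # "a&b" / "a|b" name a bit each
                if name.strip():
                    (setters if op in SETTERS else checkers)[name.strip()].add(sid)
    unchecked = {n: sorted(s) for n, s in setters.items() if n not in checkers}
    unset = {n: sorted(s) for n, s in checkers.items() if n not in setters}
    return unchecked, unset


if __name__ == '__main__':
    unchecked, unset = analyse_flowbits(SAMPLE_RULES)
    for name, sids in unchecked.items():   # mirrors Snort's warning wording
        print(f"WARNING: flowbits key '{name}' is set but not ever checked. set by sids {sids}")
    for name, sids in unset.items():
        print(f"WARNING: flowbits key '{name}' is checked but not ever set. checked by sids {sids}")
```

Running it against an enabled rule set shows that file.m4v is resolved once any rule carrying flowbits:isset,file.m4v is enabled; the setter rules themselves need no edit.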