Snort mailing list archives

Re: Flowbits set to isset


From: "Patrick Mullen (pamullen) via Snort-users" <snort-users () lists snort org>
Date: Wed, 13 Jun 2018 17:38:28 +0000

Gerry,

file.cur is checked in sid 23499 and set in sids 23496, 23497, and 23498.  If you have any of the sids 23496-23498 
enabled but not 23499, you will get the warning that you are checking flowbit state without having any rules enabled 
that could set it.

Replacing all instances of "set" to "isset", in other words, from actually setting the flowbit to checking the flowbit, 
will of course result in a warning that a flowbit is checked but never set since you made all rules no longer set the 
flowbit.  Yes, "isset" is another check of flowbit state along with "isnotset", so those would also require a rule that 
could potentially set the flowbit to be enabled to not get that warning.


Thanks,

~Patrick


From: Gerry Carpinetti <carpinetti.gerry () outlook com>
Date: Tuesday, June 12, 2018 at 10:02 PM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Flowbits set to isset

I did some reading on flowbit warnings and how to fix them but after the changes I still receive the warnings. I used 
Notepad++ to open a rules file, then used Search -> Find In Files, selected the C:\Snort\rules folder, then entered 
"flowbits:set" into the Find What box. I replaced all flowbits:set to flowbits:isset.

No matter which .rules file I open and search for flowbits:set has been replaced with isset but yet I still get the 
WARNING: flowbits key 'file.cur' is checked but not ever set, as an example. Even if I do a direct search within the 
file-indentify.rules for flowbits:set none exist.

Does this warning have to do with the flowbits:isnotset??
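
The flowbit pairing discussed in this thread, as an added example that is not part of either message and is not Snort's own code: a Python check that lists flowbit keys some enabled rule checks while no enabled rule can set them. The function names are hypothetical, lines starting with `#` are assumed to be disabled rules, and the rule bodies are constructed stand-ins that reuse only the sids and the `file.cur` key named above.

```python
import re

# One flowbits option, e.g. "flowbits:set,file.cur;" or "flowbits:noalert;"
FLOWBITS = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;,]+))?")
SID = re.compile(r"\bsid\s*:\s*(\d+)")
SETTERS = {"set", "setx", "toggle"}   # operations that can turn a bit on
CHECKERS = {"isset", "isnotset"}      # operations that only read bit state

def flowbit_usage(rules_text):
    """Map each flowbit key to the sids that set it and the sids that check it."""
    setters, checkers = {}, {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # commented-out rules are not loaded
            continue
        m = SID.search(line)
        sid = int(m.group(1)) if m else None
        for op, names in FLOWBITS.findall(line):
            table = setters if op in SETTERS else checkers if op in CHECKERS else None
            if table is None or not names:     # noalert, unset, reset: neither role
                continue
            for key in re.split(r"[&|]", names):   # "a&b" / "a|b" name several bits
                table.setdefault(key.strip(), set()).add(sid)
    return setters, checkers

def checked_but_never_set(rules_text):
    """Keys that some enabled rule checks while no enabled rule can set them."""
    setters, checkers = flowbit_usage(rules_text)
    return {k: sorted(v) for k, v in checkers.items() if k not in setters}

# Constructed sample: simplified stand-ins for sids 23496-23499, not the real rule bodies.
RULE = 'alert tcp any any -> any any (msg:"constructed"; flowbits:%s,file.cur; %ssid:%d;)'
SAMPLE = "\n".join(
    [RULE % ("set", "flowbits:noalert; ", sid) for sid in (23496, 23497, 23498)]
    + [RULE % ("isset", "", 23499)]
)
# The bulk find-and-replace from the original question.
EDITED = SAMPLE.replace("flowbits:set", "flowbits:isset")

if __name__ == "__main__":
    for label, text in (("original", SAMPLE), ("after replace", EDITED)):
        print(label, checked_but_never_set(text))
```

Run against the untouched sample it reports nothing; after the replace, every rule checks `file.cur` and none sets it, which is the condition the warning describes.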