Snort mailing list archives
Re: Flowbits set to isset
From: "Joel Esler \(jesler\) via Snort-users" <snort-users () lists snort org>
Date: Wed, 13 Jun 2018 17:48:40 +0000
Take a look at this blog post as well: https://blog.snort.org/2011/05/resolving-flowbit-dependancies.html

Sent from my iPhone

On Jun 13, 2018, at 13:45, Patrick Mullen (pamullen) via Snort-users <snort-users () lists snort org> wrote:

Gerry,

file.cur is checked in sid 23499 and set in sids 23496, 23497, and 23498. If you have any of the sids 23496-23498 enabled but not 23499, you will get the warning that you are checking flowbit state without having any rules enabled that could set it.

Replacing all instances of "set" with "isset", in other words, from actually setting the flowbit to checking the flowbit, will of course result in a warning that a flowbit is checked but never set, since you made all rules no longer set the flowbit.

Yes, "isset" is another check of flowbit state along with "isnotset", so those would also require a rule that could potentially set the flowbit to be enabled to not get that warning.

Thanks,

~Patrick

From: Gerry Carpinetti <carpinetti.gerry () outlook com>
Date: Tuesday, June 12, 2018 at 10:02 PM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Flowbits set to isset

I did some reading on flowbit warnings and how to fix them, but after the changes I still receive the warnings. I used Notepad++ to open a rules file, then used Search -> Find In Files, selected the C:\Snort\rules folder, then entered "flowbits:set" into the Find What box and replaced all flowbits:set with flowbits:isset. No matter which .rules file I open and search, flowbits:set has been replaced with isset, but yet I still get the WARNING: flowbits key 'file.cur' is checked but not ever set, as an example. Even if I do a direct search within file-identify.rules for flowbits:set, none exist.

Does this warning have to do with the flowbits:isnotset?

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
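The dependency logic Patrick describes (a flowbit checked by an enabled rule must be set by at least one enabled rule, otherwise Snort warns) can be reproduced offline with a small checker, which is useful for auditing a rules directory before reloading Snort. The script below is an added example, not code from the thread, from Snort, or from Talos. It assumes that "set" and "toggle" are the operations that can put a flowbit into the set state, that a rule is disabled when its line starts with "#", and that a name containing "&" or "|" refers to each listed flowbit; the sample rules are constructed placeholders that reuse only the sids named in the thread (23496-23499), not the real rule bodies.

```python
import re
from collections import defaultdict

# Assumption: ops that can leave a flowbit in the set state, and ops that read it.
SETTERS = {"set", "toggle"}
CHECKERS = {"isset", "isnotset"}

FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([a-z]+)(?:\s*,\s*([^;\s]+))?\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# Constructed sample rules modelled on the thread: three rules set file.cur,
# one checks it. Bodies are simplified placeholders, not the real Talos rules.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"set 1"; flowbits:set,file.cur; flowbits:noalert; sid:23496; rev:1;)
alert tcp any any -> any any (msg:"set 2"; flowbits:set,file.cur; flowbits:noalert; sid:23497; rev:1;)
alert tcp any any -> any any (msg:"set 3"; flowbits:set,file.cur; flowbits:noalert; sid:23498; rev:1;)
alert tcp any any -> any any (msg:"check"; flowbits:isset,file.cur; sid:23499; rev:1;)
"""


def parse_rules(text):
    """Return one record per rule line: sid, enabled flag, and its flowbits ops."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        m = SID_RE.search(body)
        if not m:
            continue  # plain comment or non-rule line
        ops = []
        for op, arg in FLOWBITS_RE.findall(body):
            if arg:  # noalert and similar carry no flowbit name
                for name in re.split(r"[&|]", arg):
                    ops.append((op, name))
        rules.append({"sid": int(m.group(1)), "enabled": enabled, "flowbits": ops})
    return rules


def checked_but_never_set(rules):
    """Map flowbit name -> sorted sids that check it, for names no enabled rule sets."""
    setters = defaultdict(set)
    checkers = defaultdict(set)
    for r in rules:
        if not r["enabled"]:
            continue  # disabled rules neither set nor check anything
        for op, name in r["flowbits"]:
            if op in SETTERS:
                setters[name].add(r["sid"])
            elif op in CHECKERS:
                checkers[name].add(r["sid"])
    return {name: sorted(sids) for name, sids in checkers.items() if name not in setters}


def warnings(text):
    """Render the findings in the same wording as the Snort warning from the thread."""
    found = checked_but_never_set(parse_rules(text))
    return [
        f"WARNING: flowbits key '{name}' is checked but not ever set (checked by sids {', '.join(map(str, sids))})"
        for name, sids in sorted(found.items())
    ]


def disable_sids(text, sids):
    """Comment out the rules with the given sids, the way a rule tuning step would."""
    out = []
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) in sids and not line.lstrip().startswith("#"):
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    # Healthy set: every checker has an enabled setter.
    print(warnings(SAMPLE_RULES))
    # Gerry's edit: every "set" turned into "isset", so nothing sets file.cur any more.
    print(warnings(SAMPLE_RULES.replace("flowbits:set", "flowbits:isset")))
    # Setters disabled, checker left enabled: the same warning for a different reason.
    print(warnings(disable_sids(SAMPLE_RULES, {23496, 23497, 23498})))
```

Run it against a real rules directory by concatenating the .rules files into one string; the three cases in the main block correspond to the healthy rule set, the search-and-replace described in the question, and the "setter rules disabled" case from Patrick's reply.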
Current thread:
- Flowbits set to isset Gerry Carpinetti via Snort-users (Jun 13)
- Re: Flowbits set to isset Russ via Snort-users (Jun 13)
- Re: Flowbits set to isset Patrick Mullen (pamullen) via Snort-users (Jun 13)
- Re: Flowbits set to isset Joel Esler (jesler) via Snort-users (Jun 13)