Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Flowbit Warnings

From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Fri, 15 Jun 2018 08:52:40 -0400
The warning you have states file.cur is checked but not ever set. That
indicates to me that your issue is with rules that have flowbits:isset and
not rules that have flowbits:set.

sid:23499 is the only rule in the Talos rule set that checks for that
flowbit. it's in file-other.rules. The three setters for that are 23496
23497 and 23498 in file-fidentify.rules. All of those are old enough that
they are in the subscriber rule set which is free to everyone.

Hope that helps.

Alex

On Wed, Jun 13, 2018 at 12:44 PM, Gerry Carpinetti via Snort-sigs <
snort-sigs () lists snort org> wrote:


I did some reading on flowbit warnings and how to fix them but after the
changes I still receive the warnings. I used Notepad++ to open a rules
file, than used Search -> Find In Files "selected the C:\Snort\rules folder
than entered "flowbits:set" into the Find What box, I replaced all
flowbits:set to flowbits:isset..

No matter which .rules file I open and search for flowbits:set has been
replaced with isset but yet I still get the WARNING: flowbits key
'file.cur' is checked but not ever set, as an example. Even if I do a
direct search within the file-indentify.rules for flowbits:set none exist.

Does this warning have to do with the flowbits:isnotset??

Get Outlook for iOS <https://aka.ms/o0ukef>

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-
the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure
to stay up to date to catch the most <a href="
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: