Snort mailing list archives
Re: Flowbit Warnings
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Fri, 15 Jun 2018 08:52:40 -0400
The warning you have states file.cur is checked but not ever set. That indicates to me that your issue is with rules that have flowbits:isset and not rules that have flowbits:set. sid:23499 is the only rule in the Talos rule set that checks for that flowbit. It's in file-other.rules. The three setters for that are 23496, 23497 and 23498 in file-identify.rules. All of those are old enough that they are in the subscriber rule set which is free to everyone.

Hope that helps.

Alex

On Wed, Jun 13, 2018 at 12:44 PM, Gerry Carpinetti via Snort-sigs <snort-sigs () lists snort org> wrote:
I did some reading on flowbit warnings and how to fix them, but after the changes I still receive the warnings. I used Notepad++ to open a rules file, then used Search -> Find In Files, selected the C:\Snort\rules folder, then entered "flowbits:set" into the Find What box. I replaced all flowbits:set to flowbits:isset. No matter which .rules file I open and search, flowbits:set has been replaced with isset, but yet I still get the "WARNING: flowbits key 'file.cur' is checked but not ever set", as an example. Even if I do a direct search within the file-identify.rules for flowbits:set, none exist. Does this warning have to do with the flowbits:isnotset?

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
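A way to find every flowbit that is checked but never set by an enabled rule (and the reverse) instead of searching rule files by hand. This is an added example, not part of the original thread or of Snort itself; the sample rules and their sids (1000001-1000003) are constructed, and it assumes one rule per line with commented-out rules counted as disabled.

```python
import re
from collections import defaultdict

# One flowbits option, e.g. "flowbits:set,file.cur;" or "flowbits:isset,a|b;"
FLOWBITS = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;,]+))?", re.I)
SID = re.compile(r"\bsid\s*:\s*(\d+)")
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}

# Constructed sample: the only setter of file.cur is commented out (disabled).
SAMPLE_RULES = r'''
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed setter, disabled"; flowbits:set,file.cur; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed checker"; flowbits:isset,file.cur; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed setter"; flowbits:set,file.demo; flowbits:noalert; sid:1000003; rev:1;)
'''.splitlines()

def audit_flowbits(rule_lines):
    """Return (checked_not_set, set_not_checked): dicts of flowbit -> sorted sids."""
    set_by, checked_by = defaultdict(set), defaultdict(set)
    for line in rule_lines:
        line = line.strip()
        if not line or line.startswith("#"):  # disabled rules set nothing
            continue
        m = SID.search(line)
        sid = int(m.group(1)) if m else 0     # 0 = rule without a sid
        for op, names in FLOWBITS.findall(line):
            op = op.lower()
            target = set_by if op in SETTERS else checked_by if op in CHECKERS else None
            if target is None or not names:   # noalert, unset, reset: neither
                continue
            for name in re.split(r"[&|]", names):  # "a|b" and "a&b" name several bits
                target[name.strip()].add(sid)
    checked_not_set = {k: sorted(v) for k, v in checked_by.items() if k not in set_by}
    set_not_checked = {k: sorted(v) for k, v in set_by.items() if k not in checked_by}
    return checked_not_set, set_not_checked

if __name__ == "__main__":
    import pathlib
    import sys
    # Pass .rules files as arguments; with none, the constructed sample is used.
    lines = [l for p in sys.argv[1:]
             for l in pathlib.Path(p).read_text(errors="replace").splitlines()] or SAMPLE_RULES
    missing, unused = audit_flowbits(lines)
    for name, sids in missing.items():
        print(f"'{name}' is checked by sid(s) {sids} but no enabled rule sets it")
    for name, sids in unused.items():
        print(f"'{name}' is set by sid(s) {sids} but no enabled rule checks it")
```

Run against all loaded rule files together, since a setter and its checker can live in different files.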
Current thread:
- Flowbit Warnings Gerry Carpinetti via Snort-sigs (Jun 15)
- Re: Flowbit Warnings Alex McDonnell (Jun 15)
- Re: Flowbit Warnings wkitty42 (Jun 15)
- Re: Flowbit Warnings wkitty42 (Jun 15)
- Re: Flowbit Warnings Felix Rodríguez (Jun 15)
- Re: Flowbit Warnings wkitty42 (Jun 15)
- Re: Flowbit Warnings Felix Rodríguez (Jun 15)
- Re: Flowbit Warnings Alex McDonnell (Jun 15)