Snort mailing list archives
Why these flowbits errors are returned??
From: "C. L. Martinez" <carlopmart () gmail com>
Date: Thu, 29 Nov 2012 07:49:00 +0000
Hi all,

According to http://blog.snort.org/2011/05/resolving-flowbit-dependancies.html, flowbits errors can be fixed manually or using a tool like pulledpork.pl. I use this tool to manage my rules, but I have a lot of errors with flowbits. For example:

  WARNING: flowbits key 'smtp.contenttype.attachment' is set but not ever checked.

This option appears in the flowbits field in the VRT-smtp.rules file:

  VRT-smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Disposition attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"attachment"; distance:0; nocase; pcre:"/^Content-Disposition\x3A\s*attachment/smi"; flowbits:set,smtp.contenttype.attachment; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; sid:17332; rev:5;)
  VRT-smtp.rules:# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Lotus Notes Attachment Viewer UUE file buffer overflow attempt"; flow:to_server,established; flowbits:isset,smtp.contenttype.attachment; content:"|0D 0A 0D 0A|begin|20|"; isdataat:278,relative; content:!"end|0D 0A|"; within:278; nocase; metadata:policy security-ips drop, service smtp; reference:bugtraq,16576; reference:cve,2005-2618; classtype:attempted-user; sid:17333; rev:7;)

As you can see, there are two rules: one with set and another with isset enabled under the flowbits field. Then why do these warnings appear?

Thanks.
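Snort raises "flowbits key ... is set but not ever checked" when an enabled rule sets a key and no enabled rule tests it with isset or isnotset; a rule that is commented out with a leading "#" is never loaded, so it does not count as a checker. The script below is an added example (not from the post, not pulledpork's code) of the same dependency check, run over a constructed ruleset that embeds the two VRT rules quoted above plus a hypothetical, fully enabled setter/checker pair (sids 9000001 and 9000002 are made up). It reports each dangling key together with the disabled rules that would satisfy it, and enable_sids() shows, in outline, the fix pulledpork's flowbit resolution applies: uncomment the partner rule and re-run the check.

```python
import re
from collections import defaultdict

# Constructed sample ruleset: sid 17332 (enabled setter) and sid 17333
# (disabled checker) as quoted in the post, plus a hypothetical pair where
# both sides are enabled so the report shows a clean key for contrast.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Disposition attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"attachment"; distance:0; nocase; pcre:"/^Content-Disposition\x3A\s*attachment/smi"; flowbits:set,smtp.contenttype.attachment; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; sid:17332; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Lotus Notes Attachment Viewer UUE file buffer overflow attempt"; flow:to_server,established; flowbits:isset,smtp.contenttype.attachment; content:"|0D 0A 0D 0A|begin|20|"; isdataat:278,relative; content:!"end|0D 0A|"; within:278; nocase; metadata:policy security-ips drop, service smtp; reference:bugtraq,16576; reference:cve,2005-2618; classtype:attempted-user; sid:17333; rev:7;)
alert tcp any any -> any 80 (msg:"hypothetical setter"; flowbits:set,example.bit; flowbits:noalert; sid:9000001; rev:1;)
alert tcp any any -> any 80 (msg:"hypothetical checker"; flowbits:isset,example.bit; sid:9000002; rev:1;)
'''

RULE_ACTIONS = ("alert", "drop", "sdrop", "reject", "pass", "log", "activate", "dynamic")
# flowbits:<op>[,<key>[,<group>]]  -- the group (third field) is ignored here
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;,]+))?')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}


def parse_rules(text):
    """Yield (sid, enabled, [(op, key), ...]) for every rule line.

    A line whose first non-'#' token is a rule action is a disabled rule;
    anything else starting with '#' is an ordinary comment and is skipped.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        if not body.startswith(RULE_ACTIONS):
            continue
        m = SID_RE.search(body)
        sid = int(m.group(1)) if m else None
        ops = []
        for op, keyspec in FLOWBITS_RE.findall(body):
            if not keyspec:          # noalert / reset carry no key
                continue
            for key in re.split(r'[&|]', keyspec):   # multi-key syntax a&b / a|b
                ops.append((op, key.strip()))
        yield sid, enabled, ops


def flowbit_report(text):
    """Return the dangling flowbit keys, in the spirit of Snort's start-up warnings."""
    set_by, checked_by = defaultdict(set), defaultdict(set)
    disabled_setters, disabled_checkers = defaultdict(set), defaultdict(set)
    for sid, enabled, ops in parse_rules(text):
        for op, key in ops:
            if op in SETTERS:
                (set_by if enabled else disabled_setters)[key].add(sid)
            elif op in CHECKERS:
                (checked_by if enabled else disabled_checkers)[key].add(sid)
    report = []
    for key in sorted(set_by):
        if key not in checked_by:
            report.append({"kind": "set but not ever checked", "key": key,
                           "sids": sorted(set_by[key]),
                           "disabled_partners": sorted(disabled_checkers.get(key, ()))})
    for key in sorted(checked_by):
        if key not in set_by:
            report.append({"kind": "checked but not ever set", "key": key,
                           "sids": sorted(checked_by[key]),
                           "disabled_partners": sorted(disabled_setters.get(key, ()))})
    return report


def enable_sids(text, sids):
    """Return the ruleset with the leading '#' removed from rules whose sid is in sids."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SID_RE.search(line)
        if line.startswith("#") and m and int(m.group(1)) in sids:
            out.append(line.lstrip("#").strip())
        else:
            out.append(raw)
    return "\n".join(out)


if __name__ == "__main__":
    for w in flowbit_report(SAMPLE_RULES):
        print("WARNING: flowbits key '%s' is %s (sids %s; disabled partners %s)"
              % (w["key"], w["kind"], w["sids"], w["disabled_partners"]))
    fixed = enable_sids(SAMPLE_RULES, {17333})
    print("after enabling sid 17333:", flowbit_report(fixed))
```

The report treats only set, setx and toggle as setters and only isset and isnotset as checkers; unset and reset neither satisfy nor create a dependency. Whether you uncomment the checking rule (as pulledpork does) or instead disable the setter is a policy decision: the first costs the extra rule's evaluation, the second drops coverage for everything that depended on the key.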
Current thread:
- Why these flowbits errors are returned?? C. L. Martinez (Nov 28)
- Re: Why these flowbits errors are returned?? Joel Esler (Nov 29)
- Re: Why these flowbits errors are returned?? C. L. Martinez (Nov 29)
- Re: Why these flowbits errors are returned?? waldo kitty (Nov 29)
- Re: Why these flowbits errors are returned?? Castle, Shane (Nov 29)
- Re: Why these flowbits errors are returned?? JJC (Nov 29)
- Re: Why these flowbits errors are returned?? waldo kitty (Nov 29)
- Re: Why these flowbits errors are returned?? C. L. Martinez (Nov 29)
- Re: Why these flowbits errors are returned?? waldo kitty (Nov 30)
- Re: Why these flowbits errors are returned?? carlopmart (Dec 01)
- Re: Why these flowbits errors are returned?? JJC (Dec 01)
- Re: Why these flowbits errors are returned?? Joel Esler (Nov 29)