Snort mailing list archives
Re: help with WARNING: flowbits key
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 16 Jun 2014 17:46:49 +0000
On Jun 16, 2014, at 1:37 PM, waldo kitty <wkitty42 () windstream net> wrote:

> On 6/14/2014 5:01 AM, hernani wrote:
>> On 13-06-2014 19:59, waldo kitty wrote:
>>> On 6/13/2014 6:23 AM, hernani wrote:
>>>> hello,
>>>>
>>>> how can I remove this warning --->
>>>
>>> all of those are "flowbit XXXX set but not ever checked." so either
>>> enable the rules that check those flowbits *OR* disable the rules
>>> listed that set those flowbits...
>>
>> hello,
>>
>> where can I find these rules? I use snort, base, mysql and barnyard2 on
>> snort-2.9.6.1
>
> grep (or any other text search tool) is your friend... you tell it to
> search your *.rules files for the flowbit set pattern... e.g.:
>
>   grep -i -E "flowbits:set,flowbit.here;" /path/to/snort/rules/*.rules
>
> where "flowbit.here" would be the flowbits from your warning list... e.g.:
>
>   grep -i -E "flowbits:set,file\.abc;" /path/to/snort/rules/*.rules
>   grep -i -E "flowbits:set,imap\.cram\.md5;" /path/to/snort/rules/*.rules
>   grep -i -E "flowbits:set,file\.fon;" /path/to/snort/rules/*.rules
>
> the results of the search will tell you which file the pattern is found
> in and what the SID of the rule is, because it prints out the whole line
> containing the pattern...

Some of these were fixed on Friday, so you should see these errors go away. There are a couple, however, that can only be fixed by using PulledPork.

Going forward, we are only supporting PulledPork when it comes to downloading rules, etc. from Snort.org, so if you aren't transitioned to PulledPork yet, you may want to think about doing this. More details will be coming in a blog post for official announcements, but just my 0.02 here.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
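The grep in waldo kitty's reply finds the rule that sets one named flowbit. The script below is an added example (not from any poster and not part of Snort or PulledPork) that goes one step further and reproduces the logic behind the warning itself: it collects every flowbit that an enabled rule sets, every flowbit that an enabled rule checks with isset/isnotset, and prints the difference, then looks up the SIDs of the rules that set a given bit. It assumes the standard `flowbits:set,NAME;` / `flowbits:isset,NAME;` keyword syntax and treats a rule line starting with `#` as disabled, which is the usual way a checker gets turned off and the setter left behind. The sample `.rules` file it writes is constructed for the example and contains no real Snort rules.

```shell
#!/bin/sh
# Added example: report flowbits that are set but never checked in a rules directory.
# Assumptions: rules use "flowbits:set,NAME;" and "flowbits:isset,NAME;" /
# "flowbits:isnotset,NAME;", and a rule whose line starts with '#' is disabled.

# Constructed sample rules for the example (not real Snort content).
# The checker for imap.cram.md5 is commented out, so that bit should be reported.
make_sample_rules() {
  dir=$(mktemp -d)
  cat > "$dir/sample.rules" <<'EOF'
alert tcp any any -> any 143 (msg:"CONSTRUCTED imap cram-md5 setter"; content:"CRAM-MD5"; flowbits:set,imap.cram.md5; flowbits:noalert; sid:9000001; rev:1;)
alert tcp any any -> any any (msg:"CONSTRUCTED file.abc setter"; content:"ABC"; flowbits:set,file.abc; flowbits:noalert; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"CONSTRUCTED file.abc checker"; flowbits:isset,file.abc; content:"exploit"; sid:9000003; rev:1;)
# alert tcp any any -> any 143 (msg:"CONSTRUCTED disabled checker"; flowbits:isset,imap.cram.md5; sid:9000004; rev:1;)
EOF
  echo "$dir"
}

# Enabled rule lines only: drop lines whose first non-blank character is '#'.
enabled_rules() {
  grep -h -v '^[[:space:]]*#' "$1"/*.rules
}

# Names set by enabled rules. "set,NAME,GROUP" keeps only NAME (cut), and
# "a&b" / "a|b" combinations are split into one name per line (tr).
set_bits() {
  enabled_rules "$1" \
    | grep -o 'flowbits:set,[^;]*' \
    | sed 's/^flowbits:set,//' | cut -d, -f1 | tr '&|' '\n\n' | sort -u
}

# Names checked by enabled rules (isset or isnotset), split the same way.
check_bits() {
  enabled_rules "$1" \
    | grep -oE 'flowbits:(isset|isnotset),[^;]*' \
    | sed -E 's/^flowbits:(isset|isnotset),//' | tr '&|' '\n\n' | sort -u
}

# Set minus checked: each line printed is a bit Snort would warn about.
unchecked_bits() {
  s=$(mktemp); c=$(mktemp)
  set_bits "$1" > "$s"
  check_bits "$1" > "$c"
  comm -23 "$s" "$c"
  rm -f "$s" "$c"
}

# SIDs of the enabled rules that set a given bit (the "which rule is it" step),
# with dots in the name escaped so they match literally.
setter_sids() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  enabled_rules "$1" \
    | grep "flowbits:set,$esc[,;&|]" \
    | grep -o 'sid:[0-9]*' | sed 's/^sid://'
}

# Stand-alone run against the constructed sample:
if [ "${1:-}" = "--demo" ]; then
  d=$(make_sample_rules)
  echo "flowbits set but never checked:"
  for b in $(unchecked_bits "$d"); do
    echo "  $b  (set by sid: $(setter_sids "$d" "$b" | tr '\n' ' '))"
  done
  rm -rf "$d"
fi
```

Point it at a real tree with `unchecked_bits /etc/snort/rules` after sourcing the file; the names it prints should match the "set but not ever checked" list in snort's startup output, and `setter_sids` then tells you which SIDs to disable (or whose checker to re-enable). Bits that a rule sets with `flowbits:set` but that are only consumed by a rule living in a file you do not load will show up here too, which is the PulledPork case Joel describes.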
Current thread:
- help with WARNING: flowbits key hernani (Jun 13)
- Re: help with WARNING: flowbits key waldo kitty (Jun 13)
- Re: help with WARNING: flowbits key hernani (Jun 14)
- Re: help with WARNING: flowbits key waldo kitty (Jun 16)
- Re: help with WARNING: flowbits key Joel Esler (jesler) (Jun 16)
- Re: help with WARNING: flowbits key hernani (Jun 14)
- Re: help with WARNING: flowbits key waldo kitty (Jun 13)
- Re: help with WARNING: flowbits key Joel Esler (jesler) (Jun 13)
- Re: help with WARNING: flowbits key hernani (Jun 14)
- Re: help with WARNING: flowbits key hernani (Jun 15)
- Re: help with WARNING: flowbits key Joel Esler (jesler) (Jun 15)
- Re: help with WARNING: flowbits key hernani (Jun 14)