Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: help with WARNING: flowbits key

From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 16 Jun 2014 17:46:49 +0000
On Jun 16, 2014, at 1:37 PM, waldo kitty <wkitty42 () windstream net<mailto:wkitty42 () windstream net>> wrote:
On 6/14/2014 5:01 AM, hernani wrote:

Em 13-06-2014 19:59, waldo kitty escreveu:
On 6/13/2014 6:23 AM, hernani wrote:
hello,

how can i remove this warning --->
all of those are "flowbit XXXX set but not ever checked." so either enable the
rules that check those flowbits *OR* disable the rules listed that set those
flowbits...

hello,

where can i find this rules ?
i use snort base mysql barnyard2 on snort-2.9.6.1

grep (or any other text search tool) is your friend... you tell it to search
your *.rules files for the flowbit set pattern...

eg: grep -i -E "flowbits:set,flowbit.here;" /path/to/snort/rules/*.rules


where "flowbit.here" would be the flowbits from your warning list...

eg: grep -i -E "flowbits:set,file\.abc;" /path/to/snort/rules/*.rules
    grep -i -E "flowbits:set,imap\.cram\.md5;" /path/to/snort/rules/*.rules
    grep -i -E "flowbits:set,file\.fon;" /path/to/snort/rules/*.rules

the results of the search will tell you which file the pattern is found in and
what the SID of the rule is because it prints out the whole line containing the
pattern...

Some of these were fixed on Friday, so you should see these errors go away.  There are a couple, however, that can only 
be fixed by using PulledPork.

Going forward, we are only supporting pulledpork, when it comes to downloading rules, etc from 
Snort.org<http://Snort.org>, so if you aren’t tranisitioned to pulledpork yet, you may want to think about doing this.

More details will be coming in a blog post for official announcements, but just my 0.02 here.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team



------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: