Snort mailing list archives

Re: Flowbits checked but not set error pulledpork


From: Shirkdog <shirkdog () gmail com>
Date: Tue, 13 Oct 2015 20:03:48 -0400

This is a run-time error from Snort, are you sure both signatures are
enabled in your sensor config?

In your snort.conf do you have an include line for the VRT Files?

include VRT-server-other.rules
include VRT-os-solaris.rules
---
Michael Shirk


On Tue, Oct 13, 2015 at 7:39 PM,  <xinland66 () gmail com> wrote:
We use PulledPork v0.7.2. When starting snort, we got this message:

<29>Oct 13 15:42:21 snort[12420]: WARNING: flowbits key 'lp.cascade' is checked but not ever set.


###### But the flowbit is set in the rules.

# grep -R lp.cascade . --color=always
./VRT-server-other.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER lpd receive printer job cascade adaptor protocol request"; flow:to_server,established; content:"|02|"; depth:1; pcre:"/\x02[^\x0a]+\x3a[^\x0a]+\x0a/"; flowbits:set,lp.cascade; flowbits:noalert; metadata:service ldp; classtype:protocol-command-decode; sid:4143; rev:8;)
./VRT-os-solaris.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris lpd control file upload attempt"; flow:to_server,established; flowbits:isset,lp.cascade; content:"|02|"; depth:1; content:"cfA"; nocase; pcre:"/^\x02\d+ cfA/smi"; flowbits:set,lp.controlfile; metadata:policy max-detect-ips drop, service printer; classtype:misc-attack; sid:4144; rev:12;)

# grep -R 12420 . --color=always
./ET-web_specific_apps.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt
dsp_page.cfm pageid SELECT"; flow:established,to_server;
content:"/dsp_page.cfm?"; nocase; http_uri; content:"pageid="; nocase;
http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase;
http_uri; pcre:"/SELECT.+FROM/Ui";
reference:url,exploit-db.com/exploits/16225/;
reference:url,securelist.com/en/advisories/43460;
reference:url,secunia.com/advisories/43460;
classtype:web-application-attack; sid:2012420; rev:2;)
./ET-malware.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"ETPRO MALWARE Win32/Cloud4PC PUP Activity";
flow:established,to_server; content:"GET"; http_method;
content:"/cgi-bin/getconf.cgi?debug="; http_uri; fast_pattern; depth:27;
content:"&ofg_id="; http_uri; distance:0; content:!"Accept"; http_header;
content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header;
reference:md5,ad4aa8417946f16780cfea4124205aaa; classtype:trojan-activity;
sid:2812492; rev:1;)
./ET-trojan.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO
TROJAN Beaugrit/Zegost CnC Beacon 2"; flow:established,to_server; dsize:473;
content:"|4d a7 0d 97 27|"; depth:5;
reference:md5,e8f8215407d533d748da42a5b0a5b055; classtype:trojan-activity;
sid:2812420; rev:1;)
./VRT-pua-adware.rules:# alert tcp $HOME_NET any -> $EXTERNAL_NET
$HTTP_PORTS (msg:"PUA-ADWARE PWS-QQGame outbound connection";
flow:to_server,established; content:"/html.txt"; nocase; http_uri;
content:"Host|3A| 866muma.3322.org"; fast_pattern:only; http_header;
metadata:service http;
reference:url,www.virustotal.com/file-scan/report.html?id=f1d6d37696bf581ef31325e23d07327dec5bdb10e546ed450716d7cc19f668ea-1242052797;
classtype:trojan-activity; sid:19827; rev:4;)
./VRT-pua-adware.rules:# alert tcp $HOME_NET any -> $EXTERNAL_NET
$HTTP_PORTS (msg:"PUA-ADWARE Ticno Multibar installation attempt";
flow:to_server,established; content:"Host: static.install.ticno.com";
fast_pattern:only; http_header; metadata:impact_flag red, policy
security-ips drop, service http;
reference:url,www.virustotal.com/en/file/b3f928b4be1ff7454d19f357b3e9d2926d0a8607dffeb3bab124208c9e59554b/analysis/;
classtype:trojan-activity; sid:31313; rev:1;)

###### Below is the PulledPork log, which showed 63 flowbits were enabled.

Reading rules...

Generating Stub Rules....
An error occurred: WARNING: ip4 normalizations disabled because not inline.

An error occurred: WARNING: tcp normalizations disabled because not inline.

An error occurred: WARNING: icmp4 normalizations disabled because not inline.

Done
Reading rules...
Reading rules...
Modifying Sids....
Done!
Processing /etc/snort/enablesid.conf....
Modified 0 rules
Done
Processing /etc/snort/dropsid.conf....
Modified 0 rules
Done
Processing /etc/snort/disablesid.conf....
Modified 0 rules
Done
Setting Flowbit State....
Enabled 63 flowbits
Done
Writing rules to unique destination files....
Writing rules to /etc/snort/new_rules/
Done
Generating sid-msg.map....
Done
Writing v1 /etc/snort/sid-msg.map....
Done
Thanks,
KL


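The point of the reply above is that Snort's start-up warning is computed over the rules it actually loads: a flowbit counts as "set" only if an enabled rule in a file reached through an include line sets it, regardless of what grep finds on disk. The script below is an added example, not code from the thread, from Snort or from PulledPork; it reproduces that check offline so a sensor config can be audited before a restart. The snort.conf fragment, the file names, the rule text and the commented-out sid 4143 are constructed sample data modelled on the thread, held in memory instead of on disk so the example runs anywhere.

```python
"""Audit Snort 2.x flowbits over the rule files a snort.conf includes.

Added example (not Snort's or PulledPork's own code).  Snort warns at start-up
"flowbits key 'X' is checked but not ever set" when an enabled rule tests a bit
(isset/isnotset) and no enabled, included rule sets it.  SNORT_CONF and
RULE_FILES below are constructed sample data modelled on the mailing-list thread.
"""
import re
from collections import defaultdict

# A line is an active rule when it starts with one of these; a leading '#' disables it.
RULE_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]*))?;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}

SNORT_CONF = """\
# constructed snort.conf fragment (assumed paths)
include VRT-server-other.rules
include VRT-os-solaris.rules
"""

# Constructed rule files.  sid 4143 (the setter) is commented out here, which is the
# situation that produces the lp.cascade warning; the first rule also uses Snort's
# trailing-backslash line continuation.
RULE_FILES = {
    "VRT-server-other.rules": r"""
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER lpd receive printer job cascade adaptor protocol request"; \
    flow:to_server,established; content:"|02|"; depth:1; flowbits:set,lp.cascade; flowbits:noalert; sid:4143; rev:8;)
""",
    "VRT-os-solaris.rules": r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris lpd control file upload attempt"; flow:to_server,established; flowbits:isset,lp.cascade; content:"|02|"; depth:1; content:"cfA"; nocase; flowbits:set,lp.controlfile; sid:4144; rev:12;)
""",
}


def join_continuations(text):
    """Snort lets a rule span lines with a trailing backslash; join those lines."""
    return re.sub(r"\\\n\s*", " ", text)


def parse_rules(text):
    """Yield (enabled, sid, [(flowbits_op, [bit names])]) for every rule-looking line."""
    for line in join_continuations(text).splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = stripped.split()[0] in RULE_ACTIONS
        body = stripped.lstrip("#").strip()
        if not body or body.split()[0] not in RULE_ACTIONS:
            continue  # an ordinary comment or a config directive, not a rule
        m = SID_RE.search(body)
        sid = int(m.group(1)) if m else None
        ops = []
        for op, arg in FLOWBITS_RE.findall(body):
            # "set,bit,group" carries a group name; "isset,a&b" / "a|b" combine bits
            names = re.split(r"[&|]", arg.split(",")[0]) if arg else []
            ops.append((op, [n.strip() for n in names if n.strip()]))
        yield enabled, sid, ops


def included_files(snort_conf):
    """File names from the 'include <file>' lines of snort.conf, in order."""
    out = []
    for line in snort_conf.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "include":
            out.append(parts[1].strip())
    return out


def audit_flowbits(snort_conf, rule_files):
    """Return the flowbits Snort would warn about, given snort.conf text and a
    mapping of included file name -> file contents."""
    included = included_files(snort_conf)
    setters, checkers = defaultdict(set), defaultdict(set)
    for fname in included:
        text = rule_files.get(fname)
        if text is None:
            continue  # include points at a file we were not given
        for enabled, sid, ops in parse_rules(text):
            if not enabled:
                continue  # disabled rules never reach Snort's flowbits table
            for op, bits in ops:
                table = setters if op in SETTERS else checkers if op in CHECKERS else None
                if table is not None:
                    for bit in bits:
                        table[bit].add(sid)
    return {
        "checked_not_set": sorted(b for b in checkers if b not in setters),
        "set_not_checked": sorted(b for b in setters if b not in checkers),
        "missing_files": sorted(f for f in included if f not in rule_files),
    }


def report(result):
    """Render the audit in the wording Snort itself uses at start-up."""
    lines = ["WARNING: flowbits key '%s' is checked but not ever set." % b
             for b in result["checked_not_set"]]
    lines += ["WARNING: flowbits key '%s' is set but not ever checked." % b
              for b in result["set_not_checked"]]
    return lines


if __name__ == "__main__":
    for line in report(audit_flowbits(SNORT_CONF, RULE_FILES)):
        print(line)
    # Re-enable sid 4143 and the lp.cascade warning goes away.
    fixed = {k: v.replace("# alert", "alert") for k, v in RULE_FILES.items()}
    print(audit_flowbits(SNORT_CONF, fixed)["checked_not_set"])
```

To use it against a real sensor, replace RULE_FILES with the contents of the files named on the include lines (PulledPork's output directory, /etc/snort/new_rules/ in the thread, is where the active copies live). Two things the grep in the original mail does not account for are covered here: a rule that PulledPork has written with a leading "#" is disabled and does not set anything, and a file that sets the bit but is never included is invisible to Snort. The script looks only at flowbits; the number in "snort[12420]" on the warning line is the process id syslog attaches, so grepping the rules for it finds unrelated sids.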
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
