Snort mailing list archives
Flowbits warnings problem
From: Anna <Anna () sonru com>
Date: Fri, 4 Aug 2017 16:17:25 +0100
Hello,

Snort: 2.9.9.0
PulledPork: 0.7.3

I know this problem came up before, but I have these flowbits warnings:

WARNING: flowbits key 'file.m4v' is set but not ever checked.
WARNING: flowbits key 'smb.trans2.get_dfs_referral' is set but not ever checked.
WARNING: flowbits key 'tivoli.backup' is set but not ever checked.

I am using PulledPork, yet it is still not setting all the flowbits right. I read the blog post by Joel Esler: http://blog.snort.org/2011/05/resolving-flowbit-dependancies.html

I have a question: how do I set them right manually? I found the strings that have those flowbits, e.g.:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V file attachment detected"; flow:to_server,established; content:".m4v"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4v/i"; flowbits:set,file.m4v; flowbits:noalert; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:22980; rev:10;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established; file_data; content:"ftypM4V"; depth:7; offset:4; nocase; flowbits:set,file.m4v; flowbits:noalert; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24818; rev:8;)

Can this be corrected by changing flowbits:noalert; to flowbits:isset,file.m4v; in this string? I would like to make sure before I manually change any rule.

Thank you
ANNA
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
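An added example, not from this thread or the Snort project: a small Python checker that reproduces Snort's "set but not ever checked" test over a rules file, treating rules PulledPork has commented out as disabled, so it can also show which disabled sid would have checked a bit. The sample ruleset is constructed from the two rules quoted above (shortened); sids 9000001 to 9000003 and the bits demo.bit and other.bit are made up, and counting toggle as a setter is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample ruleset (not the poster's real files): the two file.m4v setters from
# the post, one commented-out rule that would check file.m4v, and a correct demo.bit pair.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V file attachment detected"; flow:to_server,established; content:".m4v"; flowbits:set,file.m4v; flowbits:noalert; sid:22980; rev:10;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established; file_data; content:"ftypM4V"; depth:7; offset:4; flowbits:set,file.m4v; flowbits:noalert; sid:24818; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE disabled rule that checks file.m4v"; flowbits:isset,file.m4v; sid:9000001; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE sets demo.bit"; flowbits:set,demo.bit; flowbits:noalert; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE checks demo.bit"; flowbits:isset,demo.bit|other.bit; sid:9000003; rev:1;)
'''
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]*))?;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
SETTERS = {'set', 'setx', 'toggle'}   # operators treated as setting a bit (toggle: assumption)
CHECKERS = {'isset', 'isnotset'}      # operators that count as checking a bit


def parse_rules(text):
    """Yield (sid, enabled, bits_set, bits_checked) for each rule line carrying a sid."""
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith('#')   # PulledPork disables rules by commenting them out
        body = line.lstrip('#').strip()
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue
        bits_set, bits_checked = set(), set()
        for op, arg in FLOWBITS_RE.findall(body):
            # set may carry a group ("name,group"); isset may combine bits ("a&b", "a|b")
            names = {n.strip() for n in re.split(r'[&|]', arg.split(',')[0]) if n.strip()}
            if op in SETTERS:
                bits_set |= names
            elif op in CHECKERS:
                bits_checked |= names
        yield int(sid_m.group(1)), enabled, bits_set, bits_checked


def unchecked_flowbits(text):
    """Bits set by an enabled rule but checked by none; lists setters and disabled checkers."""
    set_by, checked, disabled_checkers = defaultdict(list), set(), defaultdict(list)
    for sid, enabled, bits_set, bits_checked in parse_rules(text):
        if enabled:
            for b in bits_set:
                set_by[b].append(sid)
            checked |= bits_checked
        else:
            for b in bits_checked:
                disabled_checkers[b].append(sid)
    return {b: {'set_by': sorted(s), 'disabled_checkers': sorted(disabled_checkers[b])}
            for b, s in set_by.items() if b not in checked}
```

Running unchecked_flowbits over a real rules directory (concatenate the .rules files into one string) reports each warned key together with the commented-out sids that would check it, which is the rule to look at before editing any setter.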
Current thread:
- Flowbits warnings problem Anna (Aug 04)
- Re: Flowbits warnings problem Joel Esler (jesler) via Snort-users (Aug 04)
- Re: Flowbits warnings problem Damian Torres via Snort-users (Aug 04)