Snort mailing list archives
Re: Flowbit Dependencies
From: Photius Orfanidis <photiorfanidis () telstra com>
Date: Thu, 21 Sep 2017 00:36:59 +1000
Hi Dave!

If you want a really easy setup and network configuration try using Snort with pfSense. It works like a charm without any errors even with advanced configuration(s) in my experience.

Cheers :)
Photius
On 20 Sep 2017, at 10:58 pm, Sam Hodgson <sam.hodgson () perfect-image co uk> wrote:

Hi All,

Snortnoob here, have it up and running on CentOS 7, however seeing lots of this on startup:

WARNING: flowbits key 'file.search-ms' is set but not ever checked.
WARNING: flowbits key 'file.flac' is set but not ever checked.
328 out of 1024 flowbits in use.

I'm running pulledpork which updates without error. I understand it would potentially automatically resolve the above, however that is not the case for some reason.

The large majority of the unchecked flowbits are file.xxx and as a test case I can see that file.flac is referenced multiple times in /etc/snort/rules/file-multimedia.rules:

# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FLAC libFLAC picture metadata buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.flac; file_data; content:"fLaC"; content:"|06|"; content:"|FF FF FF FF|"; within:4; distance:7; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12745; rev:13;)

Upon updating I see:

Rule Stats...
New:-------10561
Deleted:---0
Enabled Rules:----11067
Dropped Rules:----0
Disabled Rules:---32670
Total Rules:------43737

I've read that not all are enabled by default out of the box for performance reasons. Is that correct? And is that the reason behind the flowbit warnings?

Any input is greatly appreciated!

Thanks
Sam

Save paper, please think twice before printing this email.
Equinox House | Cobalt 3.2 | Cobalt Business Park | Silver Fox Way | North Tyneside | Newcastle upon Tyne | NE27 0QJ
T. 0191 238 0111 | F. 0191 238 0127 | Service Desk Direct Line. 0191 238 0121
Perfect Image Ltd. Registered in England & Wales. Company Registration Number: 2650067
Registered Office: Equinox House, Cobalt 3.2, Cobalt Business Park, Silver Fox Way, North Tyneside, Newcastle upon Tyne, NE27 0QJ
This e-mail is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not represent those of Perfect Image Ltd. If you are not the intended recipient, please notify us at info () perfect-image co uk and be advised that you have received this mail in error and that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited.

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
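The warning Sam quotes arises when an enabled rule sets a flowbit (typically a FILE-IDENTIFY rule with flowbits:set and flowbits:noalert) while every rule that would test it with flowbits:isset is commented out, as the file-multimedia.rules line above is; Snort never loads commented-out rules, so from its point of view the key is set and never checked. The script below is an added example, not part of this thread or of Snort or pulledpork: it walks a rules file, reproduces Snort's "set but not ever checked" report from the enabled rules only, and, unlike Snort, also lists the disabled rules that would check each orphaned key, which is what you need when deciding which rules to enable. The rules in SAMPLE_RULES are constructed for the example (local-range sids, abbreviated content matches); they are not the real Talos rules.

```python
import re
from collections import defaultdict

# Constructed sample rules (not the real file-multimedia.rules). Rule 1000002 is
# commented out, exactly the situation that triggers the warning for file.flac.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY FLAC file magic detected"; flow:to_client,established; file_data; content:"fLaC"; depth:4; flowbits:set,file.flac; flowbits:noalert; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FLAC picture metadata overflow attempt"; flow:to_client,established; flowbits:isset,file.flac; file_data; content:"fLaC"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY search-ms file magic detected"; flow:to_client,established; file_data; content:"<?xml"; flowbits:set,file.search-ms; flowbits:noalert; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_client,established; file_data; content:"%PDF-"; flowbits:set,file.pdf; flowbits:noalert; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF suspicious JavaScript in PDF"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; sid:1000005; rev:1;)
"""

FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([^;]+);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# Operations that write a flowbit versus operations that read one. noalert,
# unset and reset are neither: they do not make a key "checked".
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}


def parse_flowbits(rule_text):
    """Return [(op, [keys...]), ...] for every flowbits option in a rule.

    Keys joined with & or | are split apart; the optional group name that may
    follow the key list (flowbits:set,key,GROUP) is dropped.
    """
    result = []
    for m in FLOWBITS_RE.finditer(rule_text):
        fields = [f.strip() for f in m.group(1).split(',')]
        op = fields[0].lower()
        keys = []
        if len(fields) > 1 and fields[1]:
            keys = [k for k in re.split(r'[&|]', fields[1]) if k]
        result.append((op, keys))
    return result


def rule_is_enabled(line):
    """A rule line is loaded by Snort unless it is blank or commented out."""
    stripped = line.strip()
    return bool(stripped) and not stripped.startswith('#')


def analyse_flowbits(rules_text, enabled=True):
    """Map each flowbit key to the sids that set it and the sids that check it.

    With enabled=True only loaded rules are considered, which is what Snort
    sees at startup; with enabled=False only commented-out rules are scanned.
    One rule per line is assumed (no backslash continuations).
    """
    setters = defaultdict(set)
    checkers = defaultdict(set)
    for line in rules_text.splitlines():
        if rule_is_enabled(line) != enabled:
            continue
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        for op, keys in parse_flowbits(line):
            for key in keys:
                if op in SETTERS:
                    setters[key].add(sid)
                elif op in CHECKERS:
                    checkers[key].add(sid)
    return setters, checkers


def unchecked_flowbits(rules_text):
    """Keys set by an enabled rule that no enabled rule ever tests."""
    setters, checkers = analyse_flowbits(rules_text)
    return sorted(k for k in setters if k not in checkers)


def flowbits_in_use(rules_text):
    """Distinct keys referenced by enabled rules (the 'N out of 1024' figure)."""
    setters, checkers = analyse_flowbits(rules_text)
    return len(set(setters) | set(checkers))


def disabled_checkers(rules_text):
    """For each unchecked key, the commented-out sids that would check it."""
    _, disabled = analyse_flowbits(rules_text, enabled=False)
    return {k: disabled[k] for k in unchecked_flowbits(rules_text) if k in disabled}


def startup_warnings(rules_text):
    """Render the same report Snort prints at startup for the enabled rules."""
    lines = ["WARNING: flowbits key '%s' is set but not ever checked." % k
             for k in unchecked_flowbits(rules_text)]
    lines.append("%d out of 1024 flowbits in use." % flowbits_in_use(rules_text))
    return lines


if __name__ == "__main__":
    print("\n".join(startup_warnings(SAMPLE_RULES)))
    for key, sids in disabled_checkers(SAMPLE_RULES).items():
        print("%s would be checked by disabled sid(s): %s" % (key, sorted(sids)))
```

Run against a real rules directory by reading each .rules file into rules_text; keys that come back from unchecked_flowbits with no entry in disabled_checkers are set by a rule whose consumers live in a different file, so concatenate all files before drawing conclusions. The warnings are harmless in themselves: the identify rule still runs, its noalert keeps it silent, and the bit is simply never consumed until the corresponding detection rule is enabled.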
Current thread:
- Flowbit Dependencies Sam Hodgson (Sep 20)
- Re: Flowbit Dependencies Photius Orfanidis (Sep 20)