Snort mailing list archives

Re: stuck with google is your friend time only


From: Crusty Saint <saintcrusty () gmail com>
Date: Thu, 31 Mar 2011 19:01:15 +0200

Hmmm.

Apparently I'm not doing something right with regards to so_rules and the
accompanying .rules which differ from what is under ./rules

I'll better RTFM on this

2011/3/31 Nigel Houghton <nhoughton () sourcefire com>

On Thu, 31 Mar 2011 18:17:38 +0200, Crusty Saint wrote:



So what do I make of

Encoded Rule Plugin SID: 17741, GID: 3 not registered properly.
Disabling this rule.

Encoded Rule Plugin SID: 13475, GID: 3 not registered properly.
Disabling this rule.

Encoded Rule Plugin SID: 15450, GID: 3 not registered properly.
Disabling this rule.

Encoded Rule Plugin SID: 14255, GID: 3 not registered properly.
Disabling this rule.

Encoded Rule Plugin SID: 16800, GID: 3 not registered properly.
Disabling this rule.

Encoded Rule Plugin SID: 15529, GID: 3 not registered properly.
Disabling this rule.

Encoded Rule Plugin SID: 16645, GID: 3 not registered properly.
Disabling this rule.

Encoded Rule Plugin SID: 16503, GID: 3 not registered properly.
Disabling this rule.

Encoded Rule Plugin SID: 13974, GID: 3 not registered properly.
Disabling this rule.

Encoded Rule Plugin SID: 15327, GID: 3 not registered properly.
Disabling this rule.

Encoded Rule Plugin SID: 18231, GID: 3 not registered properly.
Disabling this rule.

Encoded Rule Plugin SID: 18215, GID: 3 not registered properly.
Disabling this rule.

Encoded Rule Plugin SID: 18206, GID: 3 not registered properly.
Disabling this rule.
.......
This is not amusing; I could not easily find a reason why this
happens and what the impact is on Snort performance, accuracy etc.


Then followed by many flowbit messages

Warning: flowbits key 'BrAin_Wiper_Chat' is set but not ever checked.
Warning: flowbits key 'asp.upload' is set but not ever checked.
Warning: flowbits key 'http.asx' is set but not ever checked.
Warning: flowbits key 'Netspy_Command_Pattern' is set but not ever
checked.
.......
361 out of 1024 flowbits in use.


Which I do not consider to be too bad

Thanks

It means that you have loaded shared object rules (probably from a
directory) and you have not loaded the rule stub files to go with them.
The rule stubs are the ones that actually enable the shared object
rules themselves.

As for the flowbits set but not checked message, you are correct, this
isn't too bad. Just a warning that you are using rule(s) unnecessarily.
If you disable the rule(s) that set those flowbits or if you enable the
rule(s) that use those flowbits, the messages will go away. A more
serious message you should pay attention to is the "flowbit <blah>
checked but not set" message, which means you are using a rule that
requires a flowbit from another rule and the other rule is not enabled.
In order to perform the detection you want, you would need to enable
the rule(s) that set that flowbit.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/




-- 
- - -
Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
Web Troubleshooting - If you think I deserve a rant, write me off-list
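One way to audit a rule set for the two flowbits conditions Nigel describes ("set but not ever checked" and the more serious "checked but not set") before starting Snort, as an added Python example that is not part of this thread or of the Snort project; the sample rules, SIDs and flowbit names below are constructed.

```python
import re

# Constructed sample rule file (not from the thread); SIDs and names are placeholders.
# The commented-out last rule plays the role of a disabled setter.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"ASP upload seen"; flowbits:set,asp.upload; flowbits:noalert; sid:1000001;)
alert tcp any any -> any 80 (msg:"ASX follow-up"; flowbits:isset,http.asx; sid:1000002;)
alert tcp any any -> any 6667 (msg:"chat join"; flowbits:set,chat.join,chat; flowbits:noalert; sid:1000003;)
alert tcp any any -> any 6667 (msg:"chat cmd"; flowbits:isset,chat.join; sid:1000004;)
# alert tcp any any -> any 80 (msg:"ASX seen (disabled)"; flowbits:set,http.asx; sid:1000005;)
"""

# Matches one flowbits option: the operator plus its optional argument up to the ';'.
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]*))?;')
SETTERS = {"set", "toggle"}
CHECKERS = {"isset", "isnotset"}

def audit_flowbits(rules_text):
    """Return (set_but_never_checked, checked_but_never_set) as sorted lists of names."""
    set_names, checked_names = set(), set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out rule is disabled, exactly as in snort.conf
        for op, arg in FLOWBITS_RE.findall(line):
            if op in SETTERS:
                # set/toggle take "name" or "name,group"; only the name is a flowbit
                set_names.add(arg.split(",")[0].strip())
            elif op in CHECKERS:
                # isset/isnotset may test several bits joined by & or |
                checked_names.update(n.strip() for n in re.split(r"[&|]", arg))
    return sorted(set_names - checked_names), sorted(checked_names - set_names)

if __name__ == "__main__":
    unused, broken = audit_flowbits(SAMPLE_RULES)
    for name in unused:
        print(f"Warning: flowbits key '{name}' is set but not ever checked.")
    for name in broken:
        print(f"ERROR: flowbits key '{name}' is checked but not ever set.")
```

Point it at the concatenation of every rule file your snort.conf actually includes (stubs for shared object rules included), since a flowbit set only in a file that is not loaded is exactly the "checked but not set" case.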