Snort mailing list archives

Re: help with WARNING: flowbits key


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 16 Jun 2014 13:37:34 -0400

On 6/14/2014 5:01 AM, hernani wrote:

> On 13-06-2014 19:59, waldo kitty wrote:
>> On 6/13/2014 6:23 AM, hernani wrote:
>>> hello,
>>>
>>> how can i remove this warning --->
>> all of those are "flowbit XXXX set but not ever checked." so either enable the
>> rules that check those flowbits *OR* disable the rules listed that set those
>> flowbits...
>
> hello,
>
> where can I find these rules?
> I use snort base mysql barnyard2 on snort-2.9.6.1

grep (or any other text search tool) is your friend... you tell it to search 
your *.rules files for the flowbit set pattern...

e.g.: grep -i -E "flowbits:set,flowbit.here;" /path/to/snort/rules/*.rules


where "flowbit.here" would be the flowbits from your warning list...

e.g.: grep -i -E "flowbits:set,file\.abc;" /path/to/snort/rules/*.rules
      grep -i -E "flowbits:set,imap\.cram\.md5;" /path/to/snort/rules/*.rules
      grep -i -E "flowbits:set,file\.fon;" /path/to/snort/rules/*.rules

the results of the search will tell you which file the pattern is found in and 
what the SID of the rule is because it prints out the whole line containing the 
pattern...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
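
The lookup described above, scripted end to end, as an added example that is not part of the original post or of Snort's own tooling: it pulls the flowbit names out of the "WARNING: flowbits key '...' is set but not ever checked." lines, then reports, for each name, the enabled (uncommented) rules that set it and any that check it, so you can see at a glance whether to enable a checker or disable a setter. The warning wording is reproduced from memory and the rule text, SIDs and RULES_DIR path are constructed for the example. It goes a little beyond the plain grep in the post: the pattern also accepts `setx`, an optional flowbits group after the name, and checks written as `isset,a&b` / `isset,a|b`.

```shell
#!/bin/sh
# Added example (not code from the original post). Map Snort's
# "flowbits key '...' is set but not ever checked" warnings to the rules that
# set and check each flowbit. All rule text, SIDs and warnings below are
# constructed sample data; RULES_DIR is an assumed location.

set -eu

RULES_DIR="${RULES_DIR:-$(mktemp -d)}"

# Constructed warnings in the form Snort prints at startup (wording assumed).
SAMPLE_WARNINGS="WARNING: flowbits key 'file.abc' is set but not ever checked.
WARNING: flowbits key 'imap.cram.md5' is set but not ever checked.
WARNING: flowbits key 'file.fon' is set but not ever checked."

write_sample_rules() {
    # file.abc and imap.cram.md5 are set and never checked; file.fon's checker
    # is commented out (disabled); file.txt is set and checked, so no warning.
    cat > "$RULES_DIR/sample.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"EXAMPLE set file.abc"; flow:to_client; content:"ABC"; flowbits:set,file.abc; flowbits:noalert; sid:9000001; rev:1;)
alert tcp any any -> any 143 (msg:"EXAMPLE set imap.cram.md5"; flow:to_client; content:"CRAM-MD5"; flowbits:set,imap.cram.md5; flowbits:noalert; sid:9000002; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE set file.fon"; flow:to_client; content:"FON"; flowbits:set,file.fon; flowbits:noalert; sid:9000003; rev:1;)
# alert tcp any any -> any 80 (msg:"EXAMPLE check file.fon"; flow:to_client; flowbits:isset,file.fon; content:"bad"; sid:9000004; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE set file.txt"; flow:to_client; content:"TXT"; flowbits:set,file.txt; flowbits:noalert; sid:9000005; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE check file.txt"; flow:to_client; flowbits:isset,file.txt; content:"evil"; sid:9000006; rev:1;)
EOF
}

# Escape regex metacharacters in a flowbit name (dots are the usual case).
re_escape() { printf '%s' "$1" | sed 's/[.[\*^$]/\\&/g'; }

# Print "file:sid" for every enabled rule whose flowbits option sets
# ($2 = set) or checks ($2 = check) flowbit $1. Commented-out rules are
# skipped because the line must start with a rule action.
rules_that() {
    name=$(re_escape "$1")
    case "$2" in
        set)   op='(set|setx)' ;;
        check) op='(isset|isnotset)' ;;
        *)     echo "usage: rules_that NAME set|check" >&2; return 2 ;;
    esac
    ( cd "$RULES_DIR" && grep -H -E \
        "^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]].*flowbits:[[:space:]]*$op,([^;]*[&|])?[[:space:]]*$name[[:space:]]*[,;&|]" \
        ./*.rules 2>/dev/null || true ) |
        sed -E 's#^\./([^:]+):.*sid:[[:space:]]*([0-9]+)[[:space:]]*;.*$#\1:\2#'
}

# Pull the flowbit names out of Snort's warning lines.
flowbits_from_warnings() {
    printf '%s\n' "$1" | sed -n "s/.*flowbits key '\([^']*\)'.*/\1/p"
}

# One line per warned flowbit: NAME|setters|checkers, lists comma-joined,
# "-" when empty. A "-" in the last column confirms the warning.
resolve_warnings() {
    flowbits_from_warnings "$1" | while read -r bit; do
        setters=$(rules_that "$bit" set | tr '\n' ',' | sed 's/,$//')
        checkers=$(rules_that "$bit" check | tr '\n' ',' | sed 's/,$//')
        printf '%s|%s|%s\n' "$bit" "${setters:--}" "${checkers:--}"
    done
}

write_sample_rules
resolve_warnings "$SAMPLE_WARNINGS"
```

Against a real install, point RULES_DIR at the directory holding your *.rules files and feed the function the warning lines copied from Snort's startup output instead of SAMPLE_WARNINGS. Setter rules normally carry flowbits:noalert, so disabling one costs nothing unless some other rule checks the bit; a setter whose checker shows up here only as a commented-out rule is the case where enabling the checker, rather than disabling the setter, is usually the right fix.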

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
