Snort mailing list archives
Re: Flowbits warnings problem
From: "Joel Esler \(jesler\) via Snort-users" <snort-users () lists snort org>
Date: Fri, 4 Aug 2017 16:00:42 +0000
No. The error reads "set but never checked". That means that the below two rules are setting the flow bit (as you can see with your bolded sections), but there are no rules turned on that check to see if the flowbit is set. So, you need to look for rules in your ruleset that say flowbits:isset,file.m4v; and turn those on.

--
Joel Esler | Talos: Manager | jesler () cisco com

On Aug 4, 2017, at 11:17 AM, Anna <Anna () sonru com> wrote:

Hello,

Snort: 2.9.9.0
PulledPork: 0.7.3

I know this problem came up before, but I have these flowbits warnings:

WARNING: flowbits key 'file.m4v' is set but not ever checked.
WARNING: flowbits key 'smb.trans2.get_dfs_referral' is set but not ever checked.
WARNING: flowbits key 'tivoli.backup' is set but not ever checked.

I am using PulledPork, yet it is still not setting all the flowbits right. I read the blog post by Joel Esler, http://blog.snort.org/2011/05/resolving-flowbit-dependancies.html

I have a question: how do I set them right manually?

I found the strings that have those flowbits, e.g.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V file attachment detected"; flow:to_server,established; content:".m4v"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4v/i"; flowbits:set,file.m4v; flowbits:noalert; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:22980; rev:10;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established; file_data; content:"ftypM4V"; depth:7; offset:4; nocase; flowbits:set,file.m4v; flowbits:noalert; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24818; rev:8;)

Can this be corrected by changing flowbits:noalert; to flowbits:isset,file.m4v; in this string?

I would like to make sure before I manually change any rule.

Thank you,
ANNA

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
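The dependency Joel describes (a bit that enabled rules set but that no enabled rule tests with isset/isnotset) can be found mechanically by scanning the rules file. The script below is an added example, not code from the thread, from Snort, or from PulledPork: it parses flowbits options out of each rule, reports keys that are set but never checked by an enabled rule, and lists the disabled rules that check them, i.e. the ones to turn on. The two FILE-IDENTIFY rules are the ones quoted in the thread; the rule with sid 1000001 (a disabled checker for file.m4v), the rule with sid 1000002 and the key demo.unchecked are constructed placeholders for the demonstration.

```python
"""Find Snort 2.x flowbits keys that are 'set but not ever checked' and the disabled
rules whose isset/isnotset would satisfy them. Constructed example; sids >= 1000000 and
the key demo.unchecked are placeholders, not real ruleset content."""
import re
from collections import defaultdict

# flowbits:<op>[,<names>[,<group>]];  names in isset/isnotset may be joined with & or |
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]*))?;", re.I)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(alert|log|pass|drop|sdrop|reject)\s")

SETTERS = {"set", "setx", "toggle"}   # establish a bit for another rule to test
CHECKERS = {"isset", "isnotset"}      # test a bit; this is what the warning is missing

# Constructed rules file: the two rules quoted in the thread plus placeholders.
SAMPLE_RULES = r"""
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V file attachment detected"; flow:to_server,established; content:".m4v"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4v/i"; flowbits:set,file.m4v; flowbits:noalert; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:22980; rev:10;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established; file_data; content:"ftypM4V"; depth:7; offset:4; nocase; flowbits:set,file.m4v; flowbits:noalert; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24818; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"CONSTRUCTED disabled checker for file.m4v"; flow:to_client,established; flowbits:isset,file.m4v; file_data; content:"demo"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"CONSTRUCTED setter nothing checks"; flowbits:set,demo.unchecked; flowbits:noalert; sid:1000002; rev:1;)
"""


def parse_rules(text):
    """One dict per rule: sid, enabled, sets, checks. A leading '#' marks a disabled rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")
        line = line.lstrip("# ")
        if not ACTION_RE.match(line):
            continue  # blank line, plain comment, or something that is not a rule
        sid_m = SID_RE.search(line)
        sets, checks = set(), set()
        for op, arg in FLOWBITS_RE.findall(line):
            names = arg.split(",")[0]  # drop an optional trailing group name
            keys = {k.strip() for k in re.split(r"[&|]", names) if k.strip()}
            if op.lower() in SETTERS:
                sets |= keys
            elif op.lower() in CHECKERS:
                checks |= keys
        rules.append({"sid": int(sid_m.group(1)) if sid_m else None,
                      "enabled": enabled, "sets": sets, "checks": checks})
    return rules


def unchecked_keys(rules):
    """Keys set by an enabled rule that no enabled rule checks -> {key: [setter sids]}."""
    set_by, checked = defaultdict(list), set()
    for r in rules:
        if not r["enabled"]:
            continue
        for k in r["sets"]:
            set_by[k].append(r["sid"])
        checked |= r["checks"]
    return {k: sorted(s for s in sids if s is not None)
            for k, sids in set_by.items() if k not in checked}


def rules_to_enable(rules, keys):
    """Disabled rules that check any of `keys`: turning these on resolves the warning."""
    keys = set(keys)
    return sorted(r["sid"] for r in rules
                  if not r["enabled"] and r["sid"] is not None and r["checks"] & keys)


def enable_sids(text, sids):
    """Uncomment the disabled rules with the given sids (the by-hand equivalent of
    listing them in PulledPork's enablesid.conf)."""
    out = []
    for raw in text.splitlines():
        m = SID_RE.search(raw)
        if raw.lstrip().startswith("#") and m and int(m.group(1)) in sids:
            raw = raw.lstrip("# ")
        out.append(raw)
    return "\n".join(out)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    missing = unchecked_keys(rules)
    for key, sids in sorted(missing.items()):
        print(f"WARNING: flowbits key '{key}' is set by {sids} but not ever checked")
    fix = rules_to_enable(rules, missing)
    print("disabled rules that check those keys:", fix)
    # After enabling the checker, only the key nobody checks anywhere is still reported.
    print("still unchecked:", unchecked_keys(parse_rules(enable_sids(SAMPLE_RULES, set(fix)))))
```

A key that is still reported after this pass (demo.unchecked above) has no checker in the ruleset at all, enabled or not; the only ways to silence that warning are to disable the setter or to accept it, since adding isset to the setting rule itself, as Anna asks, would make that rule test a bit it is supposed to establish rather than satisfy the dependency.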
Current thread:
- Flowbits warnings problem Anna (Aug 04)
- Re: Flowbits warnings problem Joel Esler (jesler) via Snort-users (Aug 04)
- Re: Flowbits warnings problem Damian Torres via Snort-users (Aug 04)