Snort mailing list archives
Re: Flowbits warnings problem
From: Damian Torres via Snort-users <snort-users () lists snort org>
Date: Fri, 4 Aug 2017 12:01:08 -0400
Anna, I would not recommend changing "flowbits:noalert;" to "flowbits:isset,file.m4v;" in those two rules. The warnings you are receiving are just stating that you have rules that declare a flowbits variable of "file.m4v" that you never use. This is okay. It is more of a "diagnostic" message more than anything else. The "flowbits:noalert;" means that if a packet in a given tcp stream matches that signature, do not fire an alert. The rule is still active, but it just won't fire an alert. This is used typically when you want one signature to set a flowbits variable and not alert, then have another signature later on that will check traffic occurring later that will also check if the flowbits variable is true. Here's an example: alert tcp any any -> any any (msg:"SYN Packet - Do not alert"; flow:not_established,to_server; flags:S; flowbits:set,tcp_syn,three_way_handshake; flowbits:noalert; sid:1; rev:1;) alert tcp any any -> any any (msg:"SYN+ACK Packet - Do not alert"; flow:not_established,from_server; flags:SA; flowbits:set,tcp_synack,three_way_handshake; flowbits:noalert; sid:2; rev:1;) alert tcp any any -> any any (msg:"TCP Connection Established - Alert"; flowbits:isset,all,three_way_handshake; flow:to_server; flags:A; flowbits:unset,all,three_way_handshake; sid:3; rev:1;) Using these signatures, the only one that will ever "alert" will be the third one, because the first and second use the "flowbits:noalert;". To satisfy those warnings, you can make a rule that uses the flowbits that they set. In the example of the "file.m4v": alert tcp any any -> any any (msg:"Buffer overflow attempt on Firefox GStreamer - CVE-2015-0797"; flowbits:isset,file.m4v; flow:established,from_server; content:"BAD_STUFF_HERE"; ... sid:1000000; rev:1;) But my recommendation is to either leave those rules as they are and ignore the warnings, or just disable those rules using pulledpork because you have no rules that rely on the flowbits that they set. I hope this helps! Warm Regards, -Damian On Fri, Aug 4, 2017 at 11:17 AM, Anna <Anna () sonru com> wrote:
Hello, Snort: 2.9.9.0 PulledPork: 0.7.3 I know this problem come up before but I have those flowbits Warnings WARNING: flowbits key ‘file.m4v' is set but not ever checked. WARNING: flowbits key 'smb.trans2.get_dfs_referral' is set but not ever checked. WARNING: flowbits key 'tivoli.backup' is set but not ever checked. I am using PulledPork yet it is still not setting all the flowbits right I read the blog post by Joel Esler http://blog.snort.org/ 2011/05/resolving-flowbit-dependancies.html I have question - how to set them right manually? Found the strings that have those flowbits eg. alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V file attachment detected"; flow:to_server,established; content:".m4v"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4v/i"; *flowbits:set,file.m4v*; flowbits:noalert; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:22980; rev:10;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established; file_data; content:"ftypM4V"; depth:7; offset:4; nocase; * flowbits:set,file.m4v*; flowbits:noalert; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24818; rev:8;) is this can be corrected by changing flowbits:noalert; to flowbits:isset,file.m4v; in this string? I would like to make sure before I will manually change any rule Thank you *ANNA* _______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Flowbits warnings problem Anna (Aug 04)
- Re: Flowbits warnings problem Joel Esler (jesler) via Snort-users (Aug 04)
- Re: Flowbits warnings problem Damian Torres via Snort-users (Aug 04)