Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Flowbits warnings problem

From: Damian Torres via Snort-users <snort-users () lists snort org>
Date: Fri, 4 Aug 2017 12:01:08 -0400
Anna,


I would not recommend changing "flowbits:noalert;" to
"flowbits:isset,file.m4v;" in those two rules.


The warnings you are receiving are just stating that you have rules that
declare a flowbits variable of "file.m4v" that you never use.  This is
okay.  It is more of a "diagnostic" message more than anything else.

The "flowbits:noalert;" means that if a packet in a given tcp stream
matches that signature, do not fire an alert.  The rule is still active,
but it just won't fire an alert.  This is used typically when you want one
signature to set a flowbits variable and not alert, then have another
signature later on that will check traffic occurring later that will also
check if the flowbits variable is true.

Here's an example:

alert tcp any any -> any any (msg:"SYN Packet - Do not alert";
flow:not_established,to_server; flags:S;
flowbits:set,tcp_syn,three_way_handshake; flowbits:noalert; sid:1; rev:1;)
alert tcp any any -> any any (msg:"SYN+ACK Packet - Do not alert";
flow:not_established,from_server; flags:SA;
flowbits:set,tcp_synack,three_way_handshake; flowbits:noalert; sid:2;
rev:1;)
alert tcp any any -> any any (msg:"TCP Connection Established - Alert";
flowbits:isset,all,three_way_handshake; flow:to_server; flags:A;
flowbits:unset,all,three_way_handshake; sid:3; rev:1;)

Using these signatures, the only one that will ever "alert" will be the
third one, because the first and second use the "flowbits:noalert;".

To satisfy those warnings, you can make a rule that uses the flowbits that
they set.  In the example of the "file.m4v":

alert tcp any any -> any any (msg:"Buffer overflow attempt on Firefox
GStreamer - CVE-2015-0797"; flowbits:isset,file.m4v;
flow:established,from_server; content:"BAD_STUFF_HERE"; ... sid:1000000;
rev:1;)


But my recommendation is to either leave those rules as they are and ignore
the warnings, or just disable those rules using pulledpork because you have
no rules that rely on the flowbits that they set.


I hope this helps!


Warm Regards,
-Damian

On Fri, Aug 4, 2017 at 11:17 AM, Anna <Anna () sonru com> wrote:


Hello,

Snort: 2.9.9.0
PulledPork: 0.7.3

I know this problem come up before but I have those flowbits Warnings

WARNING: flowbits key ‘file.m4v' is set but not ever checked.
WARNING: flowbits key 'smb.trans2.get_dfs_referral' is set but not ever
checked.
WARNING: flowbits key 'tivoli.backup' is set but not ever checked.

I am using PulledPork yet it is still not setting all the flowbits right

I read the blog post by Joel Esler http://blog.snort.org/
2011/05/resolving-flowbit-dependancies.html

I have question - how to set them right manually?

Found the strings that have those flowbits

eg.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V
file attachment detected"; flow:to_server,established; content:".m4v";
fast_pattern:only; content:"Content-Disposition: attachment|3B|";
content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4v/i";
*flowbits:set,file.m4v*; flowbits:noalert; metadata:policy max-detect-ips
drop, service smtp; classtype:misc-activity; sid:22980; rev:10;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established;
file_data; content:"ftypM4V"; depth:7; offset:4; nocase;
* flowbits:set,file.m4v*; flowbits:noalert; metadata:policy
max-detect-ips drop, service ftp-data, service http, service imap, service
pop3; classtype:misc-activity; sid:24818; rev:8;)


is this can be corrected by changing

 flowbits:noalert;

to

flowbits:isset,file.m4v;  in this string?

I would like to make sure before I will manually change any rule

Thank you

*ANNA*

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!



_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: