[Snort-sigs] Warning: flowbits keys (not) set/checked (Trojan Bot/Sasser rules)

Ellen L Mitchell ellenm at ...3167...
Wed Oct 12 18:11:11 EDT 2005


I'm missing something... I've been reviewing my rule set and I have a
couple questions that google couldn't solve.

The following Trojan Bot rules (from bleeding-virus) use "flowbits:
set,trojan;" but I haven't been able to find any rule that uses
"flowbits: isset,trojan".  Am I missing rules, or missing information
about how the rules are supposed to work?  I checked bleeding-all just
in case they weren't included in the -virus set.

Trojan Bot rules:
  2002029 Rev 5
  2002030 Rev 7
  2002031 Rev 9
  2002032 Rev 4
  2002033 Rev 7
  2002363 Rev 6

  2002384 Rev 5
  2002385 Rev 6
  2002386 Rev 6

Similarly, the Sasser/Korgo worm rule (SID 2001286 Rev 10) uses
"flowbits: isset,netbios.lsass.bind.attempt;" but I can't find a rule 
that sets "netbios.lsass.bind.attempt".

These warnings were found when I used "snort -T".  Partial output
from that is below.

Thanks for any enlightenment.

Output from "snort -T":

[ snip ] 

Warning: flowbits key 'netbios.lsass.bind.attempt' is checked but not ever set.
Warning: flowbits key 'trojan' is set but not ever checked.

[ snip ]

Rule application order: ->activation->dynamic->drop->alert->pass->log
Log directory = /var/log/snort

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.4.2 (Build 25)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2005 Sourcefire Inc., et al.
 NOTE: Snort's default output has changed in version 2.4.1!
       The default logging mode is now PCAP, use "-K ascii" to activate
       the old default logging mode.

Snort sucessfully loaded all rules and checked all rule chains!
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0
low_time: 0, high_time: 0, diff: 0h:00:00s
    finds: 0 reversed: 0(%0.000000)
    find_sucess: 0 find_fail: 0
percent_success: (%0.000000) new_flows: 0
Snort exiting

Ellen Mitchell
Network Group
Texas A&M University
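The two warnings quoted above come from Snort's rule-chain verification: a `flowbits` key that is only ever set (as with `trojan`) never contributes to an alert, and a key that is only ever checked (as with `netbios.lsass.bind.attempt`) means the checking rule can never fire. The script below is an added example, not part of the original post or of Snort, that reproduces that consistency check over a set of rule files so the orphaned key can be traced back to the SIDs that use it. The rules embedded in it are constructed samples with placeholder SIDs, not the bleeding-edge rules named in the post; it treats `set`/`toggle` as setters and `isset`/`isnotset` as checkers, which is a simplification of Snort's own logic.

```python
import re
from collections import defaultdict

# Constructed sample rules (placeholder SIDs 9000001-9000004, not real bleeding-edge rules).
# They reproduce the two situations from the post: a key set but never checked,
# and a key checked but never set, next to one correctly paired key.
SAMPLE_RULES = r"""
# constructed: sets 'trojan' but no rule in the set checks it
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"CONSTRUCTED bot channel join"; \
    flow:to_server,established; content:"JOIN "; flowbits:set,trojan; flowbits:noalert; sid:9000001; rev:1;)
# constructed: checks 'netbios.lsass.bind.attempt' but nothing sets it
alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"CONSTRUCTED lsass follow-up"; flow:to_client,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|00|"; sid:9000002; rev:1;)
# constructed: a correctly paired key
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CONSTRUCTED http request seen"; flow:to_server,established; flowbits:set,http.request.seen; flowbits:noalert; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"CONSTRUCTED exe over http"; flow:to_client,established; flowbits:isset,http.request.seen; content:"MZ"; sid:9000004; rev:1;)
"""

FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([^;]+)\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

SETTERS = {"set", "toggle"}        # operations that make a key true for the flow
CHECKERS = {"isset", "isnotset"}   # operations that test a key


def collect_flowbits(rules_text):
    """Map every flowbits key to the SIDs that set it and the SIDs that check it.

    Handles the usual line-continuation backslash and skips comments/blank lines.
    Options with no key (e.g. flowbits:noalert) are ignored.
    """
    joined = rules_text.replace("\\\n", "")
    keys = defaultdict(lambda: {"set": set(), "checked": set()})
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_match = SID_RE.search(line)
        sid = sid_match.group(1) if sid_match else "?"
        for option in FLOWBITS_RE.findall(line):
            parts = [p.strip() for p in option.split(",", 1)]
            if len(parts) < 2:
                continue  # noalert or a keyless operation: nothing to track
            op, key = parts[0].lower(), parts[1]
            if op in SETTERS:
                keys[key]["set"].add(sid)
            elif op in CHECKERS:
                keys[key]["checked"].add(sid)
    return keys


def flowbits_warnings(rules_text):
    """Emit the same two warnings 'snort -T' prints, with the offending SIDs appended."""
    warnings = []
    for key, uses in sorted(collect_flowbits(rules_text).items()):
        if uses["set"] and not uses["checked"]:
            warnings.append(
                f"Warning: flowbits key '{key}' is set but not ever checked."
                f" (set by sid {sorted(uses['set'])})"
            )
        elif uses["checked"] and not uses["set"]:
            warnings.append(
                f"Warning: flowbits key '{key}' is checked but not ever set."
                f" (checked by sid {sorted(uses['checked'])})"
            )
    return warnings


if __name__ == "__main__":
    # Run over the constructed sample; for a real rule set, read and concatenate
    # every .rules file that snort.conf includes, then pass the text in.
    for w in flowbits_warnings(SAMPLE_RULES):
        print(w)
```

Feeding the script the concatenation of every `.rules` file that `snort.conf` includes reproduces the `snort -T` result, and the SID list on each warning shows directly which rules would need a matching setter or checker (or whether the missing half simply lives in a file that is not being loaded).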
