[Snort-sigs] Flowbit Warnings

Alex McDonnell amcdonnell at sourcefire.com
Fri Jun 15 08:52:40 EDT 2018

The warning you have states file.cur is checked but not ever set. That
indicates to me that your issue is with rules that have flowbits:isset and
not rules that have flowbits:set.

sid:23499 is the only rule in the Talos rule set that checks for that
flowbit. it's in file-other.rules. The three setters for that are 23496
23497 and 23498 in file-fidentify.rules. All of those are old enough that
they are in the subscriber rule set which is free to everyone.

Hope that helps.


On Wed, Jun 13, 2018 at 12:44 PM, Gerry Carpinetti via Snort-sigs <
snort-sigs at lists.snort.org> wrote:

> I did some reading on flowbit warnings and how to fix them but after the
> changes I still receive the warnings. I used Notepad++ to open a rules
> file, than used Search -> Find In Files "selected the C:\Snort\rules folder
> than entered "flowbits:set" into the Find What box, I replaced all
> flowbits:set to flowbits:isset..
> No matter which .rules file I open and search for flowbits:set has been
> replaced with isset but yet I still get the WARNING: flowbits key
> 'file.cur' is checked but not ever set, as an example. Even if I do a
> direct search within the file-indentify.rules for flowbits:set none exist.
> Does this warning have to do with the flowbits:isnotset??
> Get Outlook for iOS <https://aka.ms/o0ukef>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
> Please visit http://blog.snort.org for the latest news about Snort!
> Please follow these rules: https://snort.org/faq/what-is-
> the-mailing-list-etiquette
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads">emerging threats</a>!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180615/6eb99c1e/attachment-0001.html>

More information about the Snort-sigs mailing list