[Snort-sigs] Flowbit Warnings

Felix Rodríguez frodriguez at isertec.com
Fri Jun 15 11:38:48 EDT 2018


can you get me out of the mail chain please


On Fri, Jun 15, 2018 at 9:35 AM, <wkitty42 at windstream.net> wrote:

> On 06/13/2018 12:44 PM, Gerry Carpinetti via Snort-sigs wrote:
>
>> I did some reading on flowbit warnings and how to fix them but after the
>> changes I still receive the warnings. I used Notepad++ to open a rules
>> file, then used Search -> Find In Files, selected the C:\Snort\rules folder,
>> then entered "flowbits:set" into the Find What box, and replaced all
>> flowbits:set with flowbits:isset.
>>
>
>
> wasn't this already discussed in snort-users? you were answered over
> there... one of those answers was mine...
>
>
> from that topic:
> 1. when you edited those rules, you broke them...
> 2. there are two rules that you can enable that will stop those warnings...
> 3. here is my response to you in snort-users where the original discussion
> took place...
>
> ----->8 snip 8<-----
> On 06/13/2018 09:29 PM, Gerry Carpinetti via Snort-users wrote:
>
>> I have noticed some have flowbits in 2 different sections of a single
>> line of code, for example: flowbits:isset,file.swf; and again flowbits:set,
>> file.swf.cff, which is the warning "is set but not ever checked".
>>
>
> look at that very closely... it is checking if the file.swf flowbit is
> set... if it is and the rest of the rule matches, then the file.swf.cff
> flowbit is also set... now you have two flowbits set... the first indicates
> there is a swf file and the second indicates the swf file is utilizing the
> "CFF Feature count"...
>
>
>> So how are you going to handle one of these that has flowbits mentioned
>> twice in a single line and some have matching SIDs. So the question is
>> which one are you supposed to modify when a line has 2 sections for flowbits???
>>
>
> you don't modify any of them! you find at least one rule that has
> "isset,file.swf.cff" and enable it by removing the "#" from the beginning
> of its line...
>
> in the rules sets that i have, that means enabling 25681 and/or 25683...
> ----->8 snip 8<-----
>
>
>
>
> --
>  NOTE: No off-list assistance is given without prior approval.
>        *Please keep mailing list traffic on the list unless*
>        *a signed and pre-paid contract is in effect with us.*
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most emerging threats
> (https://snort.org/downloads/#rule-downloads)!
>



-- 


Felix Rodriguez
*Network Specialist*
p: +502 2427 2493
m: +502 4008 5501
a: Calz.Atanasio Tzul 19-97 z.12 El Cortijo 1 Int. 217 Guatemala, C.A.
w: www.isertec.com
e: frodriguez at isertec.com
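A small checker that reproduces the two situations described in the quoted thread: the "set but not ever checked" warning that appears when the only rule testing file.swf.cff is disabled, the fix of enabling that rule rather than editing the others, and what a global set-to-isset replacement actually does to the rules. This is an added example, not code from the thread or from Snort itself; the rule lines, content matches and sid values 1000001 to 1000003 are constructed for illustration.

```python
import re

# Constructed Snort rule lines for the case from the thread (not the real ruleset):
# one rule sets file.swf, one checks file.swf and sets file.swf.cff, and the only
# rule that checks file.swf.cff is disabled with a leading "#".
RULES = """\
alert tcp any any -> any any (msg:"swf file"; file_data; content:"FWS"; flowbits:set,file.swf; flowbits:noalert; sid:1000001;)
alert tcp any any -> any any (msg:"swf uses CFF"; flowbits:isset,file.swf; file_data; content:"CFF"; flowbits:set,file.swf.cff; flowbits:noalert; sid:1000002;)
#alert tcp any any -> any any (msg:"CFF feature count"; flowbits:isset,file.swf.cff; file_data; content:"|FF FF|"; sid:1000003;)
"""

FLOWBIT_RE = re.compile(r"flowbits:\s*(setx|set|isnotset|isset|unset|toggle)\s*,\s*([^;]+)")
SETTERS, CHECKERS = {"set", "setx", "toggle"}, {"isset", "isnotset"}

def flowbit_ops(rule):
    """Yield (operation, bit_name) for every flowbits option in one rule line."""
    for op, names in FLOWBIT_RE.findall(rule):
        for name in re.split(r"[&|]", names):  # isset may test bit1&bit2 or bit1|bit2
            yield op, name.strip()

def flowbit_usage(rules_text):
    """Return (bits that are set, bits that are checked) over enabled rules only;
    a rule commented out with "#" is never loaded, so its checks do not count."""
    set_bits, checked_bits = set(), set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for op, name in flowbit_ops(line):
            if op in SETTERS:
                set_bits.add(name)
            elif op in CHECKERS:
                checked_bits.add(name)
    return set_bits, checked_bits

def set_but_never_checked(rules_text):
    """Bits that would trigger Snort's 'set but not ever checked' warning."""
    set_bits, checked_bits = flowbit_usage(rules_text)
    return sorted(set_bits - checked_bits)

def checked_but_never_set(rules_text):
    """Bits tested by some rule but set by none: those rules can never fire."""
    set_bits, checked_bits = flowbit_usage(rules_text)
    return sorted(checked_bits - set_bits)

def enable_rules_checking(rules_text, bit):
    """The fix from the thread: uncomment a disabled rule whose isset tests the bit."""
    out = []
    for line in rules_text.splitlines():
        if line.startswith("#") and ("isset", bit) in set(flowbit_ops(line)):
            line = line[1:]
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `RULES.replace("flowbits:set", "flowbits:isset")` through the same checks shows why the global replacement silences the warning: nothing sets file.swf any more, so every rule that tests it is dead.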