[Snort-users] Warning: flowbits key 'realplayer.playlist' is checked but not ever set.

Brian bmc at ...950...
Mon Aug 23 08:16:09 EDT 2004


On Wed, Aug 18, 2004 at 09:01:15AM -0500, Lance Boon wrote:
> I just upgraded one of my sensors to 2.2.0 from 2.1.3. When I issue
> the command kill -SIGUSR1 pid, then tail var/log/messages I notice
> something that I've never seen before. I see the following message
> "Warning: flowbits key 'realplayer.playlist' is checked but not ever
> set." What exactly is this referring to? Snort starts successfully
> and logs alerts to my remote mysql server so I'm not sure if this is
> something to be concerned about.

New rules can tie to each other via the flow preprocessor using the
flowbits keyword.

Some of the rules that are tied together via flowbits show up in
different categories.  There are rules that check the realplayer
playlists for buffer overflows, but since they validate client side
data, the rule makes sure that the data we are looking from a
realplayer playlist request.

turn on multimedia.rules and then that warning won't show up.

-b




More information about the Snort-users mailing list