[Snort-users] disabled flowbits?

waldo kitty wkitty42 at ...14940...
Thu Aug 26 14:22:21 EDT 2010


On 8/26/2010 12:31, Russ Combs wrote:
> On Thu, Aug 19, 2010 at 1:44 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>     can someone please explain why these broken SIDs are not also disabled when the
>     required flowbit setting SID is disabled??
>
> Unfortunately, Snort doesn't automatically disable such rules, but the warnings
> are there to help you fix the problem as you see fit.  We do have a bug on this,
> but it is low priority.
>
> VRT can address the specific cases in question.

i don't know if my main point was as apparent as i thought it was so i'll try it 
again with different verbiage...

VRT has disabled the flowbit set rules by default. VRT has created this problem 
where the below quoted rules are broken by default... if VRT, by default, 
disables rules that set flowbits, VRT should also, by default, disable all rules 
that use that flowbit...

make sense??

thanks for your response! :)

>
> Russ
>
>
>
>     WARNING: SID 13865 depends on flowbit "http.bmp" which is set in INACTIVE SID
>     16205 (SID 13865 is broken unless you also enable SID 16205).
>
>     WARNING: SID 13712 depends on flowbit "tlsv1.client_hello.request" which is set
>     in INACTIVE SID 3059 (SID 13712 is broken unless you also enable SID 3059).
>
>     WARNING: SID 13711 depends on flowbit "tlsv1.client_hello.request" which is set
>     in INACTIVE SID 3059 (SID 13711 is broken unless you also enable SID 3059).
>
>     WARNING: SID 13714 depends on flowbit "tlsv1.client_hello.request" which is set
>     in INACTIVE SID 3059 (SID 13714 is broken unless you also enable SID 3059).
>
>     WARNING: SID 13710 depends on flowbit "tlsv1.client_hello.request" which is set
>     in INACTIVE SID 3059 (SID 13710 is broken unless you also enable SID 3059).
>
>     WARNING: SID 13585 depends on flowbit "csv.download" which is set in INACTIVE
>     SID 13584 (SID 13585 is broken unless you also enable SID 13584).
>
>     WARNING: SID 13713 depends on flowbit "tlsv1.client_hello.request" which is set
>     in INACTIVE SID 3059 (SID 13713 is broken unless you also enable SID 3059).
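
The dependency check behind the warnings quoted above, as an added example (not part of the original message, and not Snort or VRT code): it treats `#`-prefixed rules as disabled and lists enabled rules whose `isset` flowbit has no enabled setter, repeating until stable so that a rule fed only by a broken rule is caught too. The rules, SIDs and flowbit names are constructed, and only the single-name `flowbits:op,name` form is assumed.

```python
import re

# Constructed sample rules: SIDs, flowbit names and rule bodies are invented
# for illustration. A leading "#" marks a rule that ships disabled.
SAMPLE_RULES = """\
# alert tcp any any -> any 80 (msg:"setter A"; flowbits:set,demo.bmp; flowbits:noalert; sid:1000001;)
alert tcp any 80 -> any any (msg:"checker A"; flowbits:isset,demo.bmp; content:"BM"; sid:1000002;)
# alert tcp any any -> any 443 (msg:"setter B"; flowbits:set,demo.hello; flowbits:noalert; sid:1000003;)
alert tcp any 443 -> any any (msg:"checker B1"; flowbits:isset,demo.hello; sid:1000004;)
alert tcp any 443 -> any any (msg:"checker B2"; flowbits:isset,demo.hello; flowbits:set,demo.done; sid:1000005;)
alert tcp any 443 -> any any (msg:"checker C"; flowbits:isset,demo.done; sid:1000006;)
alert tcp any any -> any 21 (msg:"setter D"; flowbits:set,demo.ftp; sid:1000007;)
alert tcp any 21 -> any any (msg:"checker D"; flowbits:isset,demo.ftp; sid:1000008;)
"""

RULE_RE = re.compile(r'^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s.*\(.*\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
FLOWBITS_RE = re.compile(r'\bflowbits\s*:\s*(\w+)\s*,\s*([\w.\-]+)')  # skips noalert/reset

def parse_rules(text):
    """Map SID -> {active, sets, needs} for every rule line, enabled or commented out."""
    rules = {}
    for line in text.splitlines():
        rule, sid = RULE_RE.match(line), SID_RE.search(line)
        if not rule or not sid:
            continue
        ops = FLOWBITS_RE.findall(line)
        rules[int(sid.group(1))] = {
            "active": rule.group(1) is None,
            "sets": {name for op, name in ops if op in ("set", "toggle")},
            "needs": {name for op, name in ops if op == "isset"},
        }
    return rules

def find_broken(rules):
    """Return {sid: missing flowbits} for enabled rules that can never match."""
    active = {sid for sid, r in rules.items() if r["active"]}
    broken = {}
    while True:
        # Flowbits that some still-usable enabled rule can set.
        live = set().union(*(rules[sid]["sets"] for sid in active))
        newly = {sid: rules[sid]["needs"] - live
                 for sid in active if rules[sid]["needs"] - live}
        if not newly:
            return broken
        broken.update(newly)
        active.difference_update(newly)  # a broken rule cannot set bits for others

if __name__ == "__main__":
    for sid, bits in sorted(find_broken(parse_rules(SAMPLE_RULES)).items()):
        print(f"SID {sid} has no enabled setter for: {', '.join(sorted(bits))}")
```

The returned SIDs are the ones to disable together with their setters, or the cue to enable the setters instead.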



