[Snort-users] disabled flowbits?

waldo kitty wkitty42 at ...14940...
Thu Aug 26 14:31:19 EDT 2010


On 8/26/2010 12:39, JJ Cummings wrote:
> Pulledpork checks these dependencies for you when you use it to manage your ruleset.

yes, oinkmaster told me about them and that's where the quoted WARNINGs came from ;)

> Sent from the iRoad
>
> On Aug 26, 2010, at 10:31, Russ Combs <rcombs at ...1935...> wrote:
>
>> On Thu, Aug 19, 2010 at 1:44 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>
>>     can someone please explain why these broken SIDs are not also disabled
>>     when the required flowbit setting SID is disabled??
>>
>> Unfortunately, Snort doesn't automatically disable such rules, but the
>> warnings are there to help you fix the problem as you see fit. We do have a
>> bug on this, but it is low priority.
>>
>> VRT can address the specific cases in question.
>>
>> Russ
>>
>>
>>
>>     WARNING: SID 13865 depends on flowbit "http.bmp" which is set in INACTIVE SID
>>     16205 (SID 13865 is broken unless you also enable SID 16205).
>>
>>     WARNING: SID 13712 depends on flowbit "tlsv1.client_hello.request" which is set
>>     in INACTIVE SID 3059 (SID 13712 is broken unless you also enable SID 3059).
>>
>>     WARNING: SID 13711 depends on flowbit "tlsv1.client_hello.request" which is set
>>     in INACTIVE SID 3059 (SID 13711 is broken unless you also enable SID 3059).
>>
>>     WARNING: SID 13714 depends on flowbit "tlsv1.client_hello.request" which is set
>>     in INACTIVE SID 3059 (SID 13714 is broken unless you also enable SID 3059).
>>
>>     WARNING: SID 13710 depends on flowbit "tlsv1.client_hello.request" which is set
>>     in INACTIVE SID 3059 (SID 13710 is broken unless you also enable SID 3059).
>>
>>     WARNING: SID 13585 depends on flowbit "csv.download" which is set in INACTIVE
>>     SID 13584 (SID 13585 is broken unless you also enable SID 13584).
>>
>>     WARNING: SID 13713 depends on flowbit "tlsv1.client_hello.request" which is set
>>     in INACTIVE SID 3059 (SID 13713 is broken unless you also enable SID 3059).
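
The dependency check behind the WARNINGs in this thread, written as an added example (it is not oinkmaster, Pulledpork or Snort code, and not from any poster). It assumes one rule per line with a leading `#` marking a disabled rule; the rule bodies in `SAMPLE_RULES` are constructed, SIDs 16205, 13865, 3059 and 13712 and their flowbit names are taken from the warnings above, and SIDs 1000001/1000002 with `demo.bit` are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: rule bodies are made up; '#' marks a disabled rule.
SAMPLE_RULES = '''\
# alert tcp any any -> any any (msg:"constructed"; flowbits:set,http.bmp; flowbits:noalert; sid:16205;)
alert tcp any any -> any any (msg:"constructed"; flowbits:isset,http.bmp; sid:13865;)
# alert tcp any any -> any 443 (msg:"constructed"; flowbits:set,tlsv1.client_hello.request; sid:3059;)
alert tcp any 443 -> any any (msg:"constructed"; flowbits:isset,tlsv1.client_hello.request; sid:13712;)
alert tcp any any -> any any (msg:"constructed"; flowbits:set,demo.bit; sid:1000001;)
alert tcp any any -> any any (msg:"constructed"; flowbits:isset,demo.bit; sid:1000002;)
'''

# Optional leading '#', a rule action, and the rule's sid option.
RULE_RE = re.compile(r'^(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s.*\bsid\s*:\s*(\d+)\s*;')
# flowbits:<operation>,<name>; "flowbits:noalert" has no name and is skipped.
FLOWBIT_RE = re.compile(r'flowbits\s*:\s*(\w+)\s*,\s*([^;,\s]+)')
SETTERS = {"set", "setx", "toggle"}  # operations that can turn a bit on


def broken_flowbit_rules(rules_text):
    """Return sorted (sid, flowbit, inactive_setter_sids) for every enabled rule
    whose isset flowbit is set only by disabled rules."""
    setters = defaultdict(lambda: {True: set(), False: set()})  # bit -> enabled? -> SIDs
    checks = []  # (sid, bit) for enabled rules that test a bit with isset
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line, plain comment, or not a rule
        enabled, sid = m.group(1) is None, int(m.group(2))
        for op, bit in FLOWBIT_RE.findall(line):
            if op in SETTERS:
                setters[bit][enabled].add(sid)
            elif op == "isset" and enabled:
                checks.append((sid, bit))
    broken = []
    for sid, bit in checks:
        # Broken: no enabled rule sets the bit, but at least one disabled rule would.
        if not setters[bit][True] and setters[bit][False]:
            broken.append((sid, bit, sorted(setters[bit][False])))
    return sorted(broken)


if __name__ == "__main__":
    for sid, bit, inactive in broken_flowbit_rules(SAMPLE_RULES):
        print(f'SID {sid} depends on flowbit "{bit}" set only in inactive SID(s) {inactive}')
```

Each reported rule can never fire until one of the listed setter SIDs is re-enabled or the dependent rule is disabled as well.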
