[Snort-users] snort install info hyperlink

Peter Bates peter.bates at ...15381...
Tue Oct 16 04:03:50 EDT 2012



Hello all

On 16/10/2012 07:50, kevin zhang wrote:
> hello all
> OS:CENTOS 6.3 X64
> SNORT 2.9.3.1
> I run snort in IDS mode, and there are a few WARNINGs

> WARNING: flowbits key 'file.autodesk_max' is set but not ever checked.
> WARNING: flowbits key 'file.crx' is set but not ever checked.

This is mostly just a WARNING that can be safely ignored - the rule
will still trigger (unless it has been set to noalert in the rule itself).

> WARNING: flowbits key 'backdoor.y3krat_15.client.response' is checked
> but not ever set.
> WARNING: flowbits key 'dce.spoolss.4.call' is checked but not ever set.

These are slightly different - these rules will never fire because they're
looking for flowbits that, as the message says, are never set.

I'd recommend you use PulledPork to manage your rules as this handles the
flowbit resolution for you - however you do still see the first type
(set but not ever checked) but you shouldn't see the second when using PP.

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division	      Internal Ext: 32049
University College London
London WC1E 6BT
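
Added example, not part of the original message and not PulledPork's own code: a small audit that sorts flowbits keys into the two warning types discussed above and, for keys that are checked but never set, lists disabled rules that would set them. The rules, SIDs and the convention that a leading '#' marks a disabled rule are constructed assumptions; audit_flowbits is a hypothetical helper name.

```python
import re

# Constructed sample rules (not from a real rule set).
# Assumption: a leading '#' marks a disabled rule.
SAMPLE_RULES = r'''
alert tcp any any -> any 80 (msg:"demo crx download"; flowbits:set,file.crx; flowbits:noalert; sid:1000001;)
# alert tcp any any -> any 445 (msg:"demo spoolss bind"; flowbits:set,dce.spoolss.4.call; flowbits:noalert; sid:1000002;)
alert tcp any any -> any 445 (msg:"demo spoolss call"; flowbits:isset,dce.spoolss.4.call; sid:1000003;)
alert tcp any any -> any 80 (msg:"demo pdf request"; flowbits:set,file.pdf; flowbits:noalert; sid:1000004;)
alert tcp any 80 -> any any (msg:"demo pdf response"; flowbits:isset,file.pdf; sid:1000005;)
'''

# flowbits:<action>[,<key>[&|<key>...]][,<group>];
FLOWBITS = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^,;]+))?")
SID = re.compile(r"\bsid\s*:\s*(\d+)")
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}

def audit_flowbits(text):
    """Map each flowbits key to the SIDs that set or check it, then compare."""
    set_by, checked_by, disabled_set_by = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        sid = SID.search(line)
        if not sid:
            continue  # blank line or plain comment
        enabled = not line.startswith("#")
        for action, names in FLOWBITS.findall(line):
            # A single option may name several keys joined with & or |.
            for key in (k.strip() for k in re.split(r"[&|]", names) if k.strip()):
                if action in SETTERS:
                    target = set_by if enabled else disabled_set_by
                elif action in CHECKERS and enabled:
                    target = checked_by
                else:
                    continue
                target.setdefault(key, []).append(int(sid.group(1)))
    unset = sorted(set(checked_by) - set(set_by))
    return {
        # first warning type: set but not ever checked
        "set_not_checked": sorted(set(set_by) - set(checked_by)),
        # second warning type: key -> enabled rules that check it
        "checked_not_set": {k: checked_by[k] for k in unset},
        # disabled rules that would set the missing key if enabled
        "enable_to_fix": {k: disabled_set_by.get(k, []) for k in unset},
    }

if __name__ == "__main__":
    for name, value in audit_flowbits(SAMPLE_RULES).items():
        print(name, value)
```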




