[Snort-users] permission issue

waldo kitty wkitty42 at ...14940...
Fri Apr 12 11:21:27 EDT 2013


On 4/10/2013 16:59, Balla István wrote:
> Thanks Jarrett,
>
> I didn't pay attention to the last command. That caused the problem. It is fixed.
> I haven't found an explanation for the following warning msgs in the Snort documentation:
>
> Verifying Preprocessor Configurations!
> ICMP tracking disabled, no ICMP sessions allocated
> IP tracking disabled, no IP sessions allocated

see below for my response to the above tracking disabled notifications...

note: i'm rearranging the following flowbits notifications to group them all 
together rather than them being intermingled...

> WARNING: flowbits key 'file.pecompact' is set but not ever checked.
> WARNING: flowbits key 'flags.fin' is set but not ever checked.
> WARNING: flowbits key 'file.docm' is set but not ever checked.
> WARNING: flowbits key 'sybase.tds.connection' is set but not ever checked.
> WARNING: flowbits key 'file.cov' is set but not ever checked.
> WARNING: flowbits key 'file.vqf' is set but not ever checked.
> WARNING: flowbits key 'smb.smi' is set but not ever checked.
> WARNING: flowbits key 'file.maki' is set but not ever checked.
> WARNING: flowbits key 'smb.trans2.fileinfo' is set but not ever checked.
> WARNING: flowbits key 'file.wmp_playlist' is set but not ever checked.
> WARNING: flowbits key 'file.ppsx' is set but not ever checked.
> WARNING: flowbits key 'file.tiff.big' is set but not ever checked.
> WARNING: flowbits key 'file.rar' is set but not ever checked.
> WARNING: flowbits key 'file.xlsx' is set but not ever checked.
> WARNING: flowbits key 'file.swf.cff' is set but not ever checked.
> WARNING: flowbits key 'file.emf' is set but not ever checked.
> WARNING: flowbits key 'acunetix.scanner' is set but not ever checked.
> WARNING: flowbits key 'ms.packager' is set but not ever checked.
> WARNING: flowbits key 'file.wma' is set but not ever checked.

the above warnings are telling you that you have rules that SET the named 
flowbits but there are no *enabled* rules that CHECK the named flowbit... that 
means that while they are being set, there are no other rules that will react to 
the named flowbits... these rules aren't really useless but they would be better 
utilized by enabling the rules that check those named flowbits... if you do not 
want those other rules enabled, then you should disable the ones that set these 
flowbits...


> WARNING: flowbits key 'file.bzip' is checked but not ever set.
> WARNING: flowbits key 'file.mpeg' is checked but not ever set.

these above are telling you that you have rules that CHECK the named flowbit but 
there are no *enabled* rules that SET the named flowbits... that means that 
those rules are useless since the flowbit is never set in the first place... 
either locate and disable the checking rules for those named flowbits or locate 
and enable the setting rules for those named flowbits...


> Do you think these are generated when there is no traffic through snort interfaces?

no... the two "tracking disabled" ones are related to your snort.conf 
settings... their messages are pretty plain... you have not allocated any 
sessions or session space for them in your conf...
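
The two kinds of flowbits warnings explained in the reply above can be traced back to the rules responsible. The following is an added example, not part of the original post and not Snort's own code. It assumes one rule per line, disabled rules prefixed with '#', and counts set/setx/toggle as setters and isset/isnotset as checkers, which simplifies Snort's own accounting; the sample rules and SIDs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample rules (not from the thread's ruleset); a leading '#' marks a disabled rule.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"constructed: RAR download"; content:"Rar!"; flowbits:set,file.rar; flowbits:noalert; sid:1000001;)
# alert tcp any any -> any any (msg:"constructed: RAR exploit"; flowbits:isset,file.rar; content:"|41 41|"; sid:1000002;)
alert tcp any any -> any any (msg:"constructed: bzip exploit"; flowbits:isset,file.bzip; content:"|42 42|"; sid:1000003;)
# alert tcp any any -> any any (msg:"constructed: bzip download"; content:"BZh"; flowbits:set,file.bzip; flowbits:noalert; sid:1000004;)
alert tcp any any -> any any (msg:"constructed: paired set"; flowbits:set,file.pdf; flowbits:noalert; sid:1000005;)
alert tcp any any -> any any (msg:"constructed: paired check"; flowbits:isset,file.pdf; sid:1000006;)
"""

# Matches "flowbits:<op>,<names>"; "flowbits:noalert" has no key and is skipped by design.
FLOWBITS = re.compile(r"flowbits\s*:\s*([a-z]+)\s*,\s*([^;,]+)")
SID = re.compile(r"\bsid\s*:\s*(\d+)")
SETTERS = {"set", "setx", "toggle"}   # assumption: operators counted as "set"
CHECKERS = {"isset", "isnotset"}      # assumption: operators counted as "checked"

def audit_flowbits(rules_text):
    """Return (set_not_checked, checked_not_set): flowbit key -> sorted SIDs, enabled rules only."""
    setters, checkers = defaultdict(set), defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # disabled rules do not count
            continue
        m = SID.search(line)
        sid = int(m.group(1)) if m else 0      # 0 = rule without a sid
        for op, names in FLOWBITS.findall(line):
            target = setters if op in SETTERS else checkers if op in CHECKERS else None
            if target is None:
                continue
            for key in re.split(r"[&|]", names):   # "a&b" / "a|b" name several bits
                target[key.strip()].add(sid)
    set_only = {k: sorted(v) for k, v in setters.items() if k not in checkers}
    check_only = {k: sorted(v) for k, v in checkers.items() if k not in setters}
    return set_only, check_only

if __name__ == "__main__":
    set_only, check_only = audit_flowbits(SAMPLE_RULES)
    for key, sids in set_only.items():
        print(f"flowbits key '{key}' is set but not ever checked (setting sids: {sids})")
    for key, sids in check_only.items():
        print(f"flowbits key '{key}' is checked but not ever set (checking sids: {sids})")
```

The SIDs in each result are the enabled rules to disable, or whose disabled counterparts to enable, following the reply's advice.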



