[Snort-users] help with WARNING: flowbits key
wkitty42 at ...14940...
Mon Jun 16 13:37:34 EDT 2014
On 6/14/2014 5:01 AM, hernani wrote:
> On 13-06-2014 19:59, waldo kitty wrote:
>> On 6/13/2014 6:23 AM, hernani wrote:
>>> how can i remove this warning --->
>> all of those are "flowbit XXXX set but not ever checked." so either enable the
>> rules that check those flowbits *OR* disable the rules listed that set those
> where can i find these rules?
> i use snort base mysql barnyard2 on snort-220.127.116.11
grep (or any other text search tool) is your friend... you tell it to search
your *.rules files for the flowbit set pattern...
eg: grep -i -E "flowbits:set,flowbit.here;" /path/to/snort/rules/*.rules
where "flowbit.here" would be the flowbits from your warning list...
eg: grep -i -E "flowbits:set,file\.abc;" /path/to/snort/rules/*.rules
grep -i -E "flowbits:set,imap\.cram\.md5;" /path/to/snort/rules/*.rules
grep -i -E "flowbits:set,file\.fon;" /path/to/snort/rules/*.rules
the results of the search will tell you which file the pattern is found in and
what the SID of the rule is because it prints out the whole line containing the
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
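
The per-flowbit grep above can be generalized into one pass over a rules directory. The following is an added example, not part of the original post and not Snort project code: it lists every enabled rule that sets a flowbit which no enabled rule checks with isset/isnotset. The function names and the sample rules are constructed for illustration, and it assumes one rule per line with the simple "flowbits:action,name;" form.

```shell
#!/bin/sh
# List enabled rules that set a flowbit which no enabled rule checks.
# Output: one "flowbit<TAB>sid<TAB>file" line per such rule.
unchecked_flowbits() {   # $1 = directory holding *.rules files
    awk '
    /^[ \t]*#/ || !/flowbits[ \t]*:/ { next }    # skip disabled rules and rules without flowbits
    {
        sid = "?"
        if (match($0, /sid[ \t]*:[ \t]*[0-9]+/)) {
            sid = substr($0, RSTART, RLENGTH); sub(/^[^0-9]*/, "", sid) }
        rest = $0
        while (match(rest, /flowbits[ \t]*:[^;]*;/)) {
            opt = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
            sub(/^flowbits[ \t]*:[ \t]*/, "", opt); sub(/[ \t]*;$/, "", opt)
            n = split(opt, part, /[ \t]*,[ \t]*/)
            if (n < 2) continue                   # e.g. flowbits:noalert
            if (part[1] == "set") setters[part[2]] = setters[part[2]] sid "\t" FILENAME "\n"
            else if (part[1] == "isset" || part[1] == "isnotset") checked[part[2]] = 1
        }
    }
    END {
        for (bit in setters) if (!(bit in checked)) {
            n = split(setters[bit], rows, "\n")
            for (i = 1; i < n; i++) print bit "\t" rows[i]
        }
    }' "$1"/*.rules | sort
}

# Constructed sample rules (not from any real ruleset), written to a temp dir.
make_sample_rules() {
    d=$(mktemp -d) || return 1
    cat > "$d/file-identify.rules" <<'EOF'
alert tcp any any -> any any (msg:"constructed abc setter"; flowbits:set,file.abc; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"constructed fon setter"; flowbits:set,file.fon; flowbits:noalert; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"disabled abc checker"; flowbits:isset,file.abc; sid:1000003; rev:1;)
EOF
    cat > "$d/file-other.rules" <<'EOF'
alert tcp any any -> any any (msg:"constructed fon checker"; flowbits:isset,file.fon; sid:1000004; rev:1;)
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample_rules)
unchecked_flowbits "$sample"
rm -rf "$sample"
```

In the sample, file.abc is reported because its only checker is commented out, while file.fon is not because an enabled rule checks it.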