[Snort-users] help with WARNING: flowbits key
Joel Esler (jesler)
jesler at ...589...
Mon Jun 16 13:46:49 EDT 2014
On Jun 16, 2014, at 1:37 PM, waldo kitty <wkitty42 at ...14940...<mailto:wkitty42 at ...14940...>> wrote:
On 6/14/2014 5:01 AM, hernani wrote:
Em 13-06-2014 19:59, waldo kitty escreveu:
On 6/13/2014 6:23 AM, hernani wrote:
how can i remove this warning --->
all of those are "flowbit XXXX set but not ever checked." so either enable the
rules that check those flowbits *OR* disable the rules listed that set those
where can i find this rules ?
i use snort base mysql barnyard2 on snort-18.104.22.168
grep (or any other text search tool) is your friend... you tell it to search
your *.rules files for the flowbit set pattern...
eg: grep -i -E "flowbits:set,flowbit.here;" /path/to/snort/rules/*.rules
where "flowbit.here" would be the flowbits from your warning list...
eg: grep -i -E "flowbits:set,file\.abc;" /path/to/snort/rules/*.rules
grep -i -E "flowbits:set,imap\.cram\.md5;" /path/to/snort/rules/*.rules
grep -i -E "flowbits:set,file\.fon;" /path/to/snort/rules/*.rules
the results of the search will tell you which file the pattern is found in and
what the SID of the rule is because it prints out the whole line containing the
Some of these were fixed on Friday, so you should see these errors go away. There are a couple, however, that can only be fixed by using PulledPork.
Going forward, we are only supporting pulledpork, when it comes to downloading rules, etc from Snort.org<http://Snort.org>, so if you aren’t tranisitioned to pulledpork yet, you may want to think about doing this.
More details will be coming in a blog post for official announcements, but just my 0.02 here.
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users