[Snort-users] help with WARNING: flowbits key

Joel Esler (jesler) jesler at ...589...
Mon Jun 16 13:46:49 EDT 2014

On Jun 16, 2014, at 1:37 PM, waldo kitty <wkitty42 at ...14940...<mailto:wkitty42 at ...14940...>> wrote:
On 6/14/2014 5:01 AM, hernani wrote:

Em 13-06-2014 19:59, waldo kitty escreveu:
On 6/13/2014 6:23 AM, hernani wrote:

how can i remove this warning --->
all of those are "flowbit XXXX set but not ever checked." so either enable the
rules that check those flowbits *OR* disable the rules listed that set those


where can i find this rules ?
i use snort base mysql barnyard2 on snort-

grep (or any other text search tool) is your friend... you tell it to search
your *.rules files for the flowbit set pattern...

eg: grep -i -E "flowbits:set,flowbit.here;" /path/to/snort/rules/*.rules

where "flowbit.here" would be the flowbits from your warning list...

eg: grep -i -E "flowbits:set,file\.abc;" /path/to/snort/rules/*.rules
    grep -i -E "flowbits:set,imap\.cram\.md5;" /path/to/snort/rules/*.rules
    grep -i -E "flowbits:set,file\.fon;" /path/to/snort/rules/*.rules

the results of the search will tell you which file the pattern is found in and
what the SID of the rule is because it prints out the whole line containing the

Some of these were fixed on Friday, so you should see these errors go away.  There are a couple, however, that can only be fixed by using PulledPork.

Going forward, we are only supporting pulledpork, when it comes to downloading rules, etc from Snort.org<http://Snort.org>, so if you aren’t tranisitioned to pulledpork yet, you may want to think about doing this.

More details will be coming in a blog post for official announcements, but just my 0.02 here.

Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140616/66a8e4b7/attachment.html>

More information about the Snort-users mailing list