[Snort-users] Flowbits warnings problem

Anna Anna at sonru.com
Fri Aug 4 11:17:25 EDT 2017


Hello,

Snort: 2.9.9.0
PulledPork: 0.7.3

I know this problem has come up before, but I have these flowbits warnings:

WARNING: flowbits key 'file.m4v' is set but not ever checked.
WARNING: flowbits key 'smb.trans2.get_dfs_referral' is set but not ever checked.
WARNING: flowbits key 'tivoli.backup' is set but not ever checked.

I am using PulledPork, yet it is still not setting all the flowbits right.

I read the blog post by Joel Esler: http://blog.snort.org/2011/05/resolving-flowbit-dependancies.html

I have a question: how do I set them right manually?

I found the strings that have those flowbits,

eg.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V file attachment detected"; flow:to_server,established; content:".m4v"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4v/i"; flowbits:set,file.m4v; flowbits:noalert; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:22980; rev:10;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established; file_data; content:"ftypM4V"; depth:7; offset:4; nocase; flowbits:set,file.m4v; flowbits:noalert; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24818; rev:8;)


Can this be corrected by changing

 flowbits:noalert;

to

 flowbits:isset,file.m4v;

in this string?

I would like to make sure before I manually change any rule.

Thank you

ANNA
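As an added example (not part of Anna's post, and not Snort or PulledPork code), here is a small Python script that reproduces the check behind this warning over a constructed rule set: it lists each flowbit that an enabled rule sets but no enabled rule checks, together with the disabled rules (hypothetical placeholder sids 9000001-9000003) that would check it. Enabling such a checking rule, or disabling the setter, is what clears the warning; replacing `noalert` in the setting rule with `isset` would only make that rule test the bit it has just set.

```python
import re
from collections import defaultdict

# Constructed sample: the two setters quoted in the post plus hypothetical rules
# (placeholder sids 9000001-9000003) that exercise the dependency check.
SAMPLE_RULES = r"""
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V file attachment detected"; flow:to_server,established; content:".m4v"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4v/i"; flowbits:set,file.m4v; flowbits:noalert; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:22980; rev:10;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established; file_data; content:"ftypM4V"; depth:7; offset:4; nocase; flowbits:set,file.m4v; flowbits:noalert; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24818; rev:8;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED disabled rule that checks file.m4v"; flow:to_client,established; flowbits:isset,file.m4v; sid:9000001; rev:1;)
alert tcp any any -> any any (msg:"CONSTRUCTED setter"; flowbits:set,demo.bit; flowbits:noalert; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"CONSTRUCTED checker"; flowbits:isset,demo.bit; sid:9000003; rev:1;)
"""

# flowbits:<op>[,<names>];  names may be joined by & or |, noalert/reset carry none
FLOWBITS_RE = re.compile(r"flowbits:\s*(\w+)(?:\s*,\s*([^;]+))?;")
SID_RE = re.compile(r"sid:\s*(\d+)\s*;")
SETTERS, CHECKERS = {"set", "setx", "toggle"}, {"isset", "isnotset"}

def parse_flowbits(rules_text):
    """Map sid -> (enabled, {bit: set of flowbits ops}) for each rule using flowbits."""
    rules = {}
    for line in rules_text.splitlines():
        sid = SID_RE.search(line)
        if not sid or "flowbits:" not in line:
            continue
        ops = defaultdict(set)
        for op, names in FLOWBITS_RE.findall(line):
            for name in re.split(r"[&|]", names):
                if name.strip():
                    ops[name.strip()].add(op)
        rules[int(sid.group(1))] = (not line.lstrip().startswith("#"), dict(ops))
    return rules

def unchecked_flowbits(rules):
    """Bits set by an enabled rule but checked by none, with the disabled sids that would check them."""
    set_on, checked_on, checked_off = set(), set(), defaultdict(list)
    for sid, (enabled, ops) in rules.items():
        for bit, bit_ops in ops.items():
            if enabled and bit_ops & SETTERS:
                set_on.add(bit)
            if bit_ops & CHECKERS:
                if enabled:
                    checked_on.add(bit)
                else:
                    checked_off[bit].append(sid)
    return {bit: sorted(checked_off[bit]) for bit in sorted(set_on - checked_on)}

if __name__ == "__main__":
    for bit, sids in unchecked_flowbits(parse_flowbits(SAMPLE_RULES)).items():
        print(f"WARNING: flowbits key '{bit}' is set but not ever checked; disabled checkers: {sids}")
```

Run against a real rules directory by concatenating the `.rules` files into `rules_text`; `demo.bit` produces no warning because an enabled rule checks it.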

