[Snort-users] Flowbits warnings problem
Anna at sonru.com
Fri Aug 4 11:17:25 EDT 2017
I know this problem came up before, but I have these flowbits warnings:
WARNING: flowbits key 'file.m4v' is set but not ever checked.
WARNING: flowbits key 'smb.trans2.get_dfs_referral' is set but not ever checked.
WARNING: flowbits key 'tivoli.backup' is set but not ever checked.
I am using PulledPork, yet it is still not setting all the flowbits right.
I read the blog post by Joel Esler http://blog.snort.org/2011/05/resolving-flowbit-dependancies.html
I have a question: how to set them right manually?
Found the strings that have those flowbits:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V file attachment detected"; flow:to_server,established; content:".m4v"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4v/i"; flowbits:set,file.m4v; flowbits:noalert; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:22980; rev:10;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established; file_data; content:"ftypM4V"; depth:7; offset:4; nocase; flowbits:set,file.m4v; flowbits:noalert; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24818; rev:8;)
Can this be corrected by changing to
flowbits:isset,file.m4v; in this string?
I would like to make sure before I manually change any rule.
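As an added illustration (not code from the post, from Snort or from PulledPork), a small Python audit that mimics the check behind that warning: it walks a rules file, records which enabled rules set each flowbit and which enabled rules check it, and for every bit that is set but never checked lists the commented-out rules that would check it, since enabling those checkers (or disabling the setter) is what clears the warning. The sample rules are constructed: sid 22980 is the setter quoted above in shortened form, the sids from 9000001 up are invented for this demonstration.

```python
import re
from collections import defaultdict

# Constructed sample rules file (not from the mailing-list post).
# sid:22980 is a shortened copy of the real setter quoted in the post; the
# commented-out checker sid:9000001 and sids 9000002/9000003 are invented.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V file attachment detected"; flow:to_server,established; content:".m4v"; flowbits:set,file.m4v; flowbits:noalert; sid:22980; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HYPOTHETICAL M4V checker"; flow:to_client,established; flowbits:isset,file.m4v; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HYPOTHETICAL setter A"; flowbits:set,demo.a; flowbits:noalert; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HYPOTHETICAL checker A"; flowbits:isset,demo.a&demo.b; sid:9000003; rev:1;)
'''

FLOWBIT_RE = re.compile(r'flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;,]+))?', re.I)
SID_RE = re.compile(r'sid\s*:\s*(\d+)')
RULE_ACTIONS = ('alert', 'drop', 'pass', 'log', 'reject', 'sdrop')
SET_OPS = {'set', 'setx', 'toggle'}      # operations that produce a bit
CHECK_OPS = {'isset', 'isnotset'}        # operations that consume a bit

def parse_rules(text):
    """Yield (sid, enabled, op, bitname) for every flowbits option in every rule line."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith('#')   # a leading '#' means the rule is disabled
        body = stripped.lstrip('# ')
        if not body.startswith(RULE_ACTIONS):
            continue                             # an ordinary comment, not a rule
        m = SID_RE.search(body)
        sid = int(m.group(1)) if m else None
        for op, names in FLOWBIT_RE.findall(body):
            if not names:
                continue                         # noalert / reset carry no bit name
            for name in re.split(r'[&|]', names):  # isset may combine bits with & or |
                yield sid, enabled, op.lower(), name.strip()

def audit_flowbits(text):
    """Return, for each bit set by an enabled rule but checked by none, the setters,
    the (empty) enabled checkers and the disabled rules that would check it."""
    info = defaultdict(lambda: {'set_by': [], 'checked_by': [], 'disabled_checkers': []})
    for sid, enabled, op, bit in parse_rules(text):
        if op in SET_OPS and enabled:
            info[bit]['set_by'].append(sid)
        elif op in CHECK_OPS:
            info[bit]['checked_by' if enabled else 'disabled_checkers'].append(sid)
    return {bit: d for bit, d in info.items() if d['set_by'] and not d['checked_by']}

if __name__ == '__main__':
    for bit, d in audit_flowbits(SAMPLE_RULES).items():
        print(f"{bit}: set by {d['set_by']}, never checked; "
              f"disabled checkers to enable: {d['disabled_checkers']}")
```

Point the script at a real rules file instead of SAMPLE_RULES to see which disabled rules PulledPork's flowbit resolution would need to turn on.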