[Snort-users] Flowbits warnings problem
datorr2 at gmail.com
Fri Aug 4 12:01:08 EDT 2017
I would not recommend changing "flowbits:noalert;" to
"flowbits:isset,file.m4v;" in those two rules.
The warnings you are receiving are just stating that you have rules that
declare a flowbits variable of "file.m4v" that you never use. This is
okay. It is more of a "diagnostic" message more than anything else.
The "flowbits:noalert;" means that if a packet in a given tcp stream
matches that signature, do not fire an alert. The rule is still active,
but it just won't fire an alert. This is used typically when you want one
signature to set a flowbits variable and not alert, then have another
signature later on that will check traffic occurring later that will also
check if the flowbits variable is true.
Here's an example:
alert tcp any any -> any any (msg:"SYN Packet - Do not alert";
flowbits:set,tcp_syn,three_way_handshake; flowbits:noalert; sid:1; rev:1;)
alert tcp any any -> any any (msg:"SYN+ACK Packet - Do not alert";
flowbits:set,tcp_synack,three_way_handshake; flowbits:noalert; sid:2;
alert tcp any any -> any any (msg:"TCP Connection Established - Alert";
flowbits:isset,all,three_way_handshake; flow:to_server; flags:A;
flowbits:unset,all,three_way_handshake; sid:3; rev:1;)
Using these signatures, the only one that will ever "alert" will be the
third one, because the first and second use the "flowbits:noalert;".
To satisfy those warnings, you can make a rule that uses the flowbits that
they set. In the example of the "file.m4v":
alert tcp any any -> any any (msg:"Buffer overflow attempt on Firefox
GStreamer - CVE-2015-0797"; flowbits:isset,file.m4v;
flow:established,from_server; content:"BAD_STUFF_HERE"; ... sid:1000000;
But my recommendation is to either leave those rules as they are and ignore
the warnings, or just disable those rules using pulledpork because you have
no rules that rely on the flowbits that they set.
I hope this helps!
On Fri, Aug 4, 2017 at 11:17 AM, Anna <Anna at sonru.com> wrote:
> Snort: 220.127.116.11
> PulledPork: 0.7.3
> I know this problem come up before but I have those flowbits Warnings
> WARNING: flowbits key ‘file.m4v' is set but not ever checked.
> WARNING: flowbits key 'smb.trans2.get_dfs_referral' is set but not ever
> WARNING: flowbits key 'tivoli.backup' is set but not ever checked.
> I am using PulledPork yet it is still not setting all the flowbits right
> I read the blog post by Joel Esler http://blog.snort.org/
> I have question - how to set them right manually?
> Found the strings that have those flowbits
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V
> file attachment detected"; flow:to_server,established; content:".m4v";
> fast_pattern:only; content:"Content-Disposition: attachment|3B|";
> content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4v/i";
> *flowbits:set,file.m4v*; flowbits:noalert; metadata:policy max-detect-ips
> drop, service smtp; classtype:misc-activity; sid:22980; rev:10;)
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established;
> file_data; content:"ftypM4V"; depth:7; offset:4; nocase;
> * flowbits:set,file.m4v*; flowbits:noalert; metadata:policy
> max-detect-ips drop, service ftp-data, service http, service imap, service
> pop3; classtype:misc-activity; sid:24818; rev:8;)
> is this can be corrected by changing
> flowbits:isset,file.m4v; in this string?
> I would like to make sure before I will manually change any rule
> Thank you
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users