[Snort-users] Flowbit Dependencies

Sam Hodgson sam.hodgson at perfect-image.co.uk
Wed Sep 20 08:58:15 EDT 2017


Hi All,


Snortnoob here, have it up and running on Centos 7 however seeing lots of this on startup:


WARNING: flowbits key 'file.search-ms' is set but not ever checked.
WARNING: flowbits key 'file.flac' is set but not ever checked.
328 out of 1024 flowbits in use.


Im running pulledpork which updates without error, i understand it would potentially automatically resolve the above however not the case for some reason.


The large majority of the unchecked flowbits are file.xxx and as a test case I can see that file.flac is referenced multiple times in /etc/snort/rules/file-multimedia.rules


# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FLAC libFLAC picture metadata buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.flac; file_data; content:"fLaC"; content:"|06|"; content:"|FF FF FF FF|"; within:4; distance:7; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12745; rev:13;)

Upon updating i see:


Rule Stats...
        New:-------10561
        Deleted:---0
        Enabled Rules:----11067
        Dropped Rules:----0
        Disabled Rules:---32670
        Total Rules:------43737



I've read that not all are enabled by default out of the box for performance reasons is that correct? and is that the reason behind the flowbit warnings?


Any input is greatly appreciated!


Thanks


Sam



________________________________

Save paper, please think twice before printing this email.

Equinox House | Cobalt 3.2 | Cobalt Business Park | Silver Fox Way | North Tyneside | Newcastle upon Tyne | NE27 0QJ
T. 0191 238 0111 | F. 0191 238 0127 | Service Desk Direct Line. 0191 238 0121
Perfect Image Ltd. Registered in England & Wales. Company Registration Number: 2650067
Registered Office: Equinox House, Cobalt 3.2, Cobalt Business Park, Silver Fox Way, North Tyneside, Newcastle upon Tyne, NE27 0QJ

This e-mail is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not represent those of Perfect Image Ltd. If you are not the intended recipient, please notify us at info at perfect-image.co.uk and be advised that you have received this mail in error and that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170920/41a1a24d/attachment.html>


More information about the Snort-users mailing list