[Snort-users] Flowbit Dependencies

Photius Orfanidis photiorfanidis at telstra.com
Wed Sep 20 10:36:59 EDT 2017


Hi Dave!

If you want a really easy setup and network configuration try using Snort with pfSense. It works like a charm without any errors even with advanced configuration(s) in my experience.

Cheers :)

Photius

> On 20 Sep 2017, at 10:58 pm, Sam Hodgson <sam.hodgson at perfect-image.co.uk> wrote:
> 
> Hi All,
> 
> 
> Snort noob here, have it up and running on CentOS 7; however, I am seeing lots of this on startup:
> 
> 
> WARNING: flowbits key 'file.search-ms' is set but not ever checked.
> WARNING: flowbits key 'file.flac' is set but not ever checked.
> 328 out of 1024 flowbits in use.
> 
> I'm running pulledpork, which updates without error. I understand it would potentially automatically resolve the above; however, that is not the case for some reason.
> 
> 
> The large majority of the unchecked flowbits are file.xxx, and as a test case I can see that file.flac is referenced multiple times in /etc/snort/rules/file-multimedia.rules:
> 
> # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FLAC libFLAC picture metadata buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.flac; file_data; content:"fLaC"; content:"|06|"; content:"|FF FF FF FF|"; within:4; distance:7; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12745; rev:13;)
> 
> Upon updating I see:
> 
> Rule Stats...
>         New:-------10561
>         Deleted:---0
>         Enabled Rules:----11067
>         Dropped Rules:----0
>         Disabled Rules:---32670
>         Total Rules:------43737
> 
> 
> I've read that not all rules are enabled by default out of the box for performance reasons. Is that correct, and is that the reason behind the flowbit warnings?
> 
> Any input is greatly appreciated!
> 
> Thanks
> 
> Sam
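The warning Sam quotes appears when a rule that sets a flowbit is enabled while every rule that checks that key is disabled (commented out, as PulledPork leaves rules outside the chosen policy) or absent. The script below is an added example, not from this thread nor from Snort or PulledPork: it walks a rules file, treats `#`-prefixed rules as disabled, and reports each unchecked key together with whether a commented-out checker exists for it. The sample rules and their sids are constructed for the demonstration.

```python
import re

FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]*))?;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
SETTERS = {"set", "setx", "toggle"}   # operations that give a key a value
CHECKERS = {"isset", "isnotset"}      # operations that test a key

def parse_rules(text):
    """Return (sid, enabled, op, keys) for every flowbits option in a rules file.
    A rule whose line starts with '#' is disabled, i.e. not loaded by Snort."""
    uses = []
    for line in text.splitlines():
        body = line.strip()
        if "flowbits" not in body:
            continue
        enabled = not body.startswith("#")
        body = body.lstrip("# ")
        sid_m = SID_RE.search(body)
        sid = sid_m.group(1) if sid_m else "?"
        for op, arg in FLOWBITS_RE.findall(body):
            if op in SETTERS | CHECKERS:
                # isset may test several keys joined by & or |; an optional
                # group name after a second comma is not a key and is dropped
                keys = [k.strip() for k in re.split(r"[&|]", arg.split(",")[0]) if k.strip()]
                uses.append((sid, enabled, op, keys))
    return uses

def unchecked_flowbits(text):
    """Keys set by an enabled rule but checked by no enabled rule, split by cause:
    'check_disabled' (a checker exists but is commented out) or 'no_check'."""
    uses = parse_rules(text)
    def keyset(enabled, ops):
        return {k for _, en, op, ks in uses if en == enabled and op in ops for k in ks}
    unchecked = keyset(True, SETTERS) - keyset(True, CHECKERS)
    disabled_checks = keyset(False, CHECKERS)
    return {"check_disabled": unchecked & disabled_checks,
            "no_check": unchecked - disabled_checks}

# Constructed sample in the shape of the rule quoted above; sids are placeholders.
SAMPLE_RULES = """
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY FLAC request"; flow:to_server,established; content:".flac"; flowbits:set,file.flac; sid:900001; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FLAC check"; flow:to_client,established; flowbits:isset,file.flac; file_data; content:"fLaC"; sid:900002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY search-ms request"; flow:to_server,established; content:".search-ms"; flowbits:set,file.search-ms; sid:900003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY MP3 request"; flow:to_server,established; content:".mp3"; flowbits:set,file.mp3; sid:900004; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MP3 check"; flow:to_client,established; flowbits:isset,file.mp3; file_data; content:"ID3"; sid:900005; rev:1;)
"""

if __name__ == "__main__":
    for cause, found in sorted(unchecked_flowbits(SAMPLE_RULES).items()):
        for key in sorted(found):
            print(f"WARNING: flowbits key '{key}' is set but not ever checked ({cause})")
```

Run against /etc/snort/rules/*.rules concatenated, a key listed under check_disabled means the fix is enabling its checker (or disabling the setter) in the PulledPork policy, while no_check means the rule set simply never consumes it.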