[Snort-users] Flowbits set to isset

Patrick Mullen (pamullen) pamullen at cisco.com
Wed Jun 13 13:38:28 EDT 2018


file.cur is checked in sid 23499 and set in sids 23496, 23497, and 23498.  If you have any of the sids 23496-23498 enabled but not 23499, you will get the warning that you are checking flowbit state without having any rules enabled that could set it.

Replacing all instances of "set" to "isset", in other words, from actually setting the flowbit to checking the flowbit, will of course result in a warning that a flowbit is checked but never set since you made all rules no longer set the flowbit.  Yes, "isset" is another check of flowbit state along with "isnotset", so those would also require a rule that could potentially set the flowbit to be enabled to not get that warning.



From: Gerry Carpinetti <carpinetti.gerry at outlook.com>
Date: Tuesday, June 12, 2018 at 10:02 PM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: [Snort-users] Flowbits set to isset

I did some reading on flowbit warnings and how to fix them but after the changes I still receive the warnings. I used Notepad++ to open a rules file, than used Search -> Find In Files "selected the C:\Snort\rules folder than entered "flowbits:set" into the Find What box, I replaced all flowbits:set to flowbits:isset..

No matter which .rules file I open and search for flowbits:set has been replaced with isset but yet I still get the WARNING: flowbits key 'file.cur' is checked but not ever set, as an example. Even if I do a direct search within the file-indentify.rules for flowbits:set none exist.

Does this warning have to do with the flowbits:isnotset??
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20180613/07f71678/attachment.html>

More information about the Snort-users mailing list