[Snort-users] File.swf.cff has 2 sections for flowbits?

wkitty42 at windstream.net wkitty42 at windstream.net
Thu Jun 14 08:30:23 EDT 2018


On 06/13/2018 09:29 PM, Gerry Carpinetti via Snort-users wrote:
> I have noticed some have flowbits in 2 different sections of a single line of 
> code for example:
> Flowbits:isset, file.swf; and again flowbits:set, file.swf.cff which is the 
> Warning is set but not ever checked.


look at that very closely... it is checking if the file.swf flowbit is set... if 
it is and the rest of the rule matches, then the file.swf.cff flowbit is also 
set... now you have two flowbits set... the first indicates there is a swf file 
and the second indicates the swf file is utilizing the "CFF Feature count"...


> So how are you going to handle one of these that has flowbits mentioned twice in 
> a single line and some have matching SID’s. So the question is which one are you 
> suppose to modify when a line has 2 sections for flowbits???


you don't modify any of them! you find at least one rule that has 
"isset,file.swf.cff" and enable it by removing the "#" from the beginning of its 
line...

in the rules sets that i have, that means enabling 25681 and/or 25683...


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*


More information about the Snort-users mailing list