<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hello,<div class=""><br class=""></div><div class="">Snort: 2.9.9.0</div><div class="">PulledPork: 0.7.3</div><div class=""><br class=""></div><div class="">I know this problem has come up before, but I have these flowbits warnings:</div><div class=""><br class=""></div><div class=""><div class="">WARNING: flowbits key 'file.m4v' is set but not ever checked.</div><div class="">WARNING: flowbits key 'smb.trans2.get_dfs_referral' is set but not ever checked.</div><div class="">WARNING: flowbits key 'tivoli.backup' is set but not ever checked.</div></div><div class=""><br class=""></div><div class="">I am using PulledPork, yet it is still not setting all the flowbits right.</div><div class=""><br class=""></div><div class="">I read the blog post by Joel Esler: <a href="http://blog.snort.org/2011/05/resolving-flowbit-dependancies.html" class="">http://blog.snort.org/2011/05/resolving-flowbit-dependancies.html</a></div><div class=""><br class=""></div><div class="">I have a question: how do I set them right manually?</div><div class=""><br class=""></div><div class="">Found the strings that have those flowbits</div><div class=""><br class=""></div><div class="">e.g.</div><div class=""><br class=""></div><div class=""><div class="">alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY M4V file attachment detected"; flow:to_server,established; content:".m4v"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2em4v/i"; <b class="">flowbits:set,file.m4v</b>; flowbits:noalert; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:22980; rev:10;)</div><div class="">alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established; file_data; content:"ftypM4V"; depth:7; offset:4; nocase;<b class=""> 
flowbits:set,file.m4v</b>; flowbits:noalert; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24818; rev:8;)</div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Can this be corrected by changing</div><div class=""><br class=""></div><div class=""> flowbits:noalert;</div><div class=""><br class=""></div><div class="">to</div><div class=""><br class=""></div><div class="">flowbits:isset,file.m4v;  in this string?</div><div class=""><br class=""></div><div class="">I would like to make sure before I manually change any rule.</div><div class=""><br class=""></div><div class=""><div class=""><div class=""><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div class="">Thank you</div><div class=""><b class="" style="font-family: Arial, Helvetica, San-Serif; font-size: 11px; text-transform: uppercase; letter-spacing: 2px;"><br class=""></b></div><div class=""><b class="" style="font-family: Arial, Helvetica, San-Serif; font-size: 11px; text-transform: uppercase; letter-spacing: 2px;">ANNA</b></div></div></div></div></div></body></html>