Take a look at this blog post as well:

Sent from my iPhone

On Jun 13, 2018, at 13:45, Patrick Mullen (pamullen) via Snort-users <snort-users@lists.snort.org> wrote:



file.cur is checked in sid 23499 and set in sids 23496, 23497, and 23498.  If you have any of the sids 23496-23498 enabled but not 23499, you will get the warning that you are checking flowbit state without having any rules enabled that could set it.


Replacing all instances of "set" to "isset", in other words, from actually setting the flowbit to checking the flowbit, will of course result in a warning that a flowbit is checked but never set since you made all rules no longer set the flowbit.  Yes, "isset" is another check of flowbit state along with "isnotset", so those would also require a rule that could potentially set the flowbit to be enabled to not get that warning.








From: Gerry Carpinetti <carpinetti.gerry@outlook.com>
Date: Tuesday, June 12, 2018 at 10:02 PM
To: "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: [Snort-users] Flowbits set to isset


I did some reading on flowbit warnings and how to fix them but after the changes I still receive the warnings. I used Notepad++ to open a rules file, than used Search -> Find In Files "selected the C:\Snort\rules folder than entered "flowbits:set" into the Find What box, I replaced all flowbits:set to flowbits:isset..


No matter which .rules file I open and search for flowbits:set has been replaced with isset but yet I still get the WARNING: flowbits key 'file.cur' is checked but not ever set, as an example. Even if I do a direct search within the file-indentify.rules for flowbits:set none exist.


Does this warning have to do with the flowbits:isnotset??

Snort-users mailing list
Go to this URL to change user options or unsubscribe:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette