
[Snort-users] help with WARNING: flowbits key


hernani

Jun 13, 2014, 6:23:58 AM
Hello,

How can I remove these warnings --->


Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.abc' is set but not ever checked.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'imap.cram_md5' is set but not ever checked.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.fon' is set but not ever checked.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.xwd' is set but not ever checked.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.mp3' is checked but not ever set.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.wav' is checked but not ever set.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.maki' is checked but not ever set.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'cocsoft.stream' is set but not ever checked.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.pecompact' is checked but not ever set.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.fpx' is set but not ever checked.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.wma' is checked but not ever set.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.png' is checked but not ever set.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.asf' is checked but not ever set.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'hornet.4' is set but not ever checked.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'hplogin' is set but not ever checked.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.nab' is set but not ever checked.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.xps' is set but not ever checked.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.wmp_playlist' is checked but not ever set.


thanks

hernani coelho

------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

waldo kitty

Jun 13, 2014, 2:59:14 PM
On 6/13/2014 6:23 AM, hernani wrote:
> hello,
>
> how can i remove this warning --->

all of those are "flowbit XXXX set but not ever checked." so either enable the
rules that check those flowbits *OR* disable the rules listed that set those
flowbits...

--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.

Joel Esler (jesler)

Jun 13, 2014, 3:59:31 PM
Are you using pulledpork to manage your ruleset?  I suggest that you do, as pulledpork should fix these dependency problems.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team


On Jun 13, 2014, at 6:23 AM, hernani <coelho....@sapo.pt> wrote:

hello,

how can i remove this warning --->

hernani

Jun 14, 2014, 5:01:07 AM

On 13-06-2014 19:59, waldo kitty wrote:
> On 6/13/2014 6:23 AM, hernani wrote:
>> hello,
>>
>> how can i remove this warning --->
> all of those are "flowbit XXXX set but not ever checked." so either enable the
> rules that check those flowbits *OR* disable the rules listed that set those
> flowbits...
>
Hello,

Where can I find these rules?
I use Snort, BASE, MySQL and Barnyard2 on snort-2.9.6.1.

thank you

hernani

hernani

Jun 14, 2014, 12:20:11 PM
Hello Joel,

I installed pulledpork, but it tells me the rules match and doesn't fix the dependencies.

Here is the output:



Checking latest MD5 for snortrules-snapshot-2961.tar.gz....
    They Match
    Done!
Checking latest MD5 for community-rules.tar.gz....
    They Match
    Done!
IP Blacklist download of http://labs.snort.org/feeds/ip-filter.blf....
Reading IP List...
Checking latest MD5 for opensource.gz....
    They Match
    Done!
Writing Blacklist File /usr/local/snort/rules/default.blacklist....
Writing Blacklist Version 895836774 to /usr/local/snort/rules/iplistsIPRVersion.dat....
Fly Piggy Fly!


thanks

hernani coelho






On 13-06-2014 20:59, Joel Esler (jesler) wrote:
Are you using pulledpork to manage your ruleset?  I suggest that you do, as pulledpork should fix these dependency problems.

hernani

Jun 15, 2014, 11:12:08 AM
Hello,

I hadn't restarted the PC after installing pulledpork;

now it gives me this -->

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cumm...@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Checking latest MD5 for snortrules-snapshot-2961.tar.gz....
Rules tarball download of snortrules-snapshot-2961.tar.gz....

    They Match
    Done!
Checking latest MD5 for community-rules.tar.gz....
Rules tarball download of community-rules.tar.gz....

    They Match
    Done!
IP Blacklist download of http://labs.snort.org/feeds/ip-filter.blf....
Reading IP List...
Checking latest MD5 for opensource.gz....
Rules tarball download of opensource.gz....
    They Match
    Done!
Checking latest MD5 for emerging.rules.tar.gz....
Rules tarball download of emerging.rules.tar.gz....
    They Match
    Done!
Prepping rules from opensource.gz for work....
    Done!
Prepping rules from emerging.rules.tar.gz for work....
    Done!
Prepping rules from snortrules-snapshot-2961.tar.gz for work....
    Done!
Prepping rules from community-rules.tar.gz for work....
    Done!
Reading rules...
Generating Stub Rules....
    An error occurred: WARNING: ip4 normalizations disabled because not inline.

    An error occurred: WARNING: tcp normalizations disabled because not inline.

    An error occurred: WARNING: icmp4 normalizations disabled because not inline.

    An error occurred: WARNING: ip6 normalizations disabled because not inline.

    An error occurred: WARNING: icmp6 normalizations disabled because not inline.

    Done
Reading rules...
Reading rules...
Writing Blacklist File /usr/local/snort/rules/default.blacklist....
Writing Blacklist Version 942760505 to /usr/local/snort/rules/iplistsIPRVersion.dat....
Setting Flowbit State....
    Enabled 114 flowbits
    Done
Writing /usr/local/snort/rules/teste.rules....
    Done
Generating sid-msg.map....
    Done
Writing v1 /usr/local/snort/etc/sid-msg.map....
    Done
Writing /var/log/sid_changes.log....
    Done
Rule Stats...
    New:-------46
    Deleted:---16
    Enabled Rules:----21167
    Dropped Rules:----0
    Disabled Rules:---19609
    Total Rules:------40776
IP Blacklist Stats...
    Total IPs:-----839

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

I don't know if this is right, but it doesn't fix the flowbits dependencies.

Can someone help me?

thanks

hernani coelho

Joel Esler (jesler)

Jun 15, 2014, 11:27:43 AM
I see these lines in the run.

--
Joel Esler
Sent from my iPhone

> On Jun 15, 2014, at 11:15, "hernani" <coelho....@sapo.pt> wrote:
>
> Setting Flowbit State....
> Enabled 114 flowbits
> Done

waldo kitty

Jun 16, 2014, 1:37:34 PM
On 6/14/2014 5:01 AM, hernani wrote:
>
> On 13-06-2014 19:59, waldo kitty wrote:
>> On 6/13/2014 6:23 AM, hernani wrote:
>>> hello,
>>>
>>> how can i remove this warning --->
>> all of those are "flowbit XXXX set but not ever checked." so either enable the
>> rules that check those flowbits *OR* disable the rules listed that set those
>> flowbits...
>>
> hello,
>
> where can i find this rules ?
> i use snort base mysql barnyard2 on snort-2.9.6.1

grep (or any other text search tool) is your friend... you tell it to search
your *.rules files for the flowbit set pattern...

eg: grep -i -E "flowbits:set,flowbit.here;" /path/to/snort/rules/*.rules


where "flowbit.here" would be the flowbits from your warning list...

eg: grep -i -E "flowbits:set,file\.abc;" /path/to/snort/rules/*.rules
grep -i -E "flowbits:set,imap\.cram_md5;" /path/to/snort/rules/*.rules
grep -i -E "flowbits:set,file\.fon;" /path/to/snort/rules/*.rules

the results of the search will tell you which file the pattern is found in and
what the SID of the rule is because it prints out the whole line containing the
pattern...

--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
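A way to run waldo's search in bulk, added here as an example (not code from the thread, from Snort or from pulledpork): it parses the startup warnings, indexes which rules set or check each flowbit in a .rules body, and reports the disabled rules that would satisfy each dependency. The warning lines and rules below are constructed samples with hypothetical SIDs; in practice you would read the real *.rules files into `RULES`.

```python
import re
from collections import defaultdict

# Constructed sample of the startup warnings quoted in the thread (syslog prefix kept).
WARNINGS = """\
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.abc' is set but not ever checked.
Jun 13 11:17:08 hernani snort[13332]: WARNING: flowbits key 'file.mp3' is checked but not ever set.
"""
# Constructed sample rules with hypothetical SIDs; a leading '#' is a disabled rule.
RULES = """\
alert tcp any any -> any any (msg:"set abc"; flowbits:set,file.abc; flowbits:noalert; sid:1000001; rev:1;)
# alert tcp any any -> any any (msg:"check abc"; flowbits:isset,file.abc; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"check mp3"; flowbits:isset,file.mp3; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"set mp3"; flowbits:set,file.mp3; sid:1000004; rev:1;)
"""

WARN_RE = re.compile(r"flowbits key '([^']+)' is (set but not ever checked|checked but not ever set)")
# Snort 2.9 syntax: flowbits:<op>,<bit>[&<bit>...][,<group>];  noalert/unset are not indexed.
FLOWBIT_RE = re.compile(r"flowbits:\s*(set|setx|toggle|isset|isnotset)\s*,\s*([^;,]+)")
SID_RE = re.compile(r"sid:\s*(\d+)\s*;")

def parse_warnings(text):
    """Map each warned flowbit to 'unchecked' (set, never checked) or 'unset' (checked, never set)."""
    return {key: ("unchecked" if kind.startswith("set") else "unset")
            for key, kind in WARN_RE.findall(text)}

def index_rules(text):
    """Map flowbit -> {'set': [(sid, enabled)], 'check': [(sid, enabled)]} for a .rules body."""
    idx = defaultdict(lambda: {"set": [], "check": []})
    for line in text.splitlines():
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue                          # blank lines and plain comments carry no sid
        enabled = not line.lstrip().startswith("#")
        for op, names in FLOWBIT_RE.findall(line):
            role = "check" if op in ("isset", "isnotset") else "set"
            for name in names.split("&"):     # setx/isset may name several bits joined by '&'
                idx[name.strip()][role].append((int(sid_m.group(1)), enabled))
    return idx

def triage(warnings_text, rules_text):
    """Per warning: rules on both sides, plus the disabled rules whose re-enabling satisfies it.
    For 'unchecked' the other fix is to disable the setters, as waldo suggests in the thread."""
    idx, report = index_rules(rules_text), {}
    for key, kind in parse_warnings(warnings_text).items():
        missing = "check" if kind == "unchecked" else "set"
        report[key] = {"kind": kind, "set": idx[key]["set"], "check": idx[key]["check"],
                       "enable": [sid for sid, on in idx[key][missing] if not on]}
    return report
```

An empty `enable` list for a warned flowbit means the other side of the dependency is not in the installed ruleset at all (for example, a rule category that was never downloaded), so no local enable/disable change will silence that warning.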

Joel Esler (jesler)

Jun 16, 2014, 1:46:49 PM
On Jun 16, 2014, at 1:37 PM, waldo kitty <wkit...@windstream.net> wrote:
> grep (or any other text search tool) is your friend... you tell it to search
> your *.rules files for the flowbit set pattern...

Some of these were fixed on Friday, so you should see these errors go away.  There are a couple, however, that can only be fixed by using PulledPork.

Going forward, we are only supporting pulledpork, when it comes to downloading rules, etc. from Snort.org, so if you aren't transitioned to pulledpork yet, you may want to think about doing this.

More details will be coming in a blog post for official announcements, but just my 0.02 here.