<div dir="ltr">Russell, might want to check up on whether etpro-info.rules is enabled in your config, that's where "2017748 - ET INFO Java Downloading Archive flowbit no alert" lives.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, May 19, 2019 at 3:34 PM Russell Fulton &lt;<a href="mailto:r.fulton@auckland.ac.nz">r.fulton@auckland.ac.nz</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I recently moved to suricata 4.1.4 (from 4.0.4) and I now get a heap of errors like this:<br>
<br>
2019 May 20 06:42:11 +12:00 secmonprd11: suricata: '[22157] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017756 and 15 other sigs’<br>
<br>
Spot checking the tarball rules, it is quite correct: there are no rules that set that flowbit. I am using the 4.1.4 version of the ETPro rules.<br>
<br>
Any ideas what is going on? <br>
<br>
Using suricata-update 1.0.5 (upgraded at the same time from 1.0).<br>
<br>
Russell<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature">PGP: ABE625E6<br><a href="http://keybase.io/travisbgreen" target="_blank">keybase.io/travisbgreen</a></div>
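
The check behind the SC_WARN_FLOWBIT warning discussed in this thread, as an added example that is not part of either message and not Suricata's own code: it lists flowbits that enabled rules test but no enabled rule sets, and shows the warning clearing once the setter rule is enabled. The rule bodies are constructed stand-ins (only the flowbit name and the two sids come from the thread), the function names are hypothetical, and counting `set` and `toggle` as setters is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample rules: simplified stand-ins, not the real ET Pro rule bodies.
# A leading "#" marks a rule that ships in the file but is disabled.
SAMPLE_RULES = """\
# alert http any any -> any any (msg:"constructed setter"; flowbits:set,et.JavaArchiveOrClass; flowbits:noalert; sid:2017748; rev:1;)
alert http any any -> any any (msg:"constructed checker"; flowbits:isset,et.JavaArchiveOrClass; sid:2017756; rev:1;)
alert http any any -> any any (msg:"constructed pair, set"; flowbits:set,demo.bit; flowbits:noalert; sid:9000001; rev:1;)
alert http any any -> any any (msg:"constructed pair, check"; flowbits:isset,demo.bit; sid:9000002; rev:1;)
"""

# Matches "flowbits:<command>,<name>;" and skips the name-less "flowbits:noalert;".
FLOWBIT_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*,\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
SETTERS = {"set", "toggle"}       # assumption: both count as setting the bit
CHECKERS = {"isset", "isnotset"}


def unset_flowbits(rules_text):
    """Return {flowbit: [sids that check it]} for bits no enabled rule sets."""
    set_bits = set()
    checked = defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # disabled rules do not count
            continue
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue
        sid = int(sid_match.group(1))
        for command, names in FLOWBIT_RE.findall(line):
            for name in names.split("|"):      # "isset,a|b" names several bits
                name = name.strip()
                if command in SETTERS:
                    set_bits.add(name)
                elif command in CHECKERS:
                    checked[name].add(sid)
    return {bit: sorted(sids) for bit, sids in checked.items() if bit not in set_bits}


def enable_sid(rules_text, sid):
    """Uncomment the rule carrying this sid, as enabling it in the ruleset would."""
    pattern = r"^#[ \t]*(?=.*\bsid\s*:\s*%d\s*;)" % sid
    return re.sub(pattern, "", rules_text, flags=re.M)


if __name__ == "__main__":
    print("before:", unset_flowbits(SAMPLE_RULES))
    print("after enabling 2017748:", unset_flowbits(enable_sid(SAMPLE_RULES, 2017748)))
```

Run against the merged rule file that suricata-update writes, the same function shows whether the setter rule was dropped or commented out during the update.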