[Oisf-users] flowbits checked but not set

Jeff Dyke jeff.dyke at gmail.com
Wed Feb 27 20:42:46 UTC 2019


After implementing the suricata-update flow that I require, I was testing
it out in my staging environment, which is also public, so I run suricata
seriously in staging.  After reloading rules, I see warnings about
flowbits being checked but not set (examples below).  I have read some
documentation about this and most/all of these do indeed have a rule with
isset:foo.flowbit, but there is not a rule for set:foo.flowbit.

Is this something folks are fixing themselves, an oddity I introduced, or
incomplete rules from, mostly, emerging-threat rule files?  I understand
these are just warnings, but the isset rule cannot be reached b/c there
is no set rule, from my readings.

I saw the same warnings in my dev environment as well.

Thanks
Jeff

    27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2016396 and 3 other sigs
    27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 5 other sigs
    27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017246 and 1 other sigs
    27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
    27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017756 and 15 other sigs
    27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other sigs
    27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
    27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
    27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
    27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
    27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 11 other sigs
    27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
    27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
    27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
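
An added example, not part of the original post and not Suricata's own code: a small audit that approximates the check behind these warnings by listing flowbits that an enabled rule tests but no enabled rule sets, together with any commented-out rule that would set them. It assumes one rule per line and `#` for disabled rules; the sample rules, SIDs and flowbit names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample rules (not real ET signatures); SIDs and names are made up.
SAMPLE_RULES = r'''
# alert http any any -> any any (msg:"constructed: PDF seen"; flowbits:set,EX.pdf.in.http; flowbits:noalert; sid:9000001; rev:1;)
alert http any any -> any any (msg:"constructed: PDF with JS"; flowbits:isset,EX.pdf.in.http; content:"/JS"; sid:9000002; rev:1;)
alert http any any -> any any (msg:"constructed: zip seen"; flowbits:set,EX.http.PK; flowbits:noalert; sid:9000003; rev:1;)
alert http any any -> any any (msg:"constructed: zip follow-up"; flowbits:isset,EX.http.PK; sid:9000004; rev:1;)
alert http any any -> any any (msg:"constructed: orphan check"; flowbits:isnotset,EX.never.set; sid:9000005; rev:1;)
'''

# Matches "flowbits:<action>,<name>;" and skips the nameless "flowbits:noalert;".
FLOWBIT = re.compile(r'flowbits\s*:\s*(\w+)\s*,\s*([^;]+);')
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
SETTERS = {"set", "toggle"}        # actions that can turn a bit on
CHECKERS = {"isset", "isnotset"}   # actions that only test a bit

def audit_flowbits(rules_text):
    """Return {flowbit: {"checked_in": [sids], "disabled_setters": [sids]}}
    for every bit an enabled rule checks but no enabled rule sets."""
    checked = defaultdict(list)       # bit -> SIDs of enabled rules testing it
    set_enabled = set()               # bits some enabled rule can turn on
    set_disabled = defaultdict(list)  # bit -> SIDs of commented-out setters
    for line in rules_text.splitlines():
        line = line.strip()
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        sid_match = SID.search(body)
        if not sid_match:             # blank line or plain comment
            continue
        sid = int(sid_match.group(1))
        for action, names in FLOWBIT.findall(body):
            for name in (n.strip() for n in names.split("|")):  # "a|b" = OR list
                if action in SETTERS and enabled:
                    set_enabled.add(name)
                elif action in SETTERS:
                    set_disabled[name].append(sid)
                elif action in CHECKERS and enabled:
                    checked[name].append(sid)
    return {name: {"checked_in": sids,
                   "disabled_setters": set_disabled.get(name, [])}
            for name, sids in checked.items() if name not in set_enabled}

if __name__ == "__main__":
    for bit, info in sorted(audit_flowbits(SAMPLE_RULES).items()):
        print(f"flowbit '{bit}' checked in {info['checked_in']}, "
              f"disabled setters: {info['disabled_setters'] or 'none found'}")
```

Run against the merged rule file that suricata-update writes, an empty "disabled setters" list means no rule in that file sets the bit at all, while a non-empty one points at setter rules that exist but are commented out.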