[Oisf-users] flowbits checked but not set

Travis Green travis at travisgreen.net
Tue Mar 5 19:26:59 UTC 2019


Jeff, typically your rule manager (suricata-update) will handle flowbit
dependencies. Otherwise, you'd want to disable those rules locally. Your
issue is from having disabled the INFO ruleset, so enabling those rules will
also resolve this issue.

-T

On Wed, Feb 27, 2019 at 1:43 PM Jeff Dyke <jeff.dyke at gmail.com> wrote:

> after implementing the suricata-update flow that i require, i was testing
> it out in my staging environment, which is also public, so i run suricata
> seriously in staging.  I see, after reloading rules, warnings about
> flowbits being checked but not set (examples below).  I have read some
> documentation about this and most/all of these do indeed have a rule with
> isset:foo.flowbit, but there is not a rule for set:foo.flowbit.
>
> Is this something folks are fixing themselves, an oddity i introduced, or
> incomplete rules from, mostly, emerging-threat rule files?  I understand
> these are just warnings but the isset rule can not be reached b/c there
> is no set rule, from my readings.
>
> I saw the same warnings in my dev environment as well.
>
> Thanks
> Jeff
>
> 27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2016396 and 3 other sigs
> 27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 5 other sigs
> 27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017246 and 1 other sigs
> 27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
> 27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017756 and 15 other sigs
> 27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other sigs
> 27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
> 27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
> 27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
> 27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
> 27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 11 other sigs
> 27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
> 27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
> 27/2/2019 -- 20:31:58 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/



-- 
PGP: ABE625E6
keybase.io/travisbgreen
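To see which disabled rule a "checked but not set" warning points at, the following added example (not code from the thread, Suricata or suricata-update) reproduces the check locally: it parses a rules file, treats "#"-prefixed rules as disabled, and reports every flowbit that an enabled rule checks with isset/isnotset while no enabled rule sets or toggles it, together with the disabled SIDs that would set it. The sample rules and SIDs 9000001-9000004 are constructed for the demo; the flowbit names are taken from the warnings above.

```python
import re
from collections import defaultdict

# Constructed sample (not the ET ruleset): the INFO-style setter for ET.wininet.UA is
# commented out, which orphans the rule that checks it; et.http.PK keeps its setter.
SAMPLE_RULES = """\
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"sample INFO setter"; flowbits:set,ET.wininet.UA; flowbits:noalert; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"sample checker"; flowbits:isset,ET.wininet.UA; sid:9000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"sample setter kept"; flowbits:set,et.http.PK; flowbits:noalert; sid:9000003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"sample checker kept"; flowbits:isset,et.http.PK; sid:9000004; rev:1;)
"""

RULE_START = re.compile(r"^#?\s*(alert|drop|pass|reject)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits\s*:\s*([^;]+);")
SETTERS, CHECKERS = {"set", "toggle"}, {"isset", "isnotset"}

def parse_rules(text):
    """Yield (enabled, sid, [(command, flowbit), ...]) for every rule line, disabled ones included."""
    for line in text.splitlines():
        line = line.strip()
        if not RULE_START.match(line):
            continue                      # blank line or ordinary comment
        enabled = not line.startswith("#")
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue                      # not a real rule (e.g. a commented-out sentence)
        ops = []
        for opt in FLOWBITS_RE.findall(line):
            cmd, _, names = opt.partition(",")
            cmd = cmd.strip().lower()
            if cmd in SETTERS | CHECKERS:  # noalert/unset/setx do not affect the check
                ops.extend((cmd, n.strip()) for n in re.split(r"[&|]", names))
        yield enabled, int(sid_m.group(1)), ops

def find_orphaned_flowbits(text):
    """Return {flowbit: {"checked_by": [sids], "set_by_disabled": [sids]}} for bits that
    enabled rules check but no enabled rule sets or toggles (Suricata's warning condition)."""
    checked = defaultdict(set)      # flowbit -> SIDs of enabled rules checking it
    setters = defaultdict(list)     # flowbit -> [(sid, enabled)] for rules setting it
    for enabled, sid, ops in parse_rules(text):
        for cmd, name in ops:
            if cmd in CHECKERS and enabled:
                checked[name].add(sid)
            elif cmd in SETTERS:
                setters[name].append((sid, enabled))
    return {
        name: {"checked_by": sorted(sids),
               "set_by_disabled": sorted(s for s, on in setters[name] if not on)}
        for name, sids in sorted(checked.items())
        if not any(on for _, on in setters[name])
    }
```

Run against the live rules file (e.g. the one suricata-update writes) to map each warning in the log to the SIDs to re-enable or to the checker rules to disable instead.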