Snort mailing list archives
Flowbit Dependencies
From: Sam Hodgson <sam.hodgson () perfect-image co uk>
Date: Wed, 20 Sep 2017 12:58:15 +0000
Hi All,
Snort noob here. I have it up and running on CentOS 7, however I'm seeing lots of this on startup:
WARNING: flowbits key 'file.search-ms' is set but not ever checked.
WARNING: flowbits key 'file.flac' is set but not ever checked.
328 out of 1024 flowbits in use.
I'm running PulledPork, which updates without error. I understand it would potentially resolve the above automatically, however that is not the case for some reason.
The large majority of the unchecked flowbits are file.xxx, and as a test case I can see that file.flac is referenced multiple times in /etc/snort/rules/file-multimedia.rules:
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FLAC libFLAC picture metadata buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.flac; file_data; content:"fLaC"; content:"|06|"; content:"|FF FF FF FF|"; within:4; distance:7; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12745; rev:13;)
Upon updating I see:
Rule Stats...
New:-------10561
Deleted:---0
Enabled Rules:----11067
Dropped Rules:----0
Disabled Rules:---32670
Total Rules:------43737
I've read that not all rules are enabled by default out of the box for performance reasons. Is that correct, and is that the reason behind the flowbit warnings?
Any input is greatly appreciated!
Thanks
Sam
________________________________
Equinox House | Cobalt 3.2 | Cobalt Business Park | Silver Fox Way | North Tyneside | Newcastle upon Tyne | NE27 0QJ
T. 0191 238 0111 | F. 0191 238 0127 | Service Desk Direct Line. 0191 238 0121
Perfect Image Ltd. Registered in England & Wales. Company Registration Number: 2650067
Registered Office: Equinox House, Cobalt 3.2, Cobalt Business Park, Silver Fox Way, North Tyneside, Newcastle upon
Tyne, NE27 0QJ
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
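The warning in the post comes from Snort's startup check: a key appears in a flowbits:set in some enabled rule, but no enabled rule tests it with flowbits:isset/isnotset. Rules that PulledPork left commented out with '#' (like the FLAC rule quoted above) are invisible to Snort, so they cannot satisfy the check. The script below, an added example that is not part of the post and not PulledPork's or Snort's own code, reproduces that check over a rules directory and, for each unchecked key, lists the disabled rules that would check it if enabled. It assumes the Snort 2.9 flowbits syntax (set/setx/toggle write a bit; isset/isnotset test one; '&' and '|' join several bits; an optional trailing group name); the embedded sample rules and their sids in the local 1000000+ range are constructed for the demonstration.

```python
"""Find Snort flowbits that are set by an enabled rule but never checked.

Snort 2.9 warns at startup with
  WARNING: flowbits key 'X' is set but not ever checked.
when an enabled rule does flowbits:set,X and no enabled rule does
flowbits:isset/isnotset on X.  A rule commented out with '#' is not loaded,
so a checker that PulledPork left disabled still produces the warning.
"""
import re
import sys
from collections import defaultdict
from pathlib import Path

# Operators that write a bit vs. those that test one (Snort 2.9 flowbits syntax).
SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}

FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]*))?;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample (not real VRT rules; sids are in the local 1000000+ range):
#  1000001 sets file.flac (enabled)     1000002 checks file.flac but is disabled
#  1000003 sets file.search-ms, nothing checks it at all
#  1000004 sets file.pdf and enabled rule 1000005 checks it -> no warning
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SAMPLE FLAC magic"; flow:to_client,established; file_data; content:"fLaC"; depth:4; flowbits:set,file.flac; flowbits:noalert; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SAMPLE FLAC overflow attempt"; flow:to_client,established; flowbits:isset,file.flac; file_data; content:"|FF FF FF FF|"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SAMPLE search-ms magic"; flow:to_client,established; flowbits:set,file.search-ms; flowbits:noalert; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SAMPLE PDF magic"; flow:to_client,established; file_data; content:"%PDF"; depth:4; flowbits:set,file.pdf; flowbits:noalert; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SAMPLE PDF exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; sid:1000005; rev:1;)
"""


def flowbit_keys(arg):
    """Split a flowbits argument into bit names.

    'file.flac' -> ['file.flac'];  'a&b' or 'a|b' -> ['a', 'b'];
    'file.flac,mygroup' -> ['file.flac'] (the optional group name is dropped).
    """
    if not arg:
        return []
    bits = arg.split(",")[0]
    return [b.strip() for b in re.split(r"[&|]", bits) if b.strip()]


def parse_rules(text):
    """Yield (enabled, sid, [(op, arg), ...]) for each rule line using flowbits."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")      # '#' means the rule is not loaded
        rule = line.lstrip("#").strip()
        ops = FLOWBITS_RE.findall(rule)
        if not ops:
            continue
        m = SID_RE.search(rule)
        yield enabled, (int(m.group(1)) if m else None), ops


def unchecked_flowbits(text):
    """Return {key: [disabled sids that would check key]} for every key that is
    set by an enabled rule but checked by no enabled rule, i.e. the set of
    keys Snort warns about at startup.  An empty list means no rule, enabled
    or disabled, checks that key at all.
    """
    set_enabled, checked_enabled = set(), set()
    checked_disabled = defaultdict(list)
    for enabled, sid, ops in parse_rules(text):
        for op, arg in ops:
            for key in flowbit_keys(arg):
                if op in SETTERS and enabled:
                    set_enabled.add(key)
                elif op in CHECKERS:
                    if enabled:
                        checked_enabled.add(key)
                    else:
                        checked_disabled[key].append(sid)
    return {key: checked_disabled.get(key, [])
            for key in sorted(set_enabled - checked_enabled)}


def scan_rules_dir(rules_dir):
    """Concatenate every *.rules file under rules_dir (e.g. /etc/snort/rules)."""
    return "\n".join(p.read_text(errors="replace")
                     for p in sorted(Path(rules_dir).glob("*.rules")))


if __name__ == "__main__":
    text = scan_rules_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RULES
    for key, sids in unchecked_flowbits(text).items():
        hint = f"disabled checkers: {sids}" if sids else "no rule checks this key"
        print(f"flowbits key '{key}' is set but never checked ({hint})")
```

Run it as `python3 flowbit_check.py /etc/snort/rules` to get the same key list Snort prints, plus the sids of the commented-out rules that would clear each warning; those are the rules to enable (for example via a PulledPork enablesid entry) if the detection they provide is wanted, and otherwise the warnings are harmless noise from the set-only side of each file-identify rule.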
Current thread:
- Flowbit Dependencies Sam Hodgson (Sep 20)
- Re: Flowbit Dependencies Photius Orfanidis (Sep 20)
