List: snort-users
Subject: Re: [Snort-users] Flowbit Dependencies
From: Photius Orfanidis <photiorfanidis () telstra ! com>
Date: 2017-09-20 14:36:59
Message-ID: 38A964D3-7060-46D6-9455-1B71F1EB9730 () telstra ! com
Hi Dave!
If you want a really easy setup and network configuration, try using Snort with pfSense. It works like a charm without any errors, even with advanced configuration(s), in my experience.
Cheers :)
Photius
> On 20 Sep 2017, at 10:58 pm, Sam Hodgson <sam.hodgson@perfect-image.co.uk> wrote:
>
> Hi All,
>
> Snort noob here; I have it up and running on CentOS 7, however I'm seeing lots of this on startup:
>
> WARNING: flowbits key 'file.search-ms' is set but not ever checked.
> WARNING: flowbits key 'file.flac' is set but not ever checked.
> 328 out of 1024 flowbits in use.
>
> I'm running pulledpork, which updates without error; I understand it would potentially automatically resolve the above, however that's not the case for some reason.
>
> The large majority of the unchecked flowbits are file.xxx, and as a test case I can see that file.flac is referenced multiple times in /etc/snort/rules/file-multimedia.rules:
>
> # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FLAC libFLAC picture metadata buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.flac; file_data; content:"fLaC"; content:"|06|"; content:"|FF FF FF FF|"; within:4; distance:7; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12745; rev:13;)
>
> Upon updating I see:
>
> Rule Stats...
> New:-------10561
> Deleted:---0
> Enabled Rules:----11067
> Dropped Rules:----0
> Disabled Rules:---32670
> Total Rules:------43737
>
> I've read that not all are enabled by default out of the box for performance reasons. Is that correct, and is that the reason behind the flowbit warnings?
>
> Any input is greatly appreciated!
>
> Thanks
>
> Sam
>
> _______________________________________________ Snort-users mailing list
> Snort-users@lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
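The warning in the quoted message means a rule that sets a flowbit is enabled while every rule that checks it (flowbits:isset) is commented out. The script below is an added example, not code from the thread, from Snort or from PulledPork: it parses a rules file and, for each key set by an enabled rule, lists the disabled sids that would check it, so you can decide whether to enable those or disable the setter. The sample rules are constructed; sid:12745 and file.flac come from the thread, while demo.key and the EXAMPLE sids are made up.

```python
import re
from collections import defaultdict

# Constructed sample ruleset (not from the page or the Snort ruleset): an enabled
# rule that sets file.flac, the disabled (commented-out) sid:12745 that checks it,
# and an enabled set/isset pair for a made-up key so the report has a healthy case.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXAMPLE FLAC magic"; flow:to_client,established; file_data; content:"fLaC"; depth:4; flowbits:set,file.flac; flowbits:noalert; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FLAC libFLAC picture metadata buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.flac; file_data; content:"fLaC"; sid:12745; rev:13;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXAMPLE set demo.key"; flow:to_server,established; content:"HELLO"; flowbits:set,demo.key; flowbits:noalert; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXAMPLE check demo.key"; flow:to_server,established; flowbits:isset,demo.key; content:"PAYLOAD"; sid:9000003; rev:1;)
'''

ACTIONS = ('alert', 'drop', 'log', 'pass', 'reject', 'sdrop')
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]+))?;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def parse_rules(text):
    """Yield (enabled, sid, [(op, [keys])]) per rule; a leading '#' marks a disabled rule."""
    for raw in text.splitlines():
        line = raw.strip()
        body = line.lstrip('# ')
        if not body.startswith(ACTIONS):
            continue  # blank line or ordinary comment, not a disabled rule
        enabled = not line.startswith('#')
        sid_m = SID_RE.search(body)
        sid = int(sid_m.group(1)) if sid_m else None
        ops = []
        for op, arg in FLOWBITS_RE.findall(body):
            # isset/isnotset may name several keys joined by '&' or '|'; split on both
            ops.append((op, [k.strip() for k in re.split(r'[&|]', arg) if k.strip()]))
        yield enabled, sid, ops

def unchecked_flowbits(text):
    """Map each key that is set by an enabled rule but checked by no enabled rule to the
    sids that set it and the disabled sids that would check it (enable those, or
    disable the setter, to silence Snort's 'set but not ever checked' warning)."""
    setters = defaultdict(list)
    checkers = defaultdict(lambda: {True: [], False: []})
    for enabled, sid, ops in parse_rules(text):
        for op, keys in ops:
            for key in keys:
                if op in ('set', 'setx', 'toggle') and enabled:
                    setters[key].append(sid)
                elif op in ('isset', 'isnotset'):
                    checkers[key][enabled].append(sid)
    return {key: {'set_by': sids, 'checked_by_disabled': checkers[key][False]}
            for key, sids in setters.items() if not checkers[key][True]}

if __name__ == '__main__':
    for key, info in unchecked_flowbits(SAMPLE_RULES).items():
        print(f"{key}: set by {info['set_by']}, checked only by disabled {info['checked_by_disabled']}")
```

Point it at the concatenated contents of /etc/snort/rules/*.rules to see, for every warned key, which disabled rules PulledPork would need to enable.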