Support #2702 (closed)
Please help advise on warning log about "detect-flowbits.c:480".
Description
Please help advise on the warning below. Thanks a lot.
[6120] 21/11/2018 -- 17:34:14 - (detect-flowbits.c:480) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BSis.vnc.setup' is checked but not set. Checked in 2002914 and 3 other sigs
[6120] 21/11/2018 -- 17:34:14 - (detect-flowbits.c:480) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BSvnc.null.auth.sent' is checked but not set. Checked in 2002917 and 0 other sigs
[6120] 21/11/2018 -- 17:34:14 - (detect-flowbits.c:480) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BSvnc.auth.agreed' is checked but not set. Checked in 2002921 and 0 other sigs
[6120] 21/11/2018 -- 17:34:14 - (detect-flowbits.c:480) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Netwire.HB.1' is checked but not set. Checked in 2018282 and 0 other sigs
Updated by Andreas Herz over 5 years ago
Well, what sort of help do you need? You need to look into the rules; they check for flowbits that are not set in any other rule, so it doesn't make much sense.
Updated by prasert sook over 5 years ago
Andreas Herz wrote:
Well, what sort of help do you need? You need to look into the rules; they check for flowbits that are not set in any other rule, so it doesn't make much sense.
First of all, sorry that the version was wrong; the one that I'm using is 4.1.0.
Before this I used 4.0.5 and this warning did not appear, but after upgrading to 4.1.0 the warning messages appear as above. After I commented out the SID, for example as below, the warning messages disappeared.
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server VNC Auth Offer"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:20; content:"|00 00 00 02|"; depth:4; flowbits:noalert; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002914; classtype:misc-activity; sid:2002914; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Is it OK to do this? Will any impact occur, such that this kind of virus will not be detected? Thanks a lot for your advice.
Updated by Victor Julien over 5 years ago
We recommend using suricata-update for downloading and updating the rules. It will automatically resolve flowbits issues.
The warning tells you a rule can never match. So you can disable it at no loss, but it's probably better to enable the rule(s) that set the flowbit. Again, suricata-update automates this for you.
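The analysis behind this warning, and the fix suricata-update applies, can be reproduced offline on a rules file. The script below is an added example for this thread; it is not Suricata's or suricata-update's own code, and the rules, SIDs and flowbit names in SAMPLE_RULES are constructed for illustration (they are not the ET VNC rules). It treats a rule as disabled when its line is commented out with `#`, counts `flowbits:set`/`toggle` as setting a bit and `flowbits:isset` as checking it, reports every bit checked by an enabled rule but set by no enabled rule in the same wording as the Suricata log above, and then re-enables disabled setter rules until the set is consistent, repeating because a newly enabled setter may itself check a bit that another disabled rule sets. Splitting on `|` and `&` is an assumption to tolerate the combined isset syntax of later Suricata versions; it has no effect on single names.

```python
"""Flowbit dependency check and resolution for a Suricata rules file (added example)."""
import re
from dataclasses import dataclass, field

ACTIONS = ("alert", "drop", "reject", "pass")
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)(?:\s*,\s*([^;]+))?\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample: a three-rule VNC-style chain whose first setter is disabled,
# plus an orphan check no rule anywhere sets. SIDs are in the local range.
SAMPLE_RULES = """\
# The setter for the whole chain is disabled, which is what triggers the warning.
#alert tcp any any -> any 5900 (msg:"EXAMPLE VNC server greeting"; flow:established,to_client; content:"RFB 003."; depth:7; flowbits:set,example.vnc.setup; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE VNC auth offer"; flow:established; flowbits:isset,example.vnc.setup; content:"|00 00 00 02|"; depth:4; flowbits:set,example.vnc.auth.offered; flowbits:noalert; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE VNC auth agreed"; flow:established; flowbits:isset,example.vnc.auth.offered; content:"|00 00 00 00|"; depth:4; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE orphan check"; flow:established; flowbits:isset,example.never.set; content:"x"; sid:1000004; rev:1;)
"""


@dataclass
class Rule:
    sid: int
    enabled: bool
    text: str                      # rule body without the leading '#'
    sets: set = field(default_factory=set)
    checks: set = field(default_factory=set)


def parse_rules(text):
    """Parse one rule per line; '#'-prefixed rules are kept but marked disabled."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        first = body.split(None, 1)[0] if body else ""
        if first not in ACTIONS:
            continue                # an ordinary comment, not a disabled rule
        m = SID_RE.search(body)
        if m is None:
            continue
        rule = Rule(sid=int(m.group(1)), enabled=enabled, text=body)
        for cmd, arg in FLOWBITS_RE.findall(body):
            names = {n.strip() for n in re.split(r"[|&]", arg) if n.strip()}
            if cmd in ("set", "toggle"):
                rule.sets |= names
            elif cmd == "isset":
                rule.checks |= names
        rules.append(rule)
    return rules


def checked_but_not_set(rules):
    """Return {flowbit: [checking SIDs]} for bits no *enabled* rule sets."""
    set_bits = {b for r in rules if r.enabled for b in r.sets}
    missing = {}
    for r in rules:
        if not r.enabled:
            continue
        for b in sorted(r.checks):
            if b not in set_bits:
                missing.setdefault(b, []).append(r.sid)
    return missing


def format_warnings(missing):
    """Render findings in the wording of Suricata's SC_WARN_FLOWBIT message."""
    return [
        f"flowbit '{bit}' is checked but not set. Checked in {sids[0]} and {len(sids) - 1} other sigs"
        for bit, sids in sorted(missing.items())
    ]


def resolve_flowbits(rules):
    """Enable disabled rules that set a missing bit; loop until nothing changes."""
    enabled_now = []
    while True:
        missing = checked_but_not_set(rules)
        changed = False
        for r in rules:
            if not r.enabled and r.sets.intersection(missing):
                r.enabled = True
                enabled_now.append(r.sid)
                changed = True
        if not changed:
            return enabled_now


def render(rules):
    """Write the rules back out, '#'-prefixing those still disabled."""
    return "\n".join(r.text if r.enabled else "#" + r.text for r in rules)


def analyze(text):
    """Warnings before resolution, SIDs enabled by it, warnings that remain."""
    rules = parse_rules(text)
    before = format_warnings(checked_but_not_set(rules))
    enabled = resolve_flowbits(rules)
    after = format_warnings(checked_but_not_set(rules))
    return before, enabled, after


if __name__ == "__main__":
    before, enabled, after = analyze(SAMPLE_RULES)
    print("before:", *before, sep="\n  ")
    print("enabled setters:", enabled)
    print("remaining:", *after, sep="\n  ")
```

On the sample, both 1000002 (setup bit) and 1000004 (orphan bit) are reported first; resolution enables only 1000001, after which the chain 1000001 -> 1000002 -> 1000003 is consistent. The orphan check on 1000004 stays reported because no rule, enabled or disabled, sets its bit: that is the case where the rule can never match and disabling it loses nothing.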
Updated by Victor Julien over 5 years ago
- Effort deleted (low)
- Affected Versions 4.1 added
- Affected Versions deleted (4.0.1)
Updated by prasert sook over 5 years ago
Victor Julien wrote:
We recommend using suricata-update for downloading and updating the rules. It will automatically resolve flowbits issues.
The warning tells you a rule can never match. So you can disable it at no loss, but it's probably better to enable the rule(s) that set the flowbit. Again, suricata-update automates this for you.
Thanks a lot Victor. The issue is fixed, referring to your solution.