Support #2702
closed
Please advise on warning log about "detect-flowbits.c:480".
Added by prasert sook over 5 years ago.
Updated over 5 years ago.
Description
Please advise on the warning below. Thanks a lot.
[6120] 21/11/2018 -- 17:34:14 - (detect-flowbits.c:480) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BSis.vnc.setup' is checked but not set. Checked in 2002914 and 3 other sigs
[6120] 21/11/2018 -- 17:34:14 - (detect-flowbits.c:480) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BSvnc.null.auth.sent' is checked but not set. Checked in 2002917 and 0 other sigs
[6120] 21/11/2018 -- 17:34:14 - (detect-flowbits.c:480) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BSvnc.auth.agreed' is checked but not set. Checked in 2002921 and 0 other sigs
[6120] 21/11/2018 -- 17:34:14 - (detect-flowbits.c:480) <Warning> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Netwire.HB.1' is checked but not set. Checked in 2018282 and 0 other sigs
Well, what sort of help do you need? You need to look into the rules: they check for flowbits that are not set in any other rule, so it doesn't make much sense.
Andreas Herz wrote:
Well, what sort of help do you need? You need to look into the rules: they check for flowbits that are not set in any other rule, so it doesn't make much sense.
First of all, sorry that the version was wrong; the one I'm using is 4.1.0.
Before this I used 4.0.5 and this warning did not appear, but after upgrading to 4.1.0 the warning messages appeared as above. After I commented out the rule for the SID, for example as below, the warning messages disappeared.
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server VNC Auth Offer"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:20; content:"|00 00 00 02|"; depth:4; flowbits:noalert; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002914; classtype:misc-activity; sid:2002914; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Is it OK to do this? Will there be any impact, i.e. will this kind of virus no longer be detected? Thanks a lot for your advice.
We recommend using suricata-update for downloading and updating the rules. It will automatically resolve flowbits issues.
The warning tells you a rule can never match. So you can disable it at no loss, but it's probably better to enable the rule(s) that set the flowbit. Again, suricata-update automates this for you.
- Effort deleted (low)
- Affected Versions 4.1 added
- Affected Versions deleted (4.0.1)
- Difficulty deleted (medium)
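To make the two points above concrete (a "checked but not set" flowbit means the checking rule can never match, and the fix is to enable the rule that sets the bit rather than to comment out the checker), here is an added example that is not part of the ticket, of Suricata, or of suricata-update. It re-implements, in simplified form, what DetectFlowbitsAnalyze reports and what suricata-update's flowbit resolution does: parse a rules file, list bits that enabled rules check but no enabled rule sets, then re-enable commented-out rules that set such bits, repeating until nothing changes. The rule set, the SIDs 90000xx and the rule text are constructed for the example; treating toggle as a setter and the single-line, one-sid-per-rule parsing are assumptions, and a content match containing a literal ';' would confuse the flowbits regex.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample rule set (not the real ET rules), modelled on the thread:
# the rule that sets BSis.vnc.setup is disabled with '#', a later rule checks it,
# and one rule checks ET.Netwire.HB.1 which nothing in the file sets.
SAMPLE_RULES = r'''
# ET rules excerpt (constructed for this example)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE VNC Server Version"; flow:established; content:"RFB "; depth:4; flowbits:set,BSis.vnc.setup; flowbits:noalert; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE VNC Auth Offer"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:20; content:"|00 00 00 02|"; depth:4; flowbits:noalert; flowbits:set,BSvnc.auth.offered; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE VNC Auth Agreed"; flowbits:isset,BSvnc.auth.offered; flow:established; content:"|00 00 00 00|"; depth:4; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Orphan check"; flowbits:isset,ET.Netwire.HB.1; flow:established; content:"X"; sid:9000004; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE toggle"; flowbits:toggle,some.bit; sid:9000005; rev:1;)
'''

RULE_RE = re.compile(r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
FLOWBITS_RE = re.compile(r'\bflowbits\s*:\s*(?P<cmd>\w+)\s*(?:,\s*(?P<name>[^;]+?)\s*)?;')

# Assumption: toggle can turn a bit on, so it counts as a setter. unset/noalert never do.
SETTERS = {"set", "toggle"}
CHECKERS = {"isset", "isnotset"}

Rule = Tuple[int, bool, Set[str], Set[str]]  # (sid, disabled, bits set, bits checked)


def parse_rules(text: str) -> List[Rule]:
    """One rule per line; a leading '#' before the action marks it disabled."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and ordinary comments
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue
        sets: Set[str] = set()
        checks: Set[str] = set()
        for fb in FLOWBITS_RE.finditer(line):
            cmd, name = fb.group("cmd").lower(), fb.group("name")
            if name is None:
                continue  # flowbits:noalert carries no bit name
            if cmd in SETTERS:
                sets.add(name)
            elif cmd in CHECKERS:
                checks.add(name)
        rules.append((int(sid_m.group(1)), m.group("disabled") is not None, sets, checks))
    return rules


def checked_but_not_set(rules: List[Rule]) -> Dict[str, List[int]]:
    """Bits that enabled rules check but no enabled rule sets: {bit: sorted checking sids}."""
    set_by_enabled: Set[str] = set()
    for _, disabled, sets, _ in rules:
        if not disabled:
            set_by_enabled |= sets
    orphans: Dict[str, List[int]] = {}
    for sid, disabled, _, checks in rules:
        if disabled:
            continue
        for bit in checks - set_by_enabled:
            orphans.setdefault(bit, []).append(sid)
    return {bit: sorted(sids) for bit, sids in orphans.items()}


def format_warnings(orphans: Dict[str, List[int]]) -> List[str]:
    """Same wording as the SC_WARN_FLOWBIT lines quoted in the ticket."""
    return [
        f"flowbit '{bit}' is checked but not set. Checked in {sids[0]} and {len(sids) - 1} other sigs"
        for bit, sids in sorted(orphans.items())
    ]


def resolve_flowbits(text: str) -> Tuple[str, List[int], List[str]]:
    """Uncomment disabled rules that set an orphan bit, to a fixpoint (an enabled setter
    may itself check another bit). Returns (new text, sids enabled, bits still orphaned)."""
    lines = text.splitlines()
    enabled: Set[int] = set()
    while True:
        rules = parse_rules("\n".join(lines))
        orphans = checked_but_not_set(rules)
        candidates = {sid for sid, disabled, sets, _ in rules if disabled and sets & set(orphans)}
        if not candidates:
            return "\n".join(lines), sorted(enabled), sorted(orphans)
        new_lines = []
        for line in lines:
            stripped = line.strip()
            m = RULE_RE.match(stripped)
            sid_m = SID_RE.search(stripped)
            if m and m.group("disabled") and sid_m and int(sid_m.group(1)) in candidates:
                line = stripped[len(m.group("disabled")):]  # drop the leading '#'
                enabled.add(int(sid_m.group(1)))
            new_lines.append(line)
        lines = new_lines


if __name__ == "__main__":
    for w in format_warnings(checked_but_not_set(parse_rules(SAMPLE_RULES))):
        print("before:", w)
    _, enabled_sids, left = resolve_flowbits(SAMPLE_RULES)
    print("enabled setters:", enabled_sids)
    print("still unresolved (no setter anywhere, safe to disable):", left)
```

On the constructed file this reports BSis.vnc.setup and ET.Netwire.HB.1 as orphans, re-enables sid 9000001 to fix the first, and leaves ET.Netwire.HB.1 as a bit that nothing in the file sets, which is the case where disabling the checking rule loses nothing.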
Victor Julien wrote:
We recommend using suricata-update for downloading and updating the rules. It will automatically resolve flowbits issues.
The warning tells you a rule can never match. So you can disable it at no loss, but it's probably better to enable the rule(s) that set the flowbit. Again, suricata-update automates this for you.
Thanks a lot, Victor. The issue is fixed by following your solution.
- Status changed from New to Closed