OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Cljackhammer on September 30, 2024, 12:28:12 PM

Title: Proofpoint Telemetry Flowbit Issues.
Post by: Cljackhammer on September 30, 2024, 12:28:12 PM
When is the proofpoint team going to address this issue? It started happening 3 weeks ago and I didn't make any configuration issues. I tried deleting all of the rulesets and re-downloaded.

2024-09-30T06:01:05-04:00   Warning   suricata   [100908] <Warning> -- flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 1 other sigs   
2024-09-30T06:01:05-04:00   Warning   suricata   [100908] <Warning> -- flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 0 other sigs
Title: Re: Proofpoint Telemetry Flowbit Issues.
Post by: someone on October 06, 2024, 07:40:18 PM
You might ask that question in the Suricata forum and see what they say.
I too see that, but on other rules; not sure yet what it means, or how to correct it.
Title: Re: Proofpoint Telemetry Flowbit Issues.
Post by: ETOzurie on November 24, 2024, 10:02:19 PM
Hi, I'm a malware analyst & rule writer on the Emerging Threats team.  I have personally developed a fix for this issue which as far as I'm aware, should now be live.  You should no longer be having flowbit dependency issues.
Title: Re: Proofpoint Telemetry Flowbit Issues.
Post by: jonny5 on November 25, 2024, 05:00:09 PM
There are only a few flowbit mentions in my logs. For anyone else tracking, these are what I see with almost all rules (998 disabled of 215144 total) enabled:

To any wanting to share/check:
grep -vE '(alert|anomaly)' suricata_20241125.log | cut -w -f 10- | sort | uniq | grep flowbit

My output:

<Warning> -- flowbit 'file.doc&file.ole' is checked but not set. Checked in 17301 and 3 other sigs
<Warning> -- flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
<Warning> -- flowbit 'file.ppsx&file.zip' is checked but not set. Checked in 26068 and 1 other sigs
<Warning> -- flowbit 'file.quicktime&file.swf' is checked but not set. Checked in 24672 and 0 other sigs
<Warning> -- flowbit 'file.rjs&file.zip' is checked but not set. Checked in 17461 and 0 other sigs
<Warning> -- flowbit 'file.visio&file.ole' is checked but not set. Checked in 11836 and 1 other sigs
<Warning> -- flowbit 'file.xls&file.ole' is checked but not set. Checked in 19943 and 10 other sigs
<Warning> -- flowbit 'file.xps&file.zip' is checked but not set. Checked in 45776 and 1 other sigs
<Warning> -- flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 25035 and 7 other sigs
<Warning> -- flowbit 'glassfish_unauth_attempt' is checked but not set. Checked in 20160 and 0 other sigs


Pretty sure there used to be more, so I can mention that this feels like an improvement, thank you!
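An added example (not from this thread, OPNsense, Suricata or the Emerging Threats team) to make the warning concrete: Suricata prints "flowbit X is checked but not set" at startup when some enabled rule uses flowbits:isset (or isnotset) on a name that no enabled rule ever sets, which is typically what happens when a "setter" signature is disabled or dropped from the ruleset while its dependants stay enabled. The script below reproduces that dependency check over a small constructed rule set (sids 1000001-1000004 and the et.demo.* flowbit names are invented), and, in the spirit of the grep one-liner above, deduplicates the same warning lines from a suricata.log excerpt. The log lines are the ones quoted earlier in the thread plus one constructed Notice line; splitting compound names on & and | is this example's own interpretation, not a claim about how Suricata words the warning for them.

```python
"""Added example: mimic Suricata's 'flowbit checked but not set' analysis
over rule text, and summarise the resulting warnings from suricata.log."""
import re
from collections import defaultdict

# Constructed rules (sids and flowbit names are invented for this example).
# 1000001 sets et.demo.PK and 1000002 checks it -> satisfied dependency.
# 1000003 checks et.demo.MCOFF, but its only setter (1000004) is commented
# out, i.e. disabled -> orphaned check, exactly the condition Suricata warns on.
SAMPLE_RULES = r"""
alert http any any -> any any (msg:"DEMO PK header seen"; flow:established,to_client; file_data; content:"PK"; depth:2; flowbits:set,et.demo.PK; flowbits:noalert; sid:1000001; rev:1;)
alert http any any -> any any (msg:"DEMO exe inside zip"; flow:established,to_client; flowbits:isset,et.demo.PK; content:"evil.exe"; sid:1000002; rev:1;)
alert http any any -> any any (msg:"DEMO macro in office doc"; flow:established,to_client; flowbits:isset,et.demo.MCOFF; content:"vbaProject"; sid:1000003; rev:1;)
# alert http any any -> any any (msg:"DEMO MCOFF setter (disabled)"; flowbits:set,et.demo.MCOFF; flowbits:noalert; sid:1000004; rev:1;)
"""

FLOWBITS_RE = re.compile(r"flowbits:\s*(set|isset|isnotset|unset|toggle)\s*,\s*([^;]+);")
SID_RE = re.compile(r"sid:\s*(\d+)\s*;")


def orphan_flowbits(rules_text):
    """Return {flowbit: [sids]} for flowbits that some enabled rule checks
    (isset/isnotset) but no enabled rule sets or toggles."""
    setters = set()
    checkers = defaultdict(list)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # disabled rules are ignored
            continue
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        for op, name in FLOWBITS_RE.findall(line):
            # Assumption of this example: treat 'a&b' / 'a|b' as separate names.
            names = [n.strip() for n in re.split(r"[&|]", name)]
            if op in ("set", "toggle"):
                setters.update(names)
            elif op in ("isset", "isnotset"):
                for n in names:
                    checkers[n].append(sid)
    return {fb: sids for fb, sids in checkers.items() if fb not in setters}


# Log excerpt: two warning lines quoted from the thread, one constructed
# Notice line, and a repeat of the first warning to show deduplication.
SAMPLE_LOG = """\
2024-09-30T06:01:05-04:00   Warning   suricata   [100908] <Warning> -- flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 1 other sigs
2024-09-30T06:01:05-04:00   Warning   suricata   [100908] <Warning> -- flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 0 other sigs
2024-09-30T06:01:06-04:00   Notice   suricata   [100908] <Notice> -- engine started (constructed line)
2024-09-30T06:01:05-04:00   Warning   suricata   [100908] <Warning> -- flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 1 other sigs
"""

WARN_RE = re.compile(
    r"flowbit '([^']+)' is checked but not set\. Checked in (\d+) and (\d+) other sigs")


def summarize_log(log_text):
    """Deduplicate the warnings: {flowbit: (first_checking_sid, other_sig_count)}."""
    found = {}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            found[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return found


if __name__ == "__main__":
    print("orphaned flowbits in rule set:")
    for fb, sids in orphan_flowbits(SAMPLE_RULES).items():
        print(f"  {fb}: checked in {sids}, never set by an enabled rule")
    print("warnings seen in log:")
    for fb, (sid, others) in summarize_log(SAMPLE_LOG).items():
        print(f"  {fb}: sid {sid} and {others} other sigs")
```

Running it prints et.demo.MCOFF as the orphan, since 1000004 is disabled; uncomment that rule and the warning disappears, which is the same relationship a ruleset update (or re-enabling the setter signature in OPNsense's rule policy) restores for the real et.http.PK / et.MCOFF warnings. The orphaned check is not an error in detection terms, just a rule whose isset condition can never be true, so the dependent signature silently never fires.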
Title: Re: Proofpoint Telemetry Flowbit Issues.
Post by: Cljackhammer on November 28, 2024, 06:05:11 PM
Quote from: ETOzurie on November 24, 2024, 10:02:19 PM
Hi, I'm a malware analyst & rule writer on the Emerging Threats team.  I have personally developed a fix for this issue which as far as I'm aware, should now be live.  You should no longer be having flowbit dependency issues.


Hi ETOzurie,

I don't believe that the fix is available yet. I'm still experiencing the issue. Do I need to make any configuration changes for the fix to be enabled?

2024-11-28T12:01:00-05:00   Warning   suricata   [100463] <Warning> -- flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 1 other sigs   
2024-11-28T12:01:00-05:00   Warning   suricata   [100463] <Warning> -- flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 0 other sigs