Proofpoint Telemetry Flowbit Issues.

Started by Cljackhammer, September 30, 2024, 12:28:12 PM

When is the proofpoint team going to address this issue? It started happening 3 weeks ago and I didn't make any configuration issues. I tried deleting all of the rulesets and re-downloading them.

2024-09-30T06:01:05-04:00   Warning   suricata   [100908] <Warning> -- flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 1 other sigs   
2024-09-30T06:01:05-04:00   Warning   suricata   [100908] <Warning> -- flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 0 other sigs

you might ask that question in suricata forum and see what they say
I too see that but on other rules, not sure yet what it means, or how to correct

Hi, I'm a malware analyst & rule writer on the Emerging Threats team.  I have personally developed a fix for this issue which as far as I'm aware, should now be live.  You should no longer be having flowbit dependency issues.
Malware Analyst & Detection Engineer @ Emerging Threats/Proofpoint

There are only a few flowbit mentions in my logs. For anyone else tracking this, here is what I see with almost all rules enabled (998 disabled of 215144 total):

To any wanting to share/check:
grep -vE '(alert|anomaly)' suricata_20241125.log | cut -w -f 10- | sort | uniq | grep flowbit

My output:

<Warning> -- flowbit 'file.doc&file.ole' is checked but not set. Checked in 17301 and 3 other sigs
<Warning> -- flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
<Warning> -- flowbit 'file.ppsx&file.zip' is checked but not set. Checked in 26068 and 1 other sigs
<Warning> -- flowbit 'file.quicktime&file.swf' is checked but not set. Checked in 24672 and 0 other sigs
<Warning> -- flowbit 'file.rjs&file.zip' is checked but not set. Checked in 17461 and 0 other sigs
<Warning> -- flowbit 'file.visio&file.ole' is checked but not set. Checked in 11836 and 1 other sigs
<Warning> -- flowbit 'file.xls&file.ole' is checked but not set. Checked in 19943 and 10 other sigs
<Warning> -- flowbit 'file.xps&file.zip' is checked but not set. Checked in 45776 and 1 other sigs
<Warning> -- flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 25035 and 7 other sigs
<Warning> -- flowbit 'glassfish_unauth_attempt' is checked but not set. Checked in 20160 and 0 other sigs


Pretty sure there used to be more, so I can mention that this feels like an improvement, thank you!
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA
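For anyone who wants to go one step further than the grep pipeline above and find out which enabled rule is supposed to set a warned-about bit, here is a small added example that cross-checks a ruleset the same way Suricata does at startup: collect every flowbit that is set or toggled by an enabled rule, collect every bit that is checked with isset/isnotset, and report the checked names that have no setter. It also parses the warning lines from the log into a name -> (first sid, number of checking sigs) table. This is not code from the forum thread, OPNsense, Suricata or Emerging Threats; the rules and log lines in it are constructed samples with placeholder sids in the 9000000 range, and names are compared literally, exactly as the quoted warnings do (a name like 'file.doc&file.ole' is treated as one bit).

```python
"""Cross-check Suricata flowbits: which bits are checked but never set?

Added example for this thread; it is not code from OPNsense, Suricata or
Emerging Threats. The rules and log lines below are constructed samples with
placeholder sids in the 9000000 range.
"""
import re
from collections import defaultdict

# Constructed sample rules: one setter, two satisfied checkers, one checker
# whose setter is commented out (disabled), and one bit nobody ever sets.
SAMPLE_RULES = r"""
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE marker set"; flowbits:set,example.zip; flowbits:noalert; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE depends on marker"; flowbits:isset,example.zip; sid:9000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE negated check"; flowbits:isnotset,example.zip; sid:9000003; rev:1;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE disabled setter"; flowbits:set,example.ole; sid:9000004; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE setter is disabled"; flowbits:isset,example.ole; sid:9000005; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE no setter at all"; flowbits:isset,example.orphan; sid:9000006; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE second orphan check"; flowbits:isset,example.orphan; sid:9000007; rev:1;)
"""

# flowbits:<action>[,<name>];  -- name is absent for noalert
FLOWBITS_RE = re.compile(
    r"flowbits:\s*(set|unset|toggle|isset|isnotset|noalert)(?:\s*,\s*([^;]+?))?\s*;"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

SETTERS = {"set", "toggle"}       # actions that can make a bit true
CHECKERS = {"isset", "isnotset"}  # actions that depend on some rule setting the bit


def flowbit_dependencies(rule_text):
    """Return (set_bits, checked) where checked maps bit name -> sorted sids.

    Lines starting with '#' are disabled rules and are skipped, because a
    disabled setter is exactly what turns a working check into a warning.
    """
    set_bits = set()
    checked = defaultdict(set)
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_match = SID_RE.search(line)
        sid = int(sid_match.group(1)) if sid_match else None
        for action, name in FLOWBITS_RE.findall(line):
            if action in SETTERS:
                set_bits.add(name.strip())
            elif action in CHECKERS:
                checked[name.strip()].add(sid)
    return set_bits, {k: sorted(v) for k, v in checked.items()}


def checked_but_not_set(rule_text):
    """Bits with at least one check and no enabled setter, as {name: [sids]}.

    Names are compared literally, as the warnings quoted in this thread do.
    """
    set_bits, checked = flowbit_dependencies(rule_text)
    return {name: sids for name, sids in checked.items() if name not in set_bits}


# Constructed log lines in the same shape as the warnings posted in the thread.
SAMPLE_LOG = """\
2024-11-28T12:01:00-05:00   Warning   suricata   [100463] <Warning> -- flowbit 'example.ole' is checked but not set. Checked in 9000005 and 0 other sigs
2024-11-28T12:01:00-05:00   Warning   suricata   [100463] <Warning> -- flowbit 'example.orphan' is checked but not set. Checked in 9000006 and 1 other sigs
2024-11-28T12:01:01-05:00   Notice    suricata   [100463] <Notice> -- all 6 packet processing threads, 4 management threads initialized
"""

WARNING_RE = re.compile(
    r"flowbit '([^']+)' is checked but not set\. Checked in (\d+) and (\d+) other sigs"
)


def parse_flowbit_warnings(log_text):
    """Map each warned flowbit name to (first sid, total number of checking sigs)."""
    result = {}
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            name, first_sid, others = m.group(1), int(m.group(2)), int(m.group(3))
            result[name] = (first_sid, others + 1)
    return result


if __name__ == "__main__":
    for name, sids in sorted(checked_but_not_set(SAMPLE_RULES).items()):
        print(f"{name}: checked in {sids}, never set by an enabled rule")
    for name, (sid, total) in parse_flowbit_warnings(SAMPLE_LOG).items():
        print(f"log: {name} first reported for sid {sid}, {total} checking sigs")
```

To use it on a real box, feed the concatenated enabled rules (the files Suricata actually loads, so that disabled rules are excluded the same way the engine excludes them) to checked_but_not_set, and compare against parse_flowbit_warnings run over the suricata log: a bit that the log warns about but the ruleset check does not flag points at a setter that exists in the files but is not loaded, for example because a ruleset or category it belongs to is disabled.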

November 28, 2024, 06:05:11 PM #4 Last Edit: November 28, 2024, 06:06:51 PM by Cljackhammer
Quote from: ETOzurie on November 24, 2024, 10:02:19 PM
Hi, I'm a malware analyst & rule writer on the Emerging Threats team.  I have personally developed a fix for this issue which as far as I'm aware, should now be live.  You should no longer be having flowbit dependency issues.


Hi ETOzurie,

I don't believe that the fix is available yet. I'm still experiencing the issue. Do I need to make any configuration changes for the fix to be enabled?

2024-11-28T12:01:00-05:00   Warning   suricata   [100463] <Warning> -- flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 1 other sigs   
2024-11-28T12:01:00-05:00   Warning   suricata   [100463] <Warning> -- flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 0 other sigs