Suricata warning: flowbit 'ET.Parallax-12' is checked but not set.

[adk20]

Dear community,

Since I upgraded to 21.7.5_2, I am getting this warning in the Suricata log file: "flowbit 'ET.Parallax-12' is checked but not set."

Any ideas as to what may be the cause of this are much appreciated.

Cheers,
adk20

[Fright]

hi
its snort but the meaning is the same
https://blog.snort.org/2011/05/resolving-flowbit-dependancies.html

("The above "Warnings" aren't fatal.   Meaning Snort will still start, even if you have these errors.  However, if you don't have one or the other "set" or "isset" rules turned on and you are receiving these errors, this indicates that effectively you aren't using that set of rules, or multiple rules.

The advantage of flowbits is that rule writers can write several different rules that check for vulnerabilities inside the rtf document file format, all checking to see if the "http.rtf" flowbit has been set first.  This will cause entire rule chains to not fire if an "rtf" file isn't downloaded first (for example).
...
...
Go through the rules files individually to turn on the rules that will fix the flowbits.")

[adk20]

Thanks, Fright, for your hint.

Unfortunately, though, I am still at a loss identifying the problem. I havn't touched my Suricata rules lately and the issue only arose after the last update to 21.5.7. This leads me to believe that there must be some link between the update and the new warning message.

Furthermore, the offending rule 2032527 doesn't give a clue as to which flowbit rule is missing.

Any help is much valued!

Cheers,
adk20

[adk20]

Just noticed that the rule creating the warning has been updated on 11 November, the day I started seeing the warnings.

Will being patient and waiting for another update of the rule eventually fix the issue?

[Fright]

this is definitely the upstream issue

just a guess but it looks like a typo in ruleset:
2021_11_11 they updated the rules (see https://www.proofpoint.com/us/daily-ruleset-update-summary-20211111 at the bottom).
but 2032526 sets "ET.Parallax-14" flowbit whereas 2032527 rule checks "ET.Parallax-12"

[adk20]

Again, many thanks, Fright, for your help!

However, I am even more puzzled now. Checking your Proofpoint link, I now see under "modified active rules" that both 2032526 and 2032527 refer to M14. Have they been fixed meanwhile?

Let's see whether tonight's update will fix the issue for me.

Cheers,
adk20

[Fright]

I now see under "modified active rules" that both 2032526 and 2032527 refer to M14

yep. but in fact 2032526 sets "ET.Parallax-14" flowbit and 2032527 checks "ET.Parallax-12". therefore i think that this is a typo in 2032527  rule (should check "ET.Parallax-14" flowbit imho)

Code: [Select]

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Parallax CnC Activity (set) M14"; flow:established,to_server; content:"|cb 79 32 bd|"; depth:4; fast_pattern; content:"|30 8e c5|"; distance:1; within:3; flowbits:set,ET.Parallax-14; flowbits:noalert; reference:md5,4ffdb788b7971827509fe2e3ccadbae2; classtype:trojan-activity; sid:2032526; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, malware_family Parallax, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Parallax CnC Response Activity M14"; flow:established,to_client; content:"|cb 79 32 bd|"; depth:4; fast_pattern; content:"|30 8e c5|"; distance:1; within:3; flowbits:isset,ET.Parallax-12; reference:md5,4ffdb788b7971827509fe2e3ccadbae2; classtype:trojan-activity; sid:2032527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, malware_family Parallax, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)


[adk20]

FYI, I've submitted some feedback to Proofpoint regarding this issue.

[Fright]

https://www.proofpoint.com/us/daily-ruleset-update-summary-20211122
solved?

[adk20]

Hello Fright, yes, this update fixed the issue for me.

I am wondering, though, whether I was the only one who had this issue or whether others were also affected?

[Fright]

yes, this update fixed the issue for me

nice to know )

I am wondering, though, whether I was the only one who had this issue or whether others were also affected?

imho this is a fairly common problem. just not so many people bother about it

[adk20]

Sorry, it's me again. Now that the one kind of flowbit messages has disappeared, I am getting these messages since my upgrade to 21.7.6

Code: [Select]

2021-11-26T03:33:09 suricata[49985] [106483] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
2021-11-26T03:33:09 suricata[49985] [106483] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.telnet.busybox' is checked but not set. Checked in 2023019 and 2 other sigs
2021-11-26T03:32:48 suricata[49985] [106483] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /usr/local/etc/suricata/opnsense.rules/emerging-user_agents.rules:250 uses unknown classtype: "pup-activity", using default priority 3. This message won't be shown again for this classtype
2021-11-26T03:32:45 suricata[49985] [106483] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /usr/local/etc/suricata/opnsense.rules/emerging-malware.rules:15758 uses unknown classtype: "credential-theft", using default priority 3. This message won't be shown again for this classtype
2021-11-26T03:32:42 suricata[49985] [106483] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /usr/local/etc/suricata/opnsense.rules/emerging-malware.rules:9890 uses unknown classtype: "social-engineering", using default priority 3. This message won't be shown again for this classtype
2021-11-26T03:32:42 suricata[49985] [106483] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /usr/local/etc/suricata/opnsense.rules/emerging-malware.rules:8962 uses unknown classtype: "external-ip-check", using default priority 3. This message won't be shown again for this classtype
2021-11-26T03:32:40 suricata[49985] [106483] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /usr/local/etc/suricata/opnsense.rules/emerging-info.rules:1348 uses unknown classtype: "domain-c2", using default priority 3. This message won't be shown again for this classtype
2021-11-26T03:32:40 suricata[49985] [106483] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /usr/local/etc/suricata/opnsense.rules/emerging-info.rules:694 uses unknown classtype: "coin-mining", using default priority 3. This message won't be shown again for this classtype
2021-11-26T03:32:39 suricata[49985] [106483] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /usr/local/etc/suricata/opnsense.rules/emerging-exploit.rules:800 uses unknown classtype: "exploit-kit", using default priority 3. This message won't be shown again for this classtype
2021-11-26T03:32:39 suricata[49985] [106483] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /usr/local/etc/suricata/opnsense.rules/emerging-dns.rules:112 uses unknown classtype: "targeted-activity", using default priority 3. This message won't be shown again for this classtype
2021-11-26T03:32:38 suricata[49985] [106483] <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /usr/local/etc/suricata/opnsense.rules/emerging-activex.rules:788 uses unknown classtype: "command-and-control", using default priority 3. This message won't be shown again for this classtype
Any ideas as to what those classtype warnings mean?

Cheers,
adk

[Fright]

hi
i think it means that rules uses classifications (classification define the order in which the rules are processed) not included in opnsense classification.config.
imho you can try to add classifications strings (may be "# Update" section would be enough?) from https://rules.emergingthreats.net/open/suricata-5.0/rules/classification.config to /usr/local/opnsense/service/templates/OPNsense/IDS/classification.config
and (if it works well) ask devs to add this definitions to standard classification.config template?

[adk20]

Just out of curiosity - is anyone else seeing these error messages?

Regarding the two flowbit warnings, I am unsure how to fix them. I cannot seem to find any rules with the stated names.

Regarding the other warnings, I would assume that this is not something the normal user needs to configure but that it kind of "works out of the box."

I haven't touched my suricata rules for months and all over sudden they start throwing warnings. I am even more puzzled since I have only enabled the standard rule sets and not done any manual tuning of the rules. This should IMHO not require modification of config files on the CLI.

Any guidance is much appreciated. Thanks!

[Fright]

Regarding the other warnings, I would assume that this is not something the normal user needs to configure but that it kind of "works out of the box."

fixed by @AdSchellevis
https://github.com/opnsense/core/commit/9f3b6e873ac14790246f9b83bc54d8852eaeccbe
(i think it will be in next release)

Regarding the two flowbit warnings, I am unsure how to fix them. I cannot seem to find any rules with the stated names.

its not names ). its flowbits defined in rules itslef.
so it is necessary to find a ruleset with the rules using this flowbit and make sure that the rule setting this flowbit is enabled or that such a rule simply does not exist in the ruleset