
Suricata warning: flowbit 'ET.Parallax-12' is checked but not set.


adk20:
Dear community,

Since I upgraded to 21.7.5_2, I am getting this warning in the Suricata log file: "flowbit 'ET.Parallax-12' is checked but not set."

Any ideas as to what may be the cause of this are much appreciated.

Cheers,
adk20

Fright:
hi
it's Snort but the meaning is the same
https://blog.snort.org/2011/05/resolving-flowbit-dependancies.html

("The above "Warnings" aren't fatal. Meaning Snort will still start, even if you have these errors. However, if you don't have one or the other "set" or "isset" rules turned on and you are receiving these errors, this indicates that effectively you aren't using that set of rules, or multiple rules.

The advantage of flowbits is that rule writers can write several different rules that check for vulnerabilities inside the rtf document file format, all checking to see if the "http.rtf" flowbit has been set first. This will cause entire rule chains to not fire if an "rtf" file isn't downloaded first (for example).
...
...
Go through the rules files individually to turn on the rules that will fix the flowbits.")

adk20:
Thanks, Fright, for your hint.

Unfortunately, though, I am still at a loss identifying the problem. I haven't touched my Suricata rules lately and the issue only arose after the last update to 21.5.7. This leads me to believe that there must be some link between the update and the new warning message.

Furthermore, the offending rule 2032527 doesn't give a clue as to which flowbit rule is missing.

Any help is much valued!

Cheers,
adk20

adk20:
Just noticed that the rule creating the warning has been updated on 11 November, the day I started seeing the warnings.

Will being patient and waiting for another update of the rule eventually fix the issue?

Fright:
this is definitely the upstream issue

just a guess but it looks like a typo in ruleset:
2021_11_11 they updated the rules (see https://www.proofpoint.com/us/daily-ruleset-update-summary-20211111 at the bottom).
but 2032526 sets "ET.Parallax-14" flowbit whereas 2032527 rule checks "ET.Parallax-12"
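
A small checker for the kind of mismatch Fright describes, added here as an example and not part of the thread or of the ET ruleset tooling: it scans rule lines for flowbits:set and flowbits:isset and reports bits that are checked but never set by an enabled rule. The sample rules below are constructed; only the sids 2032526/2032527 and the flowbit names come from the thread, and the rule bodies are placeholders, not the real ET signatures.

```python
import re
from collections import defaultdict

# Constructed sample rules (placeholder bodies, not the real ET signatures).
# Only the sids and flowbit names mirror what the thread reports.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE Parallax stage 1"; flow:established,to_server; content:"stage1"; flowbits:set,ET.Parallax-14; flowbits:noalert; sid:2032526; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE Parallax stage 2"; flow:established,to_server; content:"stage2"; flowbits:isset,ET.Parallax-12; sid:2032527; rev:2;)
# alert tcp any any -> any any (msg:"SAMPLE disabled setter"; flowbits:set,ET.Sample-1; sid:9000001; rev:1;)
alert tcp any any -> any any (msg:"SAMPLE checks disabled setter"; flowbits:isset,ET.Sample-1; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"SAMPLE OK setter"; flowbits:set,ET.Sample-2; flowbits:noalert; sid:9000003; rev:1;)
alert tcp any any -> any any (msg:"SAMPLE OK checker"; flowbits:isset,ET.Sample-2; sid:9000004; rev:1;)
"""

# flowbits:<op>,<name>; "noalert" carries no name and is deliberately not matched.
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(set|isset|isnotset|unset|toggle)\s*,\s*([^;\s]+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")

def index_flowbits(rules_text):
    """Map each flowbit name to the sids that set it and the sids that check it.
    Commented-out (disabled) rules are skipped, as the engine would skip them."""
    setters, checkers = defaultdict(set), defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        for op, names in FLOWBITS_RE.findall(line):
            # isset accepts OR-combined names (a|b); treat each name separately
            for name in names.split("|"):
                if op in ("set", "toggle"):
                    setters[name].add(sid)
                elif op in ("isset", "isnotset"):
                    checkers[name].add(sid)
    return setters, checkers

def checked_but_not_set(rules_text):
    """Return {flowbit: sorted sids checking it} for bits no enabled rule sets."""
    setters, checkers = index_flowbits(rules_text)
    return {name: sorted(sids) for name, sids in checkers.items() if name not in setters}

if __name__ == "__main__":
    for name, sids in sorted(checked_but_not_set(SAMPLE_RULES).items()):
        print(f"flowbit '{name}' is checked by {sids} but never set")
```

Run against the concatenated enabled rules on the sensor, the output names the flowbit (here ET.Parallax-12) and the sid that checks it, and also catches the other common cause: a setter rule that has been disabled.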
