OPNsense

  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • Proofpoint Telemetry Flowbit Issues.
Author Topic: Proofpoint Telemetry Flowbit Issues.  (Read 648 times)

Cljackhammer (Newbie, Posts: 18, Karma: 0)
Proofpoint Telemetry Flowbit Issues.
« on: September 30, 2024, 12:28:12 pm »
When is the proofpoint team going to address this issue? It started happening 3 weeks ago and I didn’t make any configuration issues. I tried deleting all of the rulesets and re-downloaded.

2024-09-30T06:01:05-04:00   Warning   suricata   [100908] <Warning> -- flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 1 other sigs   
2024-09-30T06:01:05-04:00   Warning   suricata   [100908] <Warning> -- flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 0 other sigs

someone (Full Member, Posts: 115, Karma: 2)
Re: Proofpoint Telemetry Flowbit Issues.
« Reply #1 on: October 06, 2024, 07:40:18 pm »
You might ask that question in the Suricata forum and see what they say.
I too see that, but on other rules; not sure yet what it means or how to correct it.

ETOzurie (Newbie, Posts: 1, Karma: 0)
Re: Proofpoint Telemetry Flowbit Issues.
« Reply #2 on: November 24, 2024, 10:02:19 pm »
Hi, I'm a malware analyst & rule writer on the Emerging Threats team. I have personally developed a fix for this issue which, as far as I'm aware, should now be live. You should no longer be having flowbit dependency issues.
Malware Analyst & Detection Engineer @ Emerging Threats/Proofpoint

jonny5 (Newbie, Posts: 38, Karma: 3)
Re: Proofpoint Telemetry Flowbit Issues.
« Reply #3 on: November 25, 2024, 05:00:09 pm »
There are only a few flowbit mentions in my logs. For anyone else tracking, these are what I see with almost all rules enabled (998 disabled of 215144 total):

To any wanting to share/check:
Code:
grep -vE '(alert|anomaly)' suricata_20241125.log | cut -w -f 10- | sort | uniq | grep flowbit
My output:
Code:
<Warning> -- flowbit 'file.doc&file.ole' is checked but not set. Checked in 17301 and 3 other sigs
<Warning> -- flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
<Warning> -- flowbit 'file.ppsx&file.zip' is checked but not set. Checked in 26068 and 1 other sigs
<Warning> -- flowbit 'file.quicktime&file.swf' is checked but not set. Checked in 24672 and 0 other sigs
<Warning> -- flowbit 'file.rjs&file.zip' is checked but not set. Checked in 17461 and 0 other sigs
<Warning> -- flowbit 'file.visio&file.ole' is checked but not set. Checked in 11836 and 1 other sigs
<Warning> -- flowbit 'file.xls&file.ole' is checked but not set. Checked in 19943 and 10 other sigs
<Warning> -- flowbit 'file.xps&file.zip' is checked but not set. Checked in 45776 and 1 other sigs
<Warning> -- flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 25035 and 7 other sigs
<Warning> -- flowbit 'glassfish_unauth_attempt' is checked but not set. Checked in 20160 and 0 other sigs
Pretty sure there used to be more, so I can mention that this feels like an improvement, thank you!
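The grep pipeline above pulls the warnings out of the log but does not say which disabled rule would have set the missing bit. The following Python script is an added example, not code from this thread or from OPNsense, Suricata or Proofpoint: it parses the same "checked but not set" warning lines into (flowbit, sid, other-sig count) tuples, and it scans rule text for the `flowbits:set,<name>;` / `flowbits:isset,<name>;` / `flowbits:isnotset,<name>;` keywords so that every checked-but-never-set bit is reported together with any disabled (commented-out) rule that would set it. The log lines reuse the two warnings quoted in the thread; the ruleset is constructed with placeholder sids in the local 1000000+ range, and splitting compound names such as `a&b` into individual bits is a simplification of Suricata's own handling.

```python
"""Added example (not from the forum thread): triage Suricata
'flowbit ... is checked but not set' warnings.

parse_flowbit_warnings() extracts (flowbit, sid, other_sig_count) from
Suricata log lines; find_unset_flowbits() scans rule text and reports
which checked flowbits no enabled rule sets, plus the disabled rules
that would set them. Sample rules below are constructed for illustration.
"""
import re
from collections import defaultdict

# Matches the warning text Suricata logs at rule-load time.
WARN_RE = re.compile(
    r"flowbit '(?P<bit>[^']+)' is checked but not set\. "
    r"Checked in (?P<sid>\d+) and (?P<others>\d+) other sigs"
)
# flowbits:<op>,<name>;  (flowbits:noalert; has no name and is ignored)
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(?P<op>[a-z]+)\s*,\s*(?P<name>[^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(?P<sid>\d+)\s*;")

# Constructed sample input: the two warnings quoted in the thread.
SAMPLE_LOG = [
    "2024-09-30T06:01:05-04:00   Warning   suricata   [100908] <Warning> -- "
    "flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 1 other sigs",
    "2024-09-30T06:01:05-04:00   Warning   suricata   [100908] <Warning> -- "
    "flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 0 other sigs",
]

# Constructed sample ruleset (placeholder sids, not real ET signatures).
SAMPLE_RULES = """
alert http any any -> any any (msg:"DEMO setter on"; flowbits:set,demo.setter_on; flowbits:noalert; sid:1000001; rev:1;)
alert http any any -> any any (msg:"DEMO check setter on"; flowbits:isset,demo.setter_on; sid:1000002; rev:1;)
#alert http any any -> any any (msg:"DEMO setter off"; flowbits:set,demo.setter_off; flowbits:noalert; sid:1000003; rev:1;)
alert http any any -> any any (msg:"DEMO check setter off"; flowbits:isset,demo.setter_off; sid:1000004; rev:1;)
alert http any any -> any any (msg:"DEMO check compound"; flowbits:isset,demo.setter_on&demo.never_set; sid:1000005; rev:1;)
"""


def parse_flowbit_warnings(lines):
    """Return [(flowbit, sid, other_sig_count), ...] for matching log lines."""
    found = []
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            found.append((m.group("bit"), int(m.group("sid")), int(m.group("others"))))
    return found


def find_unset_flowbits(rule_text):
    """Map each flowbit checked by an enabled rule but set by none to
    {'checked_by': [sids], 'set_by_disabled': [sids]}.

    A rule line starting with '#' counts as disabled. Compound isset names
    ('a&b', 'a|b') are split into single bits here (a simplification).
    """
    set_enabled = defaultdict(set)
    set_disabled = defaultdict(set)
    checked = defaultdict(set)
    for raw in rule_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        disabled = line.startswith("#")
        body = line.lstrip("# ")
        if not body.startswith(("alert", "drop", "reject", "pass")):
            continue  # comment or other non-rule line
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue
        sid = int(sid_m.group("sid"))
        for fm in FLOWBITS_RE.finditer(body):
            op, name = fm.group("op"), fm.group("name").strip()
            if op == "set":
                (set_disabled if disabled else set_enabled)[name].add(sid)
            elif op in ("isset", "isnotset") and not disabled:
                for bit in re.split(r"[&|]", name):
                    checked[bit.strip()].add(sid)
    report = {}
    for bit, sids in checked.items():
        if bit not in set_enabled:
            report[bit] = {
                "checked_by": sorted(sids),
                "set_by_disabled": sorted(set_disabled.get(bit, ())),
            }
    return report


if __name__ == "__main__":
    for bit, sid, others in parse_flowbit_warnings(SAMPLE_LOG):
        print(f"log: {bit} checked in {sid} (+{others} others), never set")
    for bit, info in sorted(find_unset_flowbits(SAMPLE_RULES).items()):
        print(f"rules: {bit} checked by {info['checked_by']}, "
              f"would be set by disabled {info['set_by_disabled']}")
```

On an OPNsense box the rule text would come from the downloaded rule files under the Suricata rules directory; a bit whose only setter is disabled points at a rule to re-enable, while a bit with no setter at all is the ruleset-level defect the ET reply above describes.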

Cljackhammer (Newbie, Posts: 18, Karma: 0)
Re: Proofpoint Telemetry Flowbit Issues.
« Reply #4 on: November 28, 2024, 06:05:11 pm »
Quote from: ETOzurie on November 24, 2024, 10:02:19 pm
    Hi, I'm a malware analyst & rule writer on the Emerging Threats team. I have personally developed a fix for this issue which as far as I'm aware, should now be live. You should no longer be having flowbit dependency issues.

Hi ETOzurie,

I don’t believe that the fix is available yet. I’m still experiencing the issue. Do I need to make any configuration changes for the fix to be enabled?

2024-11-28T12:01:00-05:00   Warning   suricata   [100463] <Warning> -- flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 1 other sigs   
2024-11-28T12:01:00-05:00   Warning   suricata   [100463] <Warning> -- flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 0 other sigs
« Last Edit: November 28, 2024, 06:06:51 pm by Cljackhammer »

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved