Hi All, I need help,
OS :Yocto (Dunfell +QT5)
When I run the command "suricata -T -c /etc/suricata/suricata.yaml -v", I get these errors related to flowbits.
These are the rules I added, downloaded from: Rule Management with Oinkmaster - Suricata - Open Information Security Foundation
And I am not able to find which rules are using flowbit.
First welcome to the Suricata community!
It looks like you are using the Emerging Threats OPEN ruleset.
The flowbit messages you are seeing are warnings and are not fatal to Suricata, either to it running or to it processing/alerting using the rules that you have loaded.
As an example, the log entry "flowbit 'ET.tcpraw.png' is checked but not set. Checked in 2035477 and 6 other sigs" is indicating that rule sid 2035477 and 6 other sids are checking to see if the flowbit is set.
The rule text is:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE rat-test CnC Response"; flow:established,to_client; dsize:8; content:"d|00|o|00|n|00|e|00|"; nocase; flowbits:isset,ET.tcpraw.png; reference:md5,a271e5179f0a98a295736bd7a41a39fc; reference:url,twitter.com/James_inthe_box/status/1501604645759709186; classtype:trojan-activity; sid:2035477; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
There are a number of reasons a flowbit may be checked and not set. If you want to see each rule that is looking for the set flowbit, you would have to search through all the individual .rules files (your second picture) and look for, using the example above, "isset,ET.tcpraw.png".
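The search described in the reply above can be automated. The script below is an added example, not code from the reply's author or from the Suricata project: it scans .rules text for every flowbits keyword, skips commented-out (disabled) rules, and reports which flowbit names are checked with isset/isnotset but never set by an enabled rule, which is the condition behind the "checked but not set" warning. The sample ruleset embedded in it is constructed for the example (only the sid 2035477 and the ET.tcpraw.png name come from the thread); treating set and toggle as the only "setting" actions, and splitting names on `|` and `&`, are assumptions of this script rather than a statement of Suricata's exact internal logic.

```python
import re
import sys
import glob
from collections import defaultdict

# Constructed sample rules for this example; not the real ET OPEN ruleset.
SAMPLE_RULES = r'''
# A comment line: ignored by Suricata and by this script.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE setter"; flow:established,to_server; content:"png"; flowbits:set,ET.tcpraw.png; flowbits:noalert; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE rat-test CnC Response"; flow:established,to_client; dsize:8; content:"d|00|o|00|n|00|e|00|"; nocase; flowbits:isset,ET.tcpraw.png; sid:2035477; rev:2;)
alert tcp any any -> any any (msg:"EXAMPLE checks a bit nobody sets"; flowbits:isset,EXAMPLE.orphan.bit; sid:9000002; rev:1;)
#alert tcp any any -> any any (msg:"EXAMPLE disabled setter"; flowbits:set,EXAMPLE.orphan.bit; sid:9000003; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE isnotset check"; flowbits:isnotset,ET.tcpraw.png; sid:9000004; rev:1;)
'''

# One flowbits keyword: flowbits:<action>[,<names>];  (noalert has no names)
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([a-zA-Z]+)\s*(?:,\s*([^;]+))?\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# Assumption of this script: these actions make a bit "set" for audit purposes.
SETTING_ACTIONS = {'set', 'toggle'}
CHECKING_ACTIONS = {'isset', 'isnotset'}


def parse_flowbits(rule_text):
    """Yield (action, bit_name, sid) for every flowbits keyword in enabled rules."""
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # blank, comment, or disabled rule: Suricata does not load it
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        for action, names in FLOWBITS_RE.findall(line):
            if not names:
                continue  # e.g. flowbits:noalert; carries no bit name
            # Assumption: '|' and '&' separate several bit names in one keyword.
            for name in re.split(r'[|&]', names):
                yield action.lower(), name.strip(), sid


def audit_flowbits(rule_text):
    """Return setters, checkers and the bits that are checked but never set."""
    setters = defaultdict(set)
    checkers = defaultdict(set)
    for action, name, sid in parse_flowbits(rule_text):
        if action in SETTING_ACTIONS:
            setters[name].add(sid)
        elif action in CHECKING_ACTIONS:
            checkers[name].add(sid)
    checked_not_set = {name: sorted(sids)
                       for name, sids in checkers.items() if name not in setters}
    return {'setters': dict(setters), 'checkers': dict(checkers),
            'checked_not_set': checked_not_set}


def audit_rule_files(paths):
    """Audit all given .rules files together, since a bit may be set in one file and checked in another."""
    combined = []
    for path in paths:
        with open(path, encoding='utf-8', errors='replace') as fh:
            combined.append(fh.read())
    return audit_flowbits('\n'.join(combined))


def report(result):
    """Print the audit in the same spirit as Suricata's warning lines."""
    for name, sids in sorted(result['checked_not_set'].items()):
        print(f"flowbit '{name}' is checked but not set. Checked in {', '.join(map(str, sids))}")
    for name, sids in sorted(result['setters'].items()):
        checks = sorted(result['checkers'].get(name, ()))
        print(f"flowbit '{name}' set in {sorted(sids)}, checked in {checks}")


if __name__ == '__main__':
    # Usage: python flowbit_audit.py /path/to/rules/*.rules
    # With no arguments the constructed sample ruleset is audited instead.
    files = [p for arg in sys.argv[1:] for p in glob.glob(arg)]
    report(audit_rule_files(files) if files else audit_flowbits(SAMPLE_RULES))
```

Run against the directory your second picture shows (for example `python flowbit_audit.py /etc/suricata/rules/*.rules`) and the "checked but not set" lines name each orphaned flowbit together with the sids that check it, so you can decide whether the setting rule was disabled in your Oinkmaster configuration or simply lives in a file you are not loading.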
Thank you very much for the prompt reply. I will look into the .rules files for flowbits.
If possible, please let me know where I can find Suricata-approved rule files.
Generally speaking there aren't "approved" rules files. Each implementation/deployment of Suricata is going to need to use rules appropriate to that environment. For example, you might not need rules that fire on gaming traffic. A list of some of the sources of rules that work from a syntax perspective with Suricata can be found here: https://www.openinfosecfoundation.org/rules/index.yaml