SID Management Question


New Suricata user on PfSense here and what an excellent piece of software, works very well.

I noticed one thing: when combing through the logs and finding warnings, I came across a couple of similar warnings, “invalid signature” and “flowbit is checked but not set”.

To clean up, I went through and enabled automatic SID management and disabled all of the rules that were throwing alerts, but it seems that the last rule I have in my file gets disabled; however, it still shows the warning whenever the rules load. See below.

disabledsid file
1:26470,1:50525,1:27544,1:58835,1:60270,1:60728,1:45952,1:49670,1:58812,1:55839,1:53858,1:46825,1:57452,1:61359,1:61360 # invalid signatures
1:28582,1:28583,1:28584,1:28585,1:28586,1:30990,1:30991,1:61666,1:61667 # flowbit set but not checked

Warning message in system log
[122034] – [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘file.onenote’ is checked but not set. Checked in 61666 and 1 other sigs

What’s really odd is whenever I go to check and see if the rule is actually disabled or not, it is properly disabled.

I can’t seem to figure out what is going on here, any ideas?

EDIT: I tried adding 1:61667 to the list (above post updated) as it was the only other flowbit rule that referenced onenote but this warning message still exists. I guess this also means it isn’t exactly the last entry either. The plot thickens.

I was able to get this to stop complaining about flowbits by disabling the following:

1:26470,1:50525,1:27544,1:58835,1:60270,1:60728,1:45952,1:49670,1:58812,1:55839,1:53858,1:46825,1:57452,1:61359,1:61360 # invalid signatures

1:28582,1:28583,1:28584,1:28585,1:28586,1:30990,1:30991,1:61666,1:61667,1:61670,1:61671,1:61672,1:61673,1:61674,1:61675 # flowbit set but not checked

After disabling all of the above I no longer get any rule errors on reload/restart.

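Why a flowbit warning like the one in this thread can survive disabling a single SID, as an added example that is not part of the original posts: the script applies a disablesid list in the `gid:sid` format shown above to a set of rules and reports every flowbit that an enabled rule still checks while no enabled rule sets it. The rules, SIDs 9000001 to 9000003 and the flowbit name `file.example` are constructed, and treating `set`/`toggle` as setters and `isset`/`isnotset` as checks is a simplifying assumption, not Suricata's own analysis code.

```python
import re
from collections import defaultdict

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
FLOWBIT_RE = re.compile(r"\bflowbits\s*:\s*(\w+)\s*,\s*([^;]+);")

# Constructed rules (not from any real ruleset): one setter, two checkers.
RULES = """
alert http any any -> any any (msg:"setter"; flowbits:set,file.example; flowbits:noalert; sid:9000001; rev:1;)
alert http any any -> any any (msg:"checker A"; flowbits:isset,file.example; sid:9000002; rev:1;)
alert http any any -> any any (msg:"checker B"; flowbits:isset,file.example; sid:9000003; rev:1;)
"""

def parse_disablesid(text):
    """Parse 'gid:sid,gid:sid # comment' lines into a set of (gid, sid)."""
    disabled = set()
    for line in text.splitlines():
        for item in line.split("#", 1)[0].split(","):
            gid, _, sid = item.strip().rpartition(":")
            if sid:
                disabled.add((int(gid or 1), int(sid)))  # bare SID means gid 1
    return disabled

def unset_flowbits(rules_text, disabled):
    """Map each flowbit that no enabled rule sets to the enabled SIDs checking it."""
    setters, checkers = set(), defaultdict(list)
    for line in rules_text.splitlines():
        line = line.strip()
        m = SID_RE.search(line)
        if line.startswith("#") or not m:  # commented-out rule or not a rule
            continue
        g = GID_RE.search(line)
        key = (int(g.group(1)) if g else 1, int(m.group(1)))
        if key in disabled:
            continue
        for cmd, names in FLOWBIT_RE.findall(line):
            for name in (n.strip() for n in names.split("|")):
                if cmd in ("set", "toggle"):
                    setters.add(name)
                elif cmd in ("isset", "isnotset"):
                    checkers[name].append(key[1])
    return {b: sorted(s) for b, s in checkers.items() if b not in setters}

if __name__ == "__main__":
    for entry in ("1:9000001", "1:9000001,1:9000002", "1:9000001,1:9000002,1:9000003"):
        print(entry, "->", unset_flowbits(RULES, parse_disablesid(entry)))
```

With the setter disabled, the flowbit stays in the report until every rule that checks it is disabled as well, or the setter is re-enabled.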