Hello,
New Suricata user on pfSense here, and what an excellent piece of software; it works very well.
I noticed one thing: when combing through the logs I came across a couple of similar warnings, “invalid signature” and “flowbit is checked but not set”.
To clean up, I went through and enabled automatic SID management and disabled all of the rules that were throwing alerts, but it seems that the last rule I have in my file gets disabled, yet it still shows the warning whenever the rules load. See below.
disabledsid file
1:26470,1:50525,1:27544,1:58835,1:60270,1:60728,1:45952,1:49670,1:58812,1:55839,1:53858,1:46825,1:57452,1:61359,1:61360 # invalid signatures
1:28582,1:28583,1:28584,1:28585,1:28586,1:30990,1:30991,1:61666,1:61667 # flowbit set but not checked
Warning message in system log
[122034] -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs
What’s really odd is whenever I go to check and see if the rule is actually disabled or not, it is properly disabled.
I can’t seem to figure out what is going on here, any ideas?
EDIT: I tried adding 1:61667 to the list (above post updated) as it was the only other flowbit rule that referenced onenote but this warning message still exists. I guess this also means it isn’t exactly the last entry either. The plot thickens.
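
Added example, not part of the original post and not code from Suricata or the pfSense package: a small offline check that takes a disable list in the `gid:sid` format shown above plus the text of a rules file, and reports which enabled rules still check a flowbit that no enabled rule sets. The rule bodies below are constructed, SID 1000001 is a hypothetical setter rule, and treating a missing gid as 1 is an assumption.

```python
import re

# Constructed sample rules (not real rule text). SIDs 61666/61667 come from the post;
# 1000001 is a hypothetical rule that sets the flowbit.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"constructed setter"; flowbits:set,file.onenote; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"constructed checker A"; flowbits:isset,file.onenote; sid:61666; rev:1;)
# alert tcp any any -> any any (msg:"constructed checker B"; flowbits:isset,file.onenote; sid:61667; rev:1;)
"""

SETTERS = {"set", "toggle"}        # flowbits actions that can turn a bit on
CHECKERS = {"isset", "isnotset"}   # flowbits actions that test a bit

def parse_disablesid(text):
    """Return {(gid, sid)} from comma-separated gid:sid entries; '#' starts a comment."""
    out = set()
    for line in text.splitlines():
        for entry in line.split("#", 1)[0].split(","):
            m = re.fullmatch(r"\s*(?:(\d+):)?(\d+)\s*", entry)
            if m:
                out.add((int(m.group(1) or 1), int(m.group(2))))  # gid defaults to 1 (assumption)
    return out

def unset_flowbit_checks(rules_text, disabled=frozenset()):
    """Map flowbit -> SIDs of enabled rules checking it while no enabled rule sets it."""
    set_bits, checks = set(), {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # commented-out rules are not loaded
            continue
        sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", line)
        gid = re.search(r"\bgid\s*:\s*(\d+)\s*;", line)
        if not sid:
            continue
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        if key in disabled:
            continue
        for action, name in re.findall(r"flowbits\s*:\s*(\w+)\s*,\s*([^;,\s]+)", line):
            if action in SETTERS:
                set_bits.add(name)
            elif action in CHECKERS:
                checks.setdefault(name, []).append(key[1])
    return {n: sorted(s) for n, s in checks.items() if n not in set_bits}

if __name__ == "__main__":
    # Constructed scenario: the setter is disabled, so the remaining checker is reported.
    print(unset_flowbit_checks(SAMPLE_RULES, parse_disablesid("1:1000001 # setter off")))
```

Running it against the rules file the engine actually loads, rather than the downloaded source files, shows whether a rule named in the warning is really absent from what Suricata parses.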