Wednesday, December 7, 2011

If you are having problems with your flowbits

Some people have been experiencing a problem with their Snort downloads during the recent file-identify.rules transition.

During this transition we added a feature to the flowbit "set" rules called a "flowbit group". The intention of the flowbit group is, if a flowbit is set on a certain stream, and another flowbit comes along on the same stream and sets a flowbit it will unset the first flowbit.

This is EXTREMELY helpful for things like http pipelined streams where multiple downloads are done over a single stream and would result in the occasional false positive.

While we received zero false negative or false positive reports as a result of the flowbit group being in the file-identify ruleset, we decided to go back to the original method of flowbit "set" and "unset".  Unfortunately, this affected people that wrote custom rules that either checked or set a flowbit with the same flowbit name as ours, it also identified a minor restart bug that affected users of OpenSource Snort (not Sourcefire product) in Snort version 2.9.1.2 (It's fixed in 2.9.2).  This bug was basically a -HUP would not reload the presence of a flowbit group (or lack thereof).

So, in order for people to go into their rulesets and remove the fileidentify flowbit group name, you can either manually edit the rule files and remove ",fileidentify" from the rules, or you can use this quick bash script that I wrote and have not tested.


The error that some may see is:

sp_flowbits.c(510) Flowbits already belongs to a group

This error either means you are setting a flowbit with your custom rule that is the same name as a flowbit that we have in the system without the flowbit group added to it (and ours does), or, it means that you have a custom rule that is the same name as a flowbit that we have in the system and ours does not.


So this script should fix the problem either way by totally removing the fileidentify flowbit group.

First, decend into your rules/ directory where you keep your rules, and create and run this shell script:

#!/bin/sh
for x in `ls *.rules`
do
    sed -i -e 's/\,fileidentify//' $x
done


This will remove the fileidentify flowbit group from all the rules, and Snort will function as it was before.