suricata: flowbit

I installed ipfire on my pc a little while ago. I activated Intrusion Prevention. Look in the pictures: there is "flowbit". I don't know what it means. Is everything working or is there an error?

It looks like it loaded rules, but needs a server restart to activate the rule because it translates to me that the rule is selected but not active yet.

No that is incorrect. A server restart won’t change anything.

The signature writer for those rules is checking for the flowbit but hasn’t set it.

This happens sometimes when the signature writer has defined a set of similar rules and then they set the flowbit on only one of the rules but check it on all of them. As long as all the rules in that set are enabled then it will work.

However, sometimes I have found that the provider's default rules within a ruleset do not have the rule with the flowbit enabled, but do have some of the ones where the flowbit is checked but not set.
I discovered this by identifying all the rules flagged with flowbit checked but not set and making sure that all of the same type were enabled and then those messages stopped.
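The procedure described above (find the flowbits that enabled rules check but no enabled rule sets, then look for the commented-out rule that would set them) can be scripted. The following is an added example, not code from the post or from the IPFire or Suricata projects. It parses Suricata rule lines, records which sids `set`/`toggle` each flowbit and which `isset`/`isnotset` it, and reports every flowbit that an enabled rule checks while every setter is disabled or missing. The embedded rules are constructed for the example (invented sids 9000001 to 9000005, messages and flowbit names), not real Emerging Threats rules; pass real `.rules` files on the command line to run it on your own ruleset.

```python
"""Find Suricata flowbits that enabled rules check (isset/isnotset) but no
enabled rule sets, and name the disabled setter rules worth re-enabling."""
import re
import sys
from collections import defaultdict

# Constructed sample rule set for this example (not real Emerging Threats
# rules; sids 9000001-9000005, messages and flowbit names are invented).
# Rule 9000003 is commented out, so example.login is checked but never set.
SAMPLE_RULES = r"""
# Emerging Threats style header comment, not a rule
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE client hello"; flow:established,to_server; content:"HELLO"; flowbits:set,example.hello; flowbits:noalert; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE server reply after hello"; flow:established,to_client; flowbits:isset,example.hello; content:"REPLY"; sid:9000002; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE login stage 1"; flow:established,to_server; content:"LOGIN"; flowbits:set,example.login; flowbits:noalert; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE login stage 2"; flow:established,to_client; flowbits:isset,example.login; content:"OK"; sid:9000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE login stage 3"; flow:established,to_client; flowbits:isnotset,example.login; content:"FAIL"; sid:9000005; rev:1;)
"""

ACTION_RE = re.compile(r"^(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits\s*:\s*([^;]+);")


def parse_rule_line(line):
    """Return (enabled, sid, [(op, bitname), ...]) or None if not a rule line."""
    text = line.strip()
    enabled = True
    if text.startswith("#"):
        # A commented-out rule is a disabled rule; other comments are skipped below.
        text = text.lstrip("# ").strip()
        enabled = False
    if not ACTION_RE.match(text):
        return None
    m = SID_RE.search(text)
    if not m:
        return None
    sid = int(m.group(1))
    bits = []
    for spec in FLOWBITS_RE.findall(text):
        parts = [p.strip() for p in spec.split(",", 1)]
        op = parts[0].lower()
        if len(parts) < 2:
            continue  # flowbits:noalert carries no bit name
        # isset/isnotset may name several bits joined with | or &
        for name in re.split(r"[|&]", parts[1]):
            bits.append((op, name.strip()))
    return enabled, sid, bits


def index_flowbits(lines):
    """Map flowbit name -> {"set": {sid: enabled}, "check": {sid: enabled}}."""
    index = defaultdict(lambda: {"set": {}, "check": {}})
    for line in lines:
        parsed = parse_rule_line(line)
        if parsed is None:
            continue
        enabled, sid, bits = parsed
        for op, name in bits:
            if op in ("set", "toggle"):   # toggle is treated as a setter here
                index[name]["set"][sid] = enabled
            elif op in ("isset", "isnotset"):
                index[name]["check"][sid] = enabled
    return index


def checked_but_not_set(index):
    """Flowbits that some enabled rule checks while no enabled rule sets them.
    Returns [(bitname, enabled_checker_sids, disabled_setter_sids), ...]."""
    findings = []
    for name, info in sorted(index.items()):
        enabled_checkers = sorted(s for s, on in info["check"].items() if on)
        enabled_setters = [s for s, on in info["set"].items() if on]
        if enabled_checkers and not enabled_setters:
            disabled_setters = sorted(s for s, on in info["set"].items() if not on)
            findings.append((name, enabled_checkers, disabled_setters))
    return findings


def report(lines):
    """Print one line per orphaned flowbit and return the findings."""
    findings = checked_but_not_set(index_flowbits(lines))
    for name, checkers, setters in findings:
        hint = f"enable sid(s) {setters}" if setters else "no rule sets it at all"
        print(f"flowbit '{name}' checked by {checkers} but never set: {hint}")
    return findings


if __name__ == "__main__":
    rule_lines = []
    for path in sys.argv[1:]:           # e.g. the .rules files Suricata loads
        with open(path, encoding="utf-8", errors="replace") as fh:
            rule_lines.extend(fh)
    report(rule_lines or SAMPLE_RULES.splitlines())
```

Run with no arguments it flags `example.login` (checked by 9000004 and 9000005) and points at the disabled setter 9000003, which is exactly the rule to re-enable. When feeding it real files, give it every file Suricata actually loads, since a setter can live in a different category file than its checkers; the rule-analysis output Suricata writes when started with `--engine-analysis` is a good cross-check of what the engine itself concluded.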

Hello @justiceg

Welcome to the IPFire community.

If you see that message about flowbit is checked but not set, then that rule that triggered the message will not be evaluated.

Suricata will still continue scanning with all the other rules that have been enabled.


Thank you very much. I have little experience; what should I do? Should I disable some rules or enable some rules, or does everything work fine? I have enabled all the Emergingthreats.net Community Rules by default without any fine tuning. (google translate)