Bug #173: new request for detecting duplicate sig on suricata

Added by rmkml rmkml almost 16 years ago. Updated almost 16 years ago.

Status: Closed
Priority: Normal
Target version / Affected Versions / Effort / Difficulty / Label: not set

Description

Hi,
If possible, could you add detection for duplicate sigs please?
For example, if I add two files containing the same sig, like:
...
- snmp.rules
...
- snmp.rules
...
actually, all sigs in these files (snmp.rules) generate two alerts...
(I discovered this by error in my test conf.)
Maybe it's a good idea to detect this.
Tested on today's suricata git (79443b1991840930ded4b8f09ba6de7b000912d9).
Regards
Rmkml



Updated by Victor Julien almost 16 years ago #1

  • Due date set to 06/21/2010
  • Status changed from New to Assigned
  • Assignee set to Anoop Saldanha
  • Target version set to 0.9.3
  • Estimated time set to 4.00 h

Anoop, can you filter out the dup sigs in the signature ordering process? The sig with the highest rev should be used.

Updated by Anoop Saldanha almost 16 years ago #2

Victor Julien wrote:

> Anoop, can you filter out the dup sigs in the signature ordering process? The sig with the highest rev should be used.

ya, cool!

Updated by Victor Julien almost 16 years ago #4

  • Due date changed from 06/21/2010 to 06/27/2010
  • Target version changed from 0.9.3 to 1.0.0
  • % Done changed from 0 to 50
  • Estimated time changed from 4.00 h to 7.00 h

Thanks Anoop. I'd like to see one change. I want all the duplicate checking logic to be hidden from the normal signature initialization code, especially from DetectEngineAppendSig. In that function I'd like to see just a check like "if (SignatureIsDuplicate(s) == TRUE) { goto free_sig; }". The gory details of the SigWrapper, hash table, etc. can then be hidden all behind that call.
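To make the shape being asked for concrete, here is an added C sketch written for this page; it is not Suricata's code and not the patch attached to this ticket. DetectEngineAppendSig stays ordinary signature-init code with one SignatureIsDuplicate() call, and the (gid, sid)-keyed hash plus the "highest rev wins" rule from comment #1 sit entirely behind that call. The Signature and DetectEngineCtx structs, the intrusive hnext chain used here in place of a separate SigWrapper, the hash function, and the rule set built by NewDemoCtx are all constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
/* Simplified stand-ins for Suricata's Signature and DetectEngineCtx, written for
 * this example only; the project's real structs differ. */
typedef struct Signature_ {
    uint32_t gid, sid, rev;
    struct Signature_ *next;    /* de_ctx->sig_list chain */
    struct Signature_ *hnext;   /* duplicate-check hash chain, keyed on (gid, sid) */
} Signature;

#define SIG_DUP_HASH_SIZE 1024

typedef struct DetectEngineCtx_ {
    Signature *sig_list;
    Signature *dup_hash[SIG_DUP_HASH_SIZE];
    int sig_cnt;
} DetectEngineCtx;

static uint32_t SigDupHashKey(uint32_t gid, uint32_t sid) {
    return (gid * 2654435761u ^ sid) % SIG_DUP_HASH_SIZE;
}

/* Unlink a sig from de_ctx->sig_list; only called for sigs known to be on it. */
static void SigListRemove(DetectEngineCtx *de_ctx, Signature *victim) {
    Signature **pp = &de_ctx->sig_list;
    while (*pp != victim)
        pp = &(*pp)->next;
    *pp = victim->next;
    de_ctx->sig_cnt--;
}

/* All duplicate-tracking detail lives behind this one call. Returns 1 when the
 * caller must free s: the same (gid, sid) is loaded with an equal or higher rev.
 * Returns 0 when s is new, or carries the higher rev; in that case the older copy
 * has already been unlinked and freed, so the caller appends s as usual. */
static int SignatureIsDuplicate(DetectEngineCtx *de_ctx, Signature *s) {
    Signature **pp = &de_ctx->dup_hash[SigDupHashKey(s->gid, s->sid)];
    for (; *pp != NULL; pp = &(*pp)->hnext) {
        Signature *old = *pp;
        if (old->gid != s->gid || old->sid != s->sid)
            continue;
        if (s->rev <= old->rev)
            return 1;               /* loaded copy wins, or is identical */
        s->hnext = old->hnext;      /* newcomer has the higher rev: swap it in */
        *pp = s;
        SigListRemove(de_ctx, old);
        free(old);
        return 0;
    }
    *pp = s;                        /* first time this (gid, sid) is seen */
    return 0;
}

/* The shape the thread asks for: plain init code with a single duplicate check
 * and no hash-table details visible. */
static Signature *DetectEngineAppendSig(DetectEngineCtx *de_ctx,
                                        uint32_t gid, uint32_t sid, uint32_t rev) {
    Signature *s = calloc(1, sizeof(*s));
    if (s == NULL) return NULL;
    s->gid = gid; s->sid = sid; s->rev = rev;
    if (SignatureIsDuplicate(de_ctx, s))
        goto free_sig;
    s->next = de_ctx->sig_list;     /* prepend; ordering is a later pass */
    de_ctx->sig_list = s;
    de_ctx->sig_cnt++;
    return s;
free_sig:
    free(s);
    return NULL;
}

/* Rev loaded for (gid, sid), or 0 if that sig is not loaded. */
static uint32_t LoadedRev(DetectEngineCtx *de_ctx, uint32_t gid, uint32_t sid) {
    Signature *s;
    for (s = de_ctx->sig_list; s != NULL; s = s->next)
        if (s->gid == gid && s->sid == sid)
            return s->rev;
    return 0;
}

/* Constructed load reproducing the report: two sigs fed twice (snmp.rules listed
 * twice), then a newer and an older rev of one, and the same sid under another gid,
 * which is a distinct key. Ends with 3 sigs loaded and sid 2000001 at rev 7. */
static DetectEngineCtx *NewDemoCtx(void) {
    DetectEngineCtx *de_ctx = calloc(1, sizeof(*de_ctx));
    if (de_ctx == NULL) abort();
    DetectEngineAppendSig(de_ctx, 1, 2000001, 5);
    DetectEngineAppendSig(de_ctx, 1, 2000002, 5);
    DetectEngineAppendSig(de_ctx, 1, 2000001, 5);   /* second snmp.rules: dropped */
    DetectEngineAppendSig(de_ctx, 1, 2000002, 5);   /* dropped */
    DetectEngineAppendSig(de_ctx, 1, 2000001, 7);   /* higher rev replaces rev 5 */
    DetectEngineAppendSig(de_ctx, 1, 2000001, 6);   /* stale rev: dropped */
    DetectEngineAppendSig(de_ctx, 2, 2000001, 1);   /* other gid: a new key */
    return de_ctx;
}

static int DemoSigCount(void) { return NewDemoCtx()->sig_cnt; }
static uint32_t DemoLoadedRev(uint32_t gid, uint32_t sid) { return LoadedRev(NewDemoCtx(), gid, sid); }
```

Two points a reviewer would check in a real loader: the key must include gid as well as sid, otherwise unrelated generators collide, and each dropped or replaced sig should be logged, since a silently deduplicated rule set hides exactly the misconfigured rule path the reporter hit.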

Updated by Anoop Saldanha almost 16 years ago #5

Attached a new patch. Separated the details from AppendSig into a separate one.

Updated by Victor Julien almost 16 years ago #6

  • Status changed from Assigned to Closed
  • % Done changed from 50 to 100

Patch applied, thanks Anoop.
