Bug #2372
closed
Non-deterministic behavior when encountering duplicated SIDs
Description
Long story short, because suricata-update reads commented-out rules in addition to normal rules, things get really weird if you have one .rules file with a SID commented out and a separate .rules file without it commented out, and doubly so if you're trying to threshold those rules using threshold.in.
I was doing this as a way to enable rules that were commented-out by default in rulesets that I downloaded, rather than by modifying the files each time they were pulled down.
We should probably fire off a warning or something if suricata-update encounters a SID that it thinks it already knows about.
Updated by Jason Ish about 7 years ago
- Status changed from New to Assigned
- Priority changed from Normal to High
- Target version set to 1.0.0b1
I plan to add preference to the rule with the highest revision and log an info or warning message when encountered. I’ll do this sooner than later to make it deterministic before the next release.
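The resolution policy proposed in the comment above (prefer the highest revision and log a warning on a duplicate SID), sketched as an added example; this is not suricata-update's own code. The simplified rule regex, the file names, the sample rules and the enabled-beats-disabled tie-break on equal revisions are assumptions of the example.

```python
import logging
import re

logger = logging.getLogger("dup-sid-example")

# Simplified matcher for enabled and commented-out rule lines (illustration only).
RULE_RE = re.compile(r"^(?P<off>#\s*)?(?:alert|drop|pass|reject)\s.*?\((?P<opts>.*)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

# Constructed sample input: each SID appears in both files with a different state.
SAMPLE = [
    ("vendor.rules",
     '# alert tcp any any -> any 80 (msg:"constructed A"; sid:1000001; rev:2;)\n'
     'alert tcp any any -> any 443 (msg:"constructed B"; sid:1000002; rev:1;)\n'),
    ("local.rules",
     'alert tcp any any -> any 80 (msg:"constructed A"; sid:1000001; rev:2;)\n'
     '# alert tcp any any -> any 443 (msg:"constructed B"; sid:1000002; rev:3;)\n'),
]


def parse_rule(line, source):
    """Return a dict for a rule line (enabled or commented out), else None."""
    m = RULE_RE.match(line.strip())
    sid = SID_RE.search(m.group("opts")) if m else None
    if not sid:
        return None
    rev = REV_RE.search(m.group("opts"))
    return {"sid": int(sid.group(1)), "rev": int(rev.group(1)) if rev else 0,
            "enabled": m.group("off") is None, "source": source}


def resolve(files):
    """files: ordered list of (name, text). Returns ({sid: rule}, [duplicate sids])."""
    rulemap, dups = {}, []
    for name, text in files:
        for line in text.splitlines():
            rule = parse_rule(line, name)
            if rule is None:
                continue
            old = rulemap.get(rule["sid"])
            if old is None:
                rulemap[rule["sid"]] = rule
                continue
            dups.append(rule["sid"])
            logger.warning("duplicate SID %d: %s rev %d vs %s rev %d", rule["sid"],
                           old["source"], old["rev"], name, rule["rev"])
            # Highest rev wins; on equal rev an enabled rule beats a disabled one
            # (tie-break is an assumption of this example); otherwise first seen stays.
            if (rule["rev"], rule["enabled"]) > (old["rev"], old["enabled"]):
                rulemap[rule["sid"]] = rule
    return rulemap, dups
```

With the constructed sample, SID 1000002 ends up disabled because the commented-out copy carries the higher revision, which is the case the logged warning is there to surface. The result is the same regardless of the order in which the two files are read.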
Updated by Victor Julien over 6 years ago
- Target version deleted (1.0.0b1)
- Affected Versions 1.0.0b1 added
Updated by Victor Julien over 6 years ago
- Target version set to 1.0.0
Since you've mentioned you'd address this before the next release, I thought it'd be safe to assign it to 1.0.0.
Updated by Jason Ish almost 6 years ago
- Priority changed from High to Normal
- Target version set to TBD
Updated by Shivani Bhardwaj over 5 years ago
- Status changed from Assigned to Closed
Updated by Jason Ish over 5 years ago
Shivani: I can't remember why this was closed. Do you?
Updated by Shivani Bhardwaj over 5 years ago
Jason Ish wrote:
I plan to add preference to the rule with the highest revision and log an info or warning message when encountered. I’ll do this sooner than later to make it deterministic before the next release.
Jason, maybe because this was done in https://github.com/OISF/suricata-update/commit/6c87a153bc1b011acdb16dbc17bd1fea07948220 ?
Updated by Jason Ish over 5 years ago
- Target version changed from TBD to 1.1.0rc1
Shivani Bhardwaj wrote:
Jason Ish wrote:
I plan to add preference to the rule with the highest revision and log an info or warning message when encountered. I’ll do this sooner than later to make it deterministic before the next release.
Jason, maybe because this was done in https://github.com/OISF/suricata-update/commit/6c87a153bc1b011acdb16dbc17bd1fea07948220 ?
Ok. Works for me.