Bug #2372

Non-deterministic behavior when encountering duplicated SIDs

Added by Nick Price over 3 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Long story short, because suricata-update reads commented-out rules in addition to normal rules, things get really weird if you have one .rules file with a SID commented out and a separate .rules file without it commented out, and doubly so if you're trying to threshold those rules using threshold.in.

I was doing this as a way to enable rules that were commented-out by default in rulesets that I downloaded, rather than by modifying the files each time they were pulled down.

We should probably fire off a warning or something if suricata-update encounters a SID that it thinks it already knows about.

#1

Updated by Jason Ish over 3 years ago

  • Status changed from New to Assigned
  • Priority changed from Normal to High
  • Target version set to 1.0.0b1

I plan to add preference to the rule with the highest revision and log an info or warning message when encountered. I’ll do this sooner than later to make it deterministic before the next release.
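The behaviour described in the report and the fix sketched in this comment, as an added example that is not suricata-update's own code: a small loader that reads both active and commented-out rules from several .rules files, keys them by SID, logs a warning whenever a SID is seen twice, and resolves the conflict deterministically by keeping the highest rev. The tie-break (an enabled copy beats a commented-out copy at equal rev, otherwise the first file in sorted order wins), the file names and the rule lines with SIDs in the 9000001 range are all constructed for this example and are not taken from the project or from any real ruleset.

```python
import logging
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

logging.basicConfig(level=logging.WARNING, format="%(levelname)s: %(message)s")
log = logging.getLogger("sid-dedup-example")

# Just enough parsing to pull sid/rev out of a rule line; a full Suricata
# rule parser handles far more than this example needs.
ACTION_RE = re.compile(
    r"^\s*(#\s*)?(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\b"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


@dataclass
class Rule:
    sid: int
    rev: int
    enabled: bool   # False when the line was commented out with '#'
    raw: str        # rule text with any leading comment marker stripped
    source: str     # file the rule came from, for the duplicate warning


def parse_rule(line: str, source: str) -> Optional[Rule]:
    """Parse one line; return None for blank lines and ordinary comments.

    A line such as '#alert tcp ...' is treated as a disabled rule, which is
    exactly what makes duplicated SIDs across files a problem.
    """
    m = ACTION_RE.match(line)
    if not m:
        return None
    enabled = m.group(1) is None
    body = line.strip()
    if not enabled:
        body = body.lstrip("#").strip()
    sid_m = SID_RE.search(body)
    if not sid_m:
        return None  # no sid: not a usable rule, skip it
    rev_m = REV_RE.search(body)
    rev = int(rev_m.group(1)) if rev_m else 0
    return Rule(int(sid_m.group(1)), rev, enabled, body, source)


def load_rules(files: Dict[str, str]) -> List[Rule]:
    """Parse every rule (enabled or not) from a mapping of file name -> text."""
    rules: List[Rule] = []
    # Sorted file order keeps the result independent of directory listing order.
    for name in sorted(files):
        for line in files[name].splitlines():
            r = parse_rule(line, name)
            if r is not None:
                rules.append(r)
    return rules


def dedupe(rules: List[Rule]) -> Tuple[Dict[int, Rule], List[str]]:
    """Pick one rule per SID, warning on each duplicate encountered."""
    chosen: Dict[int, Rule] = {}
    warnings: List[str] = []
    for r in rules:
        cur = chosen.get(r.sid)
        if cur is None:
            chosen[r.sid] = r
            continue
        state = lambda x: "enabled" if x.enabled else "disabled"
        msg = (f"duplicate sid {r.sid}: {cur.source} rev {cur.rev} ({state(cur)}) "
               f"vs {r.source} rev {r.rev} ({state(r)})")
        warnings.append(msg)
        log.warning(msg)
        # Highest rev wins; at equal rev an enabled copy beats a commented-out
        # one; otherwise the first one seen is kept. (Tie rules are this
        # example's assumption, not necessarily what suricata-update does.)
        if (r.rev, r.enabled) > (cur.rev, cur.enabled):
            chosen[r.sid] = r
    return chosen, warnings


# Constructed sample input: a downloaded ruleset with one rule disabled by
# default, and a local file that re-enables it and ships a newer revision of
# another rule. SIDs are placeholders, not real signature IDs.
SAMPLE_FILES = {
    "downloaded-example.rules": "\n".join([
        "# constructed sample, not a real ruleset",
        '#alert tcp any any -> any 80 (msg:"EXAMPLE disabled by default"; sid:9000001; rev:2;)',
        'alert tcp any any -> any 443 (msg:"EXAMPLE normal rule"; sid:9000002; rev:1;)',
    ]),
    "local.rules": "\n".join([
        'alert tcp any any -> any 80 (msg:"EXAMPLE enabled copy"; sid:9000001; rev:2;)',
        'alert tcp any any -> any 443 (msg:"EXAMPLE newer revision"; sid:9000002; rev:3;)',
        'alert udp any any -> any 53 (msg:"EXAMPLE only here"; sid:9000003; rev:1;)',
    ]),
}


def resolve(files: Dict[str, str] = SAMPLE_FILES) -> Tuple[Dict[int, Rule], List[str]]:
    return dedupe(load_rules(files))


if __name__ == "__main__":
    chosen, warnings = resolve()
    for sid in sorted(chosen):
        r = chosen[sid]
        print(f"sid {sid}: rev {r.rev} from {r.source} ({'enabled' if r.enabled else 'disabled'})")
    print(f"{len(warnings)} duplicate SID(s) reported")
```

Because the winner is chosen by (rev, enabled) and files are read in sorted order, the same set of files always yields the same rule per SID regardless of the order the directory is listed in, which is the property the report says was missing; the warning gives the operator the file names and revisions needed to clean up the duplicate.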

#2

Updated by Victor Julien over 2 years ago

  • Target version deleted (1.0.0b1)
  • Affected Versions 1.0.0b1 added

#3

Updated by Victor Julien over 2 years ago

  • Target version set to 1.0.0

Since you've mentioned you'd address this before the next release, I thought it'd be safe to assign it to 1.0.0.

#4

Updated by Jason Ish over 2 years ago

  • Target version deleted (1.0.0)

#5

Updated by Jason Ish about 2 years ago

  • Priority changed from High to Normal
  • Target version set to Soon

#6

Updated by Shivani Bhardwaj almost 2 years ago

  • Status changed from Assigned to Closed

#7

Updated by Jason Ish over 1 year ago

Shivani: I can't remember why this was closed. Do you?

#8

Updated by Shivani Bhardwaj over 1 year ago

Jason Ish wrote:

I plan to add preference to the rule with the highest revision and log an info or warning message when encountered. I’ll do this sooner than later to make it deterministic before the next release.

Jason, maybe because this was done in https://github.com/OISF/suricata-update/commit/6c87a153bc1b011acdb16dbc17bd1fea07948220 ?

#9

Updated by Jason Ish over 1 year ago

  • Target version changed from Soon to 1.1.0rc1

Shivani Bhardwaj wrote:

Jason Ish wrote:

I plan to add preference to the rule with the highest revision and log an info or warning message when encountered. I’ll do this sooner than later to make it deterministic before the next release.

Jason, maybe because this was done in https://github.com/OISF/suricata-update/commit/6c87a153bc1b011acdb16dbc17bd1fea07948220 ?

Ok. Works for me.
