Project

General

Profile

Actions

Bug #2372

closed

Non-deterministic behavior when encountering duplicated SIDs

Added by Nick Price almost 7 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Long story short, because suricata-update reads commented-out rules in addition to normal rules, things get really weird if you have one .rules file with a SID commented out and a separate .rules file without it commented out, and doubly so if you're trying to threshold those rules using threshold.in.

I was doing this as a way to enable rules that were commented-out by default in rulesets that I downloaded, rather than by modifying the files each time they were pulled down.

We should probably fire off a warning or something if suricata-update encounters a SID that it thinks it already knows about.

Actions #1

Updated by Jason Ish almost 7 years ago

  • Status changed from New to Assigned
  • Priority changed from Normal to High
  • Target version set to 1.0.0b1

I plan to add preference to the rule with the highest revision and log an info or warning message when encountered. I’ll do this sooner than later to make it deterministic before the next release.

Actions #2

Updated by Victor Julien over 6 years ago

  • Target version deleted (1.0.0b1)
  • Affected Versions 1.0.0b1 added
Actions #3

Updated by Victor Julien about 6 years ago

  • Target version set to 1.0.0

Since you've mentioned you'd address this before the next release, I thought it'd be safe to assign it to 1.0.0.

Actions #4

Updated by Jason Ish almost 6 years ago

  • Target version deleted (1.0.0)
Actions #5

Updated by Jason Ish over 5 years ago

  • Priority changed from High to Normal
  • Target version set to TBD
Actions #6

Updated by Shivani Bhardwaj over 5 years ago

  • Status changed from Assigned to Closed
Actions #7

Updated by Jason Ish about 5 years ago

Shivani: I can't remember why this was closed. Do you?

Actions #8

Updated by Shivani Bhardwaj about 5 years ago

Jason Ish wrote:

I plan to add preference to the rule with the highest revision and log an info or warning message when encountered. I’ll do this sooner than later to make it deterministic before the next release.

Jason, maybe because this was done in https://github.com/OISF/suricata-update/commit/6c87a153bc1b011acdb16dbc17bd1fea07948220 ?

Actions #9

Updated by Jason Ish about 5 years ago

  • Target version changed from TBD to 1.1.0rc1

Shivani Bhardwaj wrote:

Jason Ish wrote:

I plan to add preference to the rule with the highest revision and log an info or warning message when encountered. I’ll do this sooner than later to make it deterministic before the next release.

Jason, maybe because this was done in https://github.com/OISF/suricata-update/commit/6c87a153bc1b011acdb16dbc17bd1fea07948220 ?

Ok. Works for me.

Actions

Also available in: Atom PDF