Project

General

Profile

Actions

Bug #252

closed

no proper error for sigs with duplicate sid's

Added by Victor Julien about 14 years ago. Updated almost 14 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

It kicks one of the sigs out with a generic parsing error:

[17367] 14/12/2010 -- 18:45:05 - (detect.c:526) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2008124; rev:2;)" from file 2008124.rule at line 3

2 problems:
1. it's not a parsing error
2. it doesn't give any useful info on why the sig is rejected.


Files

Actions #1

Updated by Gurvinder Singh about 14 years ago

Attached patch gives error when the duplicate signature is detected.

Actions #2

Updated by Victor Julien about 14 years ago

This doesn't appear to work:

  1. ./src/suricata c suricata2.yaml -s ~/Desktop/duplicate.txt -r null
    [12099] 17/12/2010 -
    10:08:23 - (detect.c:627) <Info> (SigLoadSignatures) -- Loading rule file: /home/victor/Desktop/duplicate.txt
    [12099] 17/12/2010 -- 10:08:23 - (detect.c:526) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any > any any (sid:1; rev:2;)" from file /home/victor/Desktop/duplicate.txt at line 2
    [12099] 17/12/2010 -
    10:08:23 - (detect.c:526) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any > any any (sid:1; rev:3;)" from file /home/victor/Desktop/duplicate.txt at line 3
    [12099] 17/12/2010 -
    10:08:23 - (detect.c:653) <Info> (SigLoadSignatures) -- 1 rule files processed. 1 rules succesfully loaded, 2 rules failed

Contents of the file:
alert tcp any any -> any any (sid:1; rev:1;)
alert tcp any any -> any any (sid:1; rev:2;)
alert tcp any any -> any any (sid:1; rev:3;)

As you can see it not only doesn't print the proper error, it also rejects the wrong sigs. The sid 1, rev 3 should be loaded.

Actions #3

Updated by Gurvinder Singh almost 14 years ago

attached is the updated patch for this issue. Thanks Victor for pointing out this case !! Now the output is

[8940] 25/12/2010 -- 14:32:00 - (detect.c:594) <Info> (SigLoadSignatures) -- Loading rule file: b252.rules
[8940] 25/12/2010 -- 14:32:00 - (detect-parse.c:1919) <Warning> (DetectEngineAppendSig) -- [ERRCODE: SC_ERR_DUPLICATE_SIG(174)] - Signature with newer revision, so the older sig replaced by this new signature "alert tcp any any > any any (sid:1; rev:2;)"
[8940] 25/12/2010 -
14:32:00 - (detect-parse.c:1919) <Warning> (DetectEngineAppendSig) -- [ERRCODE: SC_ERR_DUPLICATE_SIG(174)] - Signature with newer revision, so the older sig replaced by this new signature "alert tcp any any > any any (sid:1; rev:3;)"
[8940] 25/12/2010 -
14:32:00 - (detect.c:625) <Info> (SigLoadSignatures) -- 71 rule files processed. 3 rules succesfully loaded, 0 rules failed
[8940] 25/12/2010 -- 14:32:00 - (detect.c:2068) <Info> (SigAddressPrepareStage1) -- 1 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only

Actions #4

Updated by Victor Julien almost 14 years ago

  • Status changed from Resolved to Closed
  • % Done changed from 90 to 100

Applied, thanks Gurvinder.

Actions

Also available in: Atom PDF