Bug #252 (closed): no proper error for sigs with duplicate sid's

Added by Victor Julien over 13 years ago. Updated about 13 years ago.

Status: Closed
Priority: Normal

Description

It kicks one of the sigs out with a generic parsing error:

[17367] 14/12/2010 -- 18:45:05 - (detect.c:526) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2008124; rev:2;)" from file 2008124.rule at line 3

2 problems:
1. it's not a parsing error
2. it doesn't give any useful info on why the sig is rejected



#1

Updated by Gurvinder Singh over 13 years ago

Attached patch gives error when the duplicate signature is detected.

#2

Updated by Victor Julien over 13 years ago

This doesn't appear to work:

./src/suricata -c suricata2.yaml -s ~/Desktop/duplicate.txt -r null
[12099] 17/12/2010 -- 10:08:23 - (detect.c:627) <Info> (SigLoadSignatures) -- Loading rule file: /home/victor/Desktop/duplicate.txt
[12099] 17/12/2010 -- 10:08:23 - (detect.c:526) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any -> any any (sid:1; rev:2;)" from file /home/victor/Desktop/duplicate.txt at line 2
[12099] 17/12/2010 -- 10:08:23 - (detect.c:526) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any -> any any (sid:1; rev:3;)" from file /home/victor/Desktop/duplicate.txt at line 3
[12099] 17/12/2010 -- 10:08:23 - (detect.c:653) <Info> (SigLoadSignatures) -- 1 rule files processed. 1 rules succesfully loaded, 2 rules failed

Contents of the file:
alert tcp any any -> any any (sid:1; rev:1;)
alert tcp any any -> any any (sid:1; rev:2;)
alert tcp any any -> any any (sid:1; rev:3;)

As you can see, it not only doesn't print the proper error, it also rejects the wrong sigs. The sid 1, rev 3 should be loaded.

#3

Updated by Gurvinder Singh over 13 years ago

Attached is the updated patch for this issue. Thanks Victor for pointing out this case! Now the output is:

[8940] 25/12/2010 -- 14:32:00 - (detect.c:594) <Info> (SigLoadSignatures) -- Loading rule file: b252.rules
[8940] 25/12/2010 -- 14:32:00 - (detect-parse.c:1919) <Warning> (DetectEngineAppendSig) -- [ERRCODE: SC_ERR_DUPLICATE_SIG(174)] - Signature with newer revision, so the older sig replaced by this new signature "alert tcp any any -> any any (sid:1; rev:2;)"
[8940] 25/12/2010 -- 14:32:00 - (detect-parse.c:1919) <Warning> (DetectEngineAppendSig) -- [ERRCODE: SC_ERR_DUPLICATE_SIG(174)] - Signature with newer revision, so the older sig replaced by this new signature "alert tcp any any -> any any (sid:1; rev:3;)"
[8940] 25/12/2010 -- 14:32:00 - (detect.c:625) <Info> (SigLoadSignatures) -- 71 rule files processed. 3 rules succesfully loaded, 0 rules failed
[8940] 25/12/2010 -- 14:32:00 - (detect.c:2068) <Info> (SigAddressPrepareStage1) -- 1 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
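The rev-aware duplicate handling that the output above demonstrates, as an added example that is not Suricata's code: a small rule loader that keeps the highest rev per sid, warns when a newer rev replaces an older one, and rejects a same-or-older rev with an explicit duplicate-sid error instead of a generic parsing error. The rejection branch and the rev default of 0 are assumptions, since the thread only shows the newer-rev case.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rule file: the three-line case from comment #2 (sid 1, rev 1/2/3).
SAMPLE_RULES = """\
alert tcp any any -> any any (sid:1; rev:1;)
alert tcp any any -> any any (sid:1; rev:2;)
alert tcp any any -> any any (sid:1; rev:3;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_sid_rev(rule: str) -> Tuple[int, int]:
    """Extract sid and rev from a rule; a missing rev is treated as 0 (assumption for this example)."""
    sid_m = SID_RE.search(rule)
    if sid_m is None:
        raise ValueError("rule has no sid")
    rev_m = REV_RE.search(rule)
    return int(sid_m.group(1)), (int(rev_m.group(1)) if rev_m else 0)


def load_rules(text: str) -> Tuple[Dict[int, Tuple[int, str]], List[str]]:
    """Return (loaded signatures keyed by sid, log messages).

    A duplicate sid with a newer rev replaces the already loaded signature (warning);
    a duplicate with the same or an older rev is rejected with a duplicate-sid error,
    so the caller learns why the rule was dropped rather than seeing a parse failure.
    """
    loaded: Dict[int, Tuple[int, str]] = {}
    log: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        try:
            sid, rev = parse_sid_rev(rule)
        except ValueError as exc:
            log.append(f"<Error> SC_ERR_INVALID_SIGNATURE: {exc} at line {lineno}")
            continue
        if sid in loaded:
            old_rev, _ = loaded[sid]
            if rev > old_rev:
                log.append(f"<Warning> SC_ERR_DUPLICATE_SIG: sid {sid} rev {old_rev} replaced by rev {rev} (line {lineno})")
            else:
                log.append(f"<Error> SC_ERR_DUPLICATE_SIG: sid {sid} rev {rev} at line {lineno} is not newer than loaded rev {old_rev}, rejected")
                continue
        loaded[sid] = (rev, rule)
    return loaded, log
```

Running it on the sample yields exactly one loaded signature, sid 1 at rev 3, with two replacement warnings; feeding the same lines in reverse order keeps rev 3 and logs two rejections.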

#4

Updated by Victor Julien about 13 years ago

• Status changed from Resolved to Closed
• % Done changed from 90 to 100

Applied, thanks Gurvinder.
