Bug #252
closed
no proper error for sigs with duplicate sid's
Added by Victor Julien over 13 years ago.
Updated about 13 years ago.
Description
It kicks one of the sigs out with a generic parsing error:
[17367] 14/12/2010 -- 18:45:05 - (detect.c:526) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2008124; rev:2;)" from file 2008124.rule at line 3
2 problems:
1. it's not a parsing error
2. it doesn't give any useful info on why the sig is rejected.
Files
Attached patch gives error when the duplicate signature is detected.
This doesn't appear to work:
- ./src/suricata
c suricata2.yaml -s ~/Desktop/duplicate.txt -r null
[12099] 17/12/2010 - 10:08:23 - (detect.c:627) <Info> (SigLoadSignatures) -- Loading rule file: /home/victor/Desktop/duplicate.txt
[12099] 17/12/2010 -- 10:08:23 - (detect.c:526) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any > any any (sid:1; rev:2;)" from file /home/victor/Desktop/duplicate.txt at line 2
[12099] 17/12/2010 - 10:08:23 - (detect.c:526) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any > any any (sid:1; rev:3;)" from file /home/victor/Desktop/duplicate.txt at line 3
[12099] 17/12/2010 - 10:08:23 - (detect.c:653) <Info> (SigLoadSignatures) -- 1 rule files processed. 1 rules succesfully loaded, 2 rules failed
Contents of the file:
alert tcp any any -> any any (sid:1; rev:1;)
alert tcp any any -> any any (sid:1; rev:2;)
alert tcp any any -> any any (sid:1; rev:3;)
As you can see it not only doesn't print the proper error, it also rejects the wrong sigs. The sid 1, rev 3 should be loaded.
attached is the updated patch for this issue. Thanks Victor for pointing out this case !! Now the output is
[8940] 25/12/2010 -- 14:32:00 - (detect.c:594) <Info> (SigLoadSignatures) -- Loading rule file: b252.rules
[8940] 25/12/2010 -- 14:32:00 - (detect-parse.c:1919) <Warning> (DetectEngineAppendSig) -- [ERRCODE: SC_ERR_DUPLICATE_SIG(174)] - Signature with newer revision, so the older sig replaced by this new signature "alert tcp any any > any any (sid:1; rev:2;)"
[8940] 25/12/2010 - 14:32:00 - (detect-parse.c:1919) <Warning> (DetectEngineAppendSig) -- [ERRCODE: SC_ERR_DUPLICATE_SIG(174)] - Signature with newer revision, so the older sig replaced by this new signature "alert tcp any any > any any (sid:1; rev:3;)"
[8940] 25/12/2010 - 14:32:00 - (detect.c:625) <Info> (SigLoadSignatures) -- 71 rule files processed. 3 rules succesfully loaded, 0 rules failed
[8940] 25/12/2010 -- 14:32:00 - (detect.c:2068) <Info> (SigAddressPrepareStage1) -- 1 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
- Status changed from Resolved to Closed
- % Done changed from 90 to 100
Applied, thanks Gurvinder.
Also available in: Atom
PDF