Support #3506 (closed)
Errors while starting up 5.0.2 on CentOS 7.7.1908
Description
Hello to all! I installed version 5.0.2 from source on CentOS 7.7.1908 following this guide:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation
with the install-full option, and got no errors or warnings.
Issuing the initial test command:
sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i enp7s0
I get the following two repeating error types:
SC_ERR_DUPLICATE_SIG(176)
SC_ERR_INVALID_SIGNATURE(39)
each for a different rule:
[30678] 28/2/2020 -- 15:07:12 - (detect-parse.c:2313) <Error> (DetectEngineAppendSig) -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id DELETE"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004002; classtype:web-application-attack; sid:2004002; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)"
[30678] 28/2/2020 -- 15:07:12 - (detect-engine-loader.c:185) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id DELETE"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004002; classtype:web-application-attack; sid:2004002; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)" from file /var/lib/suricata/rules/suricata.rules at line 1
As I am a newbie to Suricata IDS, can you suggest possible corrections so that it starts up properly?
Files
Updated by Athanasios Viennas about 4 years ago
- File suricata-build-info.txt added
<<build-info>>
Updated by Athanasios Viennas about 4 years ago
<<INSTALL-OUTPUT>>
Updated by Andreas Herz about 4 years ago
- Status changed from New to Feedback
- Assignee set to Athanasios Viennas
- Priority changed from High to Normal
What does `grep 2004002 /var/lib/suricata/rules/suricata.rules` say? It's an issue with the rules in your rule file.
Updated by Athanasios Viennas about 4 years ago
Andreas Herz wrote in #note-4:
What does `grep 2004002 /var/lib/suricata/rules/suricata.rules` say? It's an issue with the rules in your rule file.
Hello! Thank you very much for the follow-up and guidance. I did a stupid thing and shut down the computer that has this setup, but I asked somebody who has access to the office to turn it on so that I can connect remotely and forward the output and any further info required. I hope I am lucky and can get back to this before Tuesday, as Monday is locally a bank holiday (Ash Monday).
Updated by Athanasios Viennas about 4 years ago
Andreas Herz wrote in #note-4:
What does `grep 2004002 /var/lib/suricata/rules/suricata.rules` say? It's an issue with the rules in your rule file.
The command output was:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id DELETE"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004002; classtype:web-application-attack; sid:2004002; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)
Updated by Andreas Herz over 3 years ago
This works for me; can you try this again with an update?
I passed this one rule via `-S /tmp/foo.rules` and nothing complained.
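The check Andreas asks for in #note-4, and the difference between the `-s` he was not using and the `-S` he was, can be reproduced offline. The following is an added example, not code from this thread or from the Suricata project. Suricata's documented CLI semantics are that `-s <file>` loads a rule file in addition to the `rule-files` listed in suricata.yaml, while `-S <file>` loads it exclusively; the script models that and then scans every loaded file for a `sid:` that appears more than once, which is the condition behind `SC_ERR_DUPLICATE_SIG`. The rule text, file paths and the assumption that the yaml already lists `/var/lib/suricata/rules/suricata.rules` (the default layout when rules come from suricata-update) are all constructed for the example; the original report does not show the yaml.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# A sid option inside a rule body: "sid:2004002;" (whitespace tolerated).
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def extract_sids(rule_text: str, source: str) -> List[Tuple[int, str, int]]:
    """Return (sid, source, first_line) for every active rule in rule_text.

    Lines that are blank or start with '#' (disabled rules, comments) are skipped.
    A trailing backslash continues a rule on the next line, as Suricata allows.
    """
    found = []
    buf = ""
    start = 0
    for n, line in enumerate(rule_text.splitlines(), 1):
        if not buf:
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            start = n
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
            continue
        rule = buf + line
        buf = ""
        m = SID_RE.search(rule)
        if m:
            found.append((int(m.group(1)), source, start))
    return found


def find_duplicate_sids(loaded: List[Tuple[str, str]]) -> Dict[int, List[Tuple[str, int]]]:
    """loaded is the ordered list of (path, contents) Suricata would parse.

    Returns sid -> [(path, line), ...] for every sid seen more than once,
    including the case where the *same file* is parsed twice.
    """
    seen = defaultdict(list)
    for path, text in loaded:
        for sid, src, line_no in extract_sids(text, path):
            seen[sid].append((src, line_no))
    return {sid: locs for sid, locs in seen.items() if len(locs) > 1}


def effective_rule_files(yaml_rule_files: List[str], cli_opt: str, cli_path: str) -> List[str]:
    """Model Suricata's rule-file selection: -s appends to the yaml list, -S replaces it."""
    if cli_opt == "-S":
        return [cli_path]
    if cli_opt == "-s":
        return list(yaml_rule_files) + [cli_path]
    return list(yaml_rule_files)


# Constructed sample rule file. The first rule is the one from the report,
# abridged to its identifying options; the others are made up for the example.
RULES_PATH = "/var/lib/suricata/rules/suricata.rules"
SAMPLE_RULES = "\n".join([
    "# a disabled copy must not be counted",
    '# alert tcp any any -> any any (msg:"disabled"; sid:2004002; rev:1;)',
    'alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal '
    'SQL Injection Attempt -- down_indir.asp id DELETE"; flow:established,to_server; '
    'content:"/down_indir.asp?"; nocase; http_uri; sid:2004002; rev:9;)',
    'alert tcp any any -> any 22 (msg:"CONSTRUCTED ssh to server"; \\',
    "    flow:to_server; sid:9000001; rev:1;)",
])


def simulate(cli_opt: str) -> Dict[int, List[Tuple[str, int]]]:
    """Run the duplicate check for `suricata <cli_opt> RULES_PATH` against a fake filesystem.

    Assumption (constructed): suricata.yaml already lists RULES_PATH in rule-files.
    """
    yaml_rule_files = [RULES_PATH]
    fake_fs = {RULES_PATH: SAMPLE_RULES}
    loaded = [(p, fake_fs[p]) for p in effective_rule_files(yaml_rule_files, cli_opt, RULES_PATH)]
    return find_duplicate_sids(loaded)


if __name__ == "__main__":
    for opt in ("-s", "-S"):
        dups = simulate(opt)
        print(f"{opt}: {len(dups)} duplicate sid(s)")
        for sid, locs in sorted(dups.items()):
            print(f"  sid {sid}: " + ", ".join(f"{p}:{ln}" for p, ln in locs))
```

With `-s` every sid in the file is reported twice, from the same file and line, because the file is parsed once for the yaml entry and once for the command line; with `-S` nothing is reported. On a real box the quick equivalent is `grep -c 'sid:2004002;' /var/lib/suricata/rules/suricata.rules` (a count of 1 means the file itself is clean and the duplicate comes from loading it twice) together with the `rule-files:` section of suricata.yaml.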
Updated by Andreas Herz about 2 years ago
- Status changed from Feedback to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs