Support #3530
Closed
Fail to start under Windows with [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature
Description
Sorry to bother you! I installed version 5.0.1 under Windows 10 correctly.
I have tested the yaml:
D:\suricata>suricata.exe -c suricata.yaml -T
[11412] 16/3/2020 -- 10:44:42 - (win32-service.c:53) <Info> (SCRunningAsService) -- Running as service: no
[11412] 16/3/2020 -- 10:44:42 - (suricata.c:1905) <Info> (ParseCommandLine) -- Running suricata under test mode
[11412] 16/3/2020 -- 10:44:42 - (suricata.c:1083) <Notice> (LogVersion) -- This is Suricata version 5.0.1 RELEASE running in SYSTEM mode
[11412] 16/3/2020 -- 10:44:42 - (suricata.c:3060) <Notice> (main) -- Configuration provided was successfully loaded. Exiting.
Issuing the initial test command: suricata.exe -c suricata.yaml -s D:\suricata\rules\local.rules -i 192.168.0.105
I get the following two repeating error types: SC_ERR_DUPLICATE_SIG(176) - Duplicate signature
SC_ERR_INVALID_SIGNATURE(39) - error parsing signature
D:\suricata>suricata.exe -c suricata.yaml -s D:\suricata\rules\local.rules -i 192.168.0.105
[4308] 16/3/2020 -- 10:29:17 - (win32-service.c:53) <Info> (SCRunningAsService) -- Running as service: no
[4308] 16/3/2020 -- 10:29:20 - (suricata.c:1152) <Info> (ParseCommandLinePcapLive) -- translated 192.168.0.105 to pcap device \Device\NPF_{1ED6D1E9-B4CD-4389-9DDE-DE78FFB2D2B2}
[4308] 16/3/2020 -- 10:29:20 - (suricata.c:1083) <Notice> (LogVersion) -- This is Suricata version 5.0.1 RELEASE running in SYSTEM mode
[4308] 16/3/2020 -- 10:29:20 - (tm-threads.c:2164) <Notice> (TmThreadWaitOnThreadInit) -- all 5 packet processing threads, 4 management threads initialized, engine started.
[4308] 16/3/2020 -- 10:29:20 - (detect-engine.c:4007) <Notice> (DetectEngineReload) -- rule reload starting
[4308] 16/3/2020 -- 10:29:20 - (detect-parse.c:2310) <Error> (DetectEngineAppendSig) -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert http any any -> $EXTERNAL_NET any (msg:"hit baidu.com...";content:"baidu"; reference:url, www.baidu.com; sid:2229998; rev:2;)"
[4308] 16/3/2020 -- 10:29:20 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $EXTERNAL_NET any (msg:"hit baidu.com...";content:"baidu"; reference:url, www.baidu.com; sid:2229998; rev:2;)" from file D:\suricata\rules\local.rules at line 1
[4308] 16/3/2020 -- 10:29:20 - (detect-engine.c:4078) <Notice> (DetectEngineReload) -- rule reload complete
[4308] 16/3/2020 -- 10:29:20 - (suricata.c:2592) <Notice> (PostRunStartedDetectSetup) -- Signature(s) loaded, Detect thread(s) activated.
I have noticed the same problem as mine before. But I didn't get the exact way to solve it. As I am a newbie to Suricata IDS, can you suggest possible corrections to have it start up properly?
Updated by Peter Manev over 4 years ago
The signature in "from file D:\suricata\rules\local.rules at line 1" is a duplicate of the same signature from another file.
The command switch "-s D:\suricata\rules\local.rules" adds the rules in D:\suricata\rules\local.rules to be loaded in addition to what is already defined in suricata.yaml - I suspect that's why there are duplicates.
You can try
"D:\suricata>suricata.exe -c suricata.yaml -T -vvv"
and you will see the signatures it loads (what they are and where they reside, if any).
I assume you installed the MSI? You can try 5.0.2 as well, as it is the latest stable supported.
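The duplicate discussed above can be found before starting the engine. The following Python script is an added example, not code from this thread or from the Suricata project: it models how `-s` appends a file to the rule files listed in suricata.yaml while `-S` loads a file exclusively, then reports every sid that would be loaded more than once. The function names, the `rule-files` list and the second rule file are constructed assumptions, and it assumes one rule per line with the default gid.

```python
import re
from collections import defaultdict

# Matches the sid keyword inside a rule's option block, e.g. "sid:2229998;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def effective_rule_files(yaml_rule_files, extra=None, exclusive=None):
    """Model of the load list: -S replaces the yaml list, -s appends to it."""
    if exclusive is not None:
        return [exclusive]
    files = list(yaml_rule_files)
    if extra is not None:
        files.append(extra)
    return files

def find_duplicate_sids(load_order, contents):
    """Return {sid: [(file, line_no), ...]} for every sid loaded more than once.

    load_order: file names in the order they would be loaded (repeats allowed).
    contents: {file name: rule file text}; constructed sample data here.
    """
    seen = defaultdict(list)
    for name in load_order:
        for line_no, line in enumerate(contents[name].splitlines(), start=1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # skip blanks and commented-out rules
            m = SID_RE.search(line)
            if m:
                seen[int(m.group(1))].append((name, line_no))
    return {sid: locs for sid, locs in seen.items() if len(locs) > 1}

# Constructed sample: local.rules is assumed to be listed in the yaml already.
RULES = {
    "local.rules": 'alert http any any -> $EXTERNAL_NET any (msg:"hit baidu.com...";'
                   'content:"baidu"; reference:url, www.baidu.com; sid:2229998; rev:2;)\n',
    "suricata.rules": '# alert tcp any any -> any any (msg:"disabled"; sid:2229998; rev:1;)\n'
                      'alert tcp any any -> any any (msg:"constructed"; sid:1000001; rev:1;)\n',
}
YAML_RULE_FILES = ["suricata.rules", "local.rules"]  # assumed yaml rule-files list

if __name__ == "__main__":
    for label, kw in (("-s", {"extra": "local.rules"}), ("-S", {"exclusive": "local.rules"})):
        order = effective_rule_files(YAML_RULE_FILES, **kw)
        print(label, order, find_duplicate_sids(order, RULES))
```

With the constructed data, the `-s` case reports sid 2229998 twice at local.rules line 1, and the `-S` case reports nothing.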
Updated by Peter Manev over 4 years ago
OK, I am not sure I understood.
I think you should have no duplicate errs if you start Suricata with either of the commands below:
suricata.exe -c suricata.yaml -S D:\suricata\rules\local.rules -i 192.168.0.105
or
suricata.exe -c suricata.yaml -i 192.168.0.105
Is that the case?
Updated by Fox Edogawa over 4 years ago
Yes, I used the second one. And it works. But the fast.log sometimes doesn’t have output. Is that normal?
By the way, I got a warning about NIC offloading. I am wondering whether it will cause any problem.
Updated by Peter Manev over 4 years ago
It is not clear to me from that msg (NIC ERR offloading) if it managed successfully to disable offload or not, to be honest.
I recommend checking out eve.json, not fast.log.
Sometimes it is normal to not have alerts - for example, if you don't use the box that you are sniffing on.
Updated by Andreas Herz about 4 years ago
Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs