[Oisf-users] duplicate signature

Vieri rentorbuy at yahoo.com
Wed Feb 22 11:51:12 UTC 2017


Hi,

I'd like to know why Suricata reports a duplicate signature below.

22/2/2017 -- 12:42:15 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:"obnoxious GeoIP block"; geoip:src,!US,CA,EU,ES,PT,FR,DE,GB,IT,BE; sid:5000001; rev:1;)"
22/2/2017 -- 12:42:15 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:"obnoxious GeoIP block"; geoip:src,!US,CA,EU,ES,PT,FR,DE,GB,IT,BE; sid:5000001; rev:1;)" from file /etc/suricata/rules/local.rules at line 1

# grep 5000001 /etc/suricata/rules/*
/etc/suricata/rules/local.rules:drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:"obnoxious GeoIP block"; geoip:src,!US,CA,EU,ES,PT,FR,DE,GB,IT,BE; sid:5000001; rev:1;)

# tail -f /var/log/suricata/eve.json
{"timestamp":"2017-02-22T12:44:18.144273+0100","flow_id":1024566488085393,"event_type":"drop","src_ip":"178.159.112.175","src_port":62533,"dest_ip":"10.215.246.24","dest_port":3389,"proto":"TCP","drop":{"len":52,"tos":0,"ttl":113,"ipid":15721,"tcpseq":3986980938,"tcpack":0,"tcpwin":8192,"syn":true,"ack":false,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":5000001,"rev":1,"signature":"obnoxious GeoIP block","category":"","severity":3}}

# geoiplookup 178.159.112.175
GeoIP Country Edition: UA, Ukraine
GeoIP City Edition, Rev 1: UA, 11, Krym, Simferopol, N/A, 44.957199, 34.110802, 0, 0
GeoIP ASNum Edition: AS48330 FOP Sinev Maksim Viktorovich

# suricata -V
This is Suricata version 3.2.1 RELEASE

So the signature seems to be in use, despite the error messages.

I'd still like to know how I can get rid of these error messages.

Thanks,

Vieri
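A check for where the duplicate comes from, added here as an example and not part of the thread: it walks rule files in the order they would be loaded and reports every sid defined more than once, whether in two files, twice in one file, or because the same file is listed twice in the load order (one possible scenario, assumed here, not something the thread confirms). The rule texts and paths below are constructed.

```python
import re
from collections import defaultdict

# Suricata rule options are "key:value;" pairs inside the parentheses.
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')


def iter_rules(text):
    """Yield (lineno, rule) for active rules; blank and '#' lines are skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        yield lineno, stripped


def find_duplicate_sids(rule_files):
    """rule_files: list of (path, text) in load order.
    Returns {sid: [(path, lineno, rev), ...]} for every sid seen more than once."""
    seen = defaultdict(list)
    for path, text in rule_files:
        for lineno, rule in iter_rules(text):
            sid = SID_RE.search(rule)
            if not sid:
                continue
            rev = REV_RE.search(rule)
            seen[int(sid.group(1))].append(
                (path, lineno, int(rev.group(1)) if rev else None))
    return {sid: locs for sid, locs in seen.items() if len(locs) > 1}


# Constructed sample input: the rule from the thread plus a commented-out
# copy that Suricata would ignore, and a second, unrelated rule file.
LOCAL_RULES = (
    'drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:"obnoxious GeoIP block"; '
    'geoip:src,!US,CA,EU,ES,PT,FR,DE,GB,IT,BE; sid:5000001; rev:1;)\n'
    '# alert tcp any any -> any any (msg:"disabled copy"; sid:5000001; rev:2;)\n'
)
OTHER_RULES = ('alert tcp any any -> $HOME_NET 3389 '
               '(msg:"constructed rdp rule"; sid:5000002; rev:1;)\n')

# Constructed load order in which local.rules appears twice.
SAMPLE_RULE_FILES = [
    ("/etc/suricata/rules/local.rules", LOCAL_RULES),
    ("/etc/suricata/rules/other.rules", OTHER_RULES),
    ("/etc/suricata/rules/local.rules", LOCAL_RULES),
]

if __name__ == "__main__":
    for sid, locs in find_duplicate_sids(SAMPLE_RULE_FILES).items():
        print(f"sid {sid} defined {len(locs)} times:")
        for path, lineno, rev in locs:
            print(f"  {path}:{lineno} (rev {rev})")
```

To run it against a live system, replace SAMPLE_RULE_FILES with the paths from the rule-files list in suricata.yaml read in that order.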

