[Oisf-users] duplicate signature
Vieri
rentorbuy at yahoo.com
Wed Feb 22 12:45:11 UTC 2017
----- Original Message -----
From: David Wharton <oisf at davidwharton.us>
>
> Usually this happens when you have multiple signatures with the same
> sid. Where else are you loading rules from? Try grepping all the rules
> files that Suricata is loading.
I already searched for an identical SID in the rules dir:
# grep 5000001 /etc/suricata/rules/*
/etc/suricata/rules/local.rules:drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:"obnoxious GeoIP block"; geoip:src,!US,CA,EU,ES,PT,FR,DE,GB,IT,BE; sid:5000001; rev:1;)
No duplicates there.
Suricata takes its rules from /etc/suricata/rules/*.rules only.
I tried increasing -vvvvvv but I'm not getting useful information. It would come in handy to know which are the duplicate SIDs, if any, or what is really triggering SC_ERR_DUPLICATE_SIG.
What else do you suggest I grep for in the rules files?
Vieri
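
Added example, not part of the original message or of Suricata: one way to run the search suggested in the thread over every loaded rules file at once, listing each sid carried by more than one active rule. The function name `find_dup_sids` and the sample rules are constructed for illustration, and the script assumes one rule per line with disabled rules starting with `#`.

```shell
#!/bin/sh
# Added example: list every sid that appears in more than one active rule.
# Assumes one rule per line; lines starting with "#" count as disabled.

find_dup_sids() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        match($0, /[(; \t]sid:[ \t]*[0-9]+/) {       # the sid option of a rule
            sid = substr($0, RSTART, RLENGTH)
            gsub(/[^0-9]/, "", sid)                  # keep only the number
            count[sid]++
            where[sid] = where[sid] " " FILENAME ":" FNR
        }
        END {
            for (sid in count)
                if (count[sid] > 1)
                    print sid where[sid]             # sid file:line file:line ...
        }
    ' "$@" | sort -n
}

# Constructed sample: two small rule files that share sid 5000001.
demo_dup_sids() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/local.rules" <<'EOF'
drop ip any any -> any any (msg:"constructed rule A"; sid:5000001; rev:1;)
# alert ip any any -> any any (msg:"disabled"; sid:5000001; rev:1;)
EOF
    cat > "$dir/extra.rules" <<'EOF'
alert ip any any -> any any (msg:"constructed rule B"; sid:5000001; rev:2;)
alert ip any any -> any any (msg:"constructed rule C"; sid:5000002; rev:1;)
EOF
    find_dup_sids "$dir"/*.rules
    rm -rf "$dir"
}

demo_dup_sids
```

Run it as `find_dup_sids /etc/suricata/rules/*.rules`; a file passed twice is reported as the same file:line twice.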