[Oisf-users] duplicate signature

Vieri rentorbuy at yahoo.com
Wed Feb 22 12:45:11 UTC 2017

----- Original Message -----
From: David Wharton <oisf at davidwharton.us>
> Usually this happens when you have multiple signatures with the same
> sid.  Where else are you loading rules from?  Try grepping all the rules

> files that Suricata is loading.

I already searched for an identical SID in the rules dir:

# grep 5000001 /etc/suricata/rules/*
/etc/suricata/rules/local.rules:drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:"obnoxious GeoIP block"; geoip:src,!US,CA,EU,ES,PT,FR,DE,GB,IT,BE; sid:5000001; rev:1;)

No duplicates there.

Suricata takes its rules from /etc/suricata/rules/*.rules only.

I tried increasing -vvvvvv but I'm not getting useful information. It would come in handy to know which are the duplicate SIDs, if any, or what is really triggering SC_ERR_DUPLICATE_SIG.

What else do you suggest I grep for in the rules files?


More information about the Oisf-users mailing list