[Oisf-users] duplicate signature
Victor Julien
lists at inliniac.net
Wed Feb 22 12:46:58 UTC 2017
On 22-02-17 13:45, Vieri wrote:
>
> ----- Original Message -----
> From: David Wharton <oisf at davidwharton.us>
>>
>> Usually this happens when you have multiple signatures with the same
>> sid. Where else are you loading rules from? Try grepping all the rules
>> files that Suricata is loading.
>
> I already searched for an identical SID in the rules dir:
>
> # grep 5000001 /etc/suricata/rules/*
> /etc/suricata/rules/local.rules:drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:"obnoxious GeoIP block"; geoip:src,!US,CA,EU,ES,PT,FR,DE,GB,IT,BE; sid:5000001; rev:1;)
>
> No duplicates there.
>
> Suricata takes its rules from /etc/suricata/rules/*.rules only.
>
> I tried increasing -vvvvvv but I'm not getting useful information. It would come in handy to know which are the duplicate SIDs, if any, or what is really triggering SC_ERR_DUPLICATE_SIG.
>
> What else do you suggest I grep for in the rules files?
>
Could you be loading the same rule file twice?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
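
The two checks discussed in this thread (the same sid defined more than once, and the same rule file appearing twice in the load list) can be run together. The script below is an added example, not part of the original messages and not Suricata's own code; the function names are hypothetical, and it assumes one rule per line and a default gid of 1 when a rule sets none.

```python
import os
import re
import sys
from collections import defaultdict

# Match the sid/gid keywords as rule options, i.e. right after "(" or ";".
SID_RE = re.compile(r"[;(]\s*sid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"[;(]\s*gid\s*:\s*(\d+)\s*;")


def repeated_files(paths):
    """Return real paths that occur more than once in the load list."""
    counts = defaultdict(int)
    for p in paths:
        counts[os.path.realpath(p)] += 1  # resolves symlinks and ../ forms
    return sorted(p for p, n in counts.items() if n > 1)


def find_duplicate_sids(paths):
    """Map (gid, sid) -> ["file:line", ...] for ids defined more than once.

    Files are read in the order given, so a file listed twice counts twice.
    """
    seen = defaultdict(list)
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                rule = line.strip()
                if not rule or rule.startswith("#"):
                    continue  # blank line or commented-out rule
                sid = SID_RE.search(rule)
                if not sid:
                    continue
                gid = GID_RE.search(rule)
                key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
                seen[key].append(f"{path}:{lineno}")
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    files = sys.argv[1:]  # pass every rule file Suricata loads, in order
    for path in repeated_files(files):
        print(f"loaded more than once: {path}")
    for (gid, sid), where in sorted(find_duplicate_sids(files).items()):
        print(f"gid {gid} sid {sid}: {', '.join(where)}")
```

Pass it the full list of rule files Suricata is configured to load, including any entry that appears twice; a sid reported at the same file and line twice points to a file loaded twice rather than to two different rules.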