[Oisf-users] suricata-update - Found duplicate rule SID

Jeff Dyke jeff.dyke at gmail.com
Wed Oct 23 20:46:37 UTC 2019


After upgrading to Suricata 5, I started to get this error (Found duplicate rule SID) when running suricata-update, for a few hundred rules.

When I grep /var/lib/suricata I only see that it is in the cache, then in
suricata.rules:
$> grep 2522562 -r /var/lib/suricata
/var/lib/suricata/update/cache/75d428548318a4494b79d33285ab80cc-tor.rules:alert tcp [82.221.128.191,82.221.131.102,82.221.131.161,82.221.131.5,82.221.131.71,82.221.139.190,82.221.141.96,82.223.14.245,82.223.17.164,82.223.36.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 563"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522562; rev:3855; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2019_10_22;)
/var/lib/suricata/rules/suricata.rules:drop tcp [82.221.128.191,82.221.131.102,82.221.131.161,82.221.131.5,82.221.131.71,82.221.139.190,82.221.141.96,82.223.14.245,82.223.17.164,82.223.36.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 563"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522562; rev:3855; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2019_10_22;)

I see, in Python, where the error is coming from, but that's the easy part;
I'm not sure where the additional rule is. I tried to clear the cache,
not really thinking it would help. The majority of these are coming from
files that I apply a drop modification to (this one is TOR), in case that
helps. I do this with group:tor.rules.

Thanks for any pointers; it's not a huge deal since it's a warning, but I would
like to clean it up.

Jeff
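Added example (not part of the post above, and not suricata-update's own code): a small standalone scanner that indexes every rule across a set of rule files by (gid, sid) and reports the SIDs that occur more than once, together with the file, line, action, rev, and whether the copy is commented out. This is the check the question is really asking for: grep over /var/lib/suricata only shows the merged suricata.rules plus one cache file, whereas the duplicate warning comes from two entries in the sources being merged, so the scan has to look at every input file. The two sample files and their names are constructed for this example; the SID values are taken from the post. Disabled rules (lines starting with "#") are counted because suricata-update still parses them, and backslash line continuations are joined before matching.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Constructed sample input: two rule files as they might sit in the
# suricata-update cache. SID 2522562 appears in both, once enabled and once
# commented out; the other SIDs are unique. File names are made up.
SAMPLE_FILES = {
    "cache/aaaa-tor.rules": (
        'alert tcp [82.221.128.191,82.221.131.102] any -> $HOME_NET any '
        '(msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 563"; '
        'classtype:misc-attack; sid:2522562; rev:3855;)\n'
        'alert tcp $HOME_NET any -> any 9001 (msg:"example tor port"; \\\n'
        '    sid:2522999; rev:1;)\n'
    ),
    "cache/bbbb-emerging-all.rules": (
        '# alert tcp [82.221.128.191] any -> $HOME_NET any '
        '(msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 563"; '
        'classtype:misc-attack; sid:2522562; rev:3855;)\n'
        'alert http any any -> $HOME_NET any (msg:"unrelated"; sid:2000001; rev:2;)\n'
    ),
}

# A rule line starts with an optional "#" (disabled) and an action keyword.
RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?"
    r"(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def iter_logical_lines(text):
    """Yield (first_line_number, joined_text), honouring '\\' continuations."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # dangling continuation at end of file
        yield start, " ".join(buf)


def index_rules(files):
    """Map (gid, sid) -> list of occurrences across all given files."""
    seen = defaultdict(list)
    for path, text in files.items():
        for lineno, line in iter_logical_lines(text):
            m = RULE_RE.match(line)
            if not m:
                continue
            sid = SID_RE.search(line)
            if not sid:
                continue  # not a valid rule without a sid; skip
            gid = GID_RE.search(line)
            rev = REV_RE.search(line)
            key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
            seen[key].append({
                "file": path,
                "line": lineno,
                "action": m.group("action"),
                "disabled": bool(m.group("disabled")),
                "rev": int(rev.group(1)) if rev else 0,
            })
    return seen


def find_duplicates(files):
    """Return only the (gid, sid) keys that occur more than once."""
    return {k: v for k, v in index_rules(files).items() if len(v) > 1}


def report(dups):
    """Render duplicates as text, one header line per SID plus one per copy."""
    out = []
    for (gid, sid), occ in sorted(dups.items()):
        same_rev = len({o["rev"] for o in occ}) == 1
        out.append(f"sid {sid} (gid {gid}): {len(occ)} copies, "
                   f"{'identical rev' if same_rev else 'different revs'}")
        for o in occ:
            flag = "(disabled) " if o["disabled"] else ""
            out.append(f"  {o['file']}:{o['line']} {flag}{o['action']} rev {o['rev']}")
    return "\n".join(out)


def load_rule_dir(root):
    """Read every *.rules file under root (e.g. /var/lib/suricata/update/cache)."""
    return {str(p): p.read_text(errors="replace")
            for p in sorted(Path(root).rglob("*.rules"))}


if __name__ == "__main__":
    files = load_rule_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    print(report(find_duplicates(files)) or "no duplicate SIDs")
```

Run it with no arguments to see the constructed sample flagged, or point it at the suricata-update cache directory to list which source files contribute each duplicate SID; that tells you whether two configured sources ship the same rule, or whether a local rule file collides with a vendor one.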