[Oisf-users] suricata-update - duplicate rules

Jeff Dyke jeff.dyke at gmail.com
Tue Feb 11 22:31:19 UTC 2020

Hi all.  Just a pesky ton of warnings here, but it makes it very hard to see
the outcome of my rules updates.

It seems nearly all TOR endpoint rules are repeated in a couple files:
zgrep "sid:2522724" /var/lib/suricata/update/cache/*

file (standard input) matches
file (standard input) matches
any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node
Traffic group 725"; reference:url,
doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit,
track by_src, seconds 60, count 1; classtype:misc-attack;
flowbits:set,ET.TorIP; sid:2522724; rev:3969; metadata:affected_product
Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity
Audit, created_at 2008_12_01, updated_at 2020_02_10;)

This leads to a few thousand warning messages saying it's either keeping the
first rule, or the one with the higher revision.

I don't have any strict rule that says to download tor.rules and it's not in
index.yaml, but I do want it. This has been going on for a few months, but I
ran into another issue today (now fixed) and wanted to revisit this.  In
drop.conf I have a group:tor.rules, so the entire set will be dropped.

I have tried completely clearing the cache, including index.yaml, but the
issue persists.  I have extracted the tar file to make sure it was not a
grep mistake and indeed there is a tor.rules file in the tar.gz.

Any thoughts would be welcome.
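The duplicate-sid situation the post describes can be audited directly from the suricata-update cache instead of reading thousands of warnings. The script below is an added example, not code from the post and not part of suricata-update; it parses the sid/rev options out of every rule, groups them by sid across files, and reports which copy would be kept using the rule the post quotes from the warnings (highest rev wins, first seen wins a tie). The cache path, the `load_cache` helper (which reads plain .rules files and .rules members inside .tar.gz archives) and the sample rule text in `SAMPLE_FILES` are assumptions constructed for the example; only sid 2522724 and its message text come from the post.

```python
import re
import tarfile
from pathlib import Path

# sid/rev are integer options terminated by ';' inside the rule body.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Yield (sid, rev) for every enabled rule line in a rules file body.
    Blank and commented-out ('#') lines are skipped; a rule with no rev option
    is treated as rev 0 so it always loses to a revised copy."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        rev = REV_RE.search(line)
        yield int(sid.group(1)), int(rev.group(1)) if rev else 0


def find_duplicate_sids(files):
    """files: mapping of file name -> rules text (insertion order matters).
    Returns {sid: {"seen": [(file, rev), ...], "kept": (file, rev)}} for every
    sid that appears more than once. 'kept' follows the behaviour the warnings
    describe: the copy with the highest rev wins, the first seen wins a tie."""
    seen = {}
    for name, text in files.items():
        for sid, rev in parse_rules(text):
            seen.setdefault(sid, []).append((name, rev))
    dups = {}
    for sid, entries in seen.items():
        if len(entries) < 2:
            continue
        kept = entries[0]
        for entry in entries[1:]:
            if entry[1] > kept[1]:
                kept = entry
        dups[sid] = {"seen": entries, "kept": kept}
    return dups


def load_cache(cache_dir):
    """Assumed helper: read .rules files under a suricata-update cache directory,
    both loose files and .rules members inside .tar.gz ruleset archives."""
    files = {}
    for path in sorted(Path(cache_dir).rglob("*")):
        if not path.is_file():
            continue
        if path.name.endswith((".tar.gz", ".tgz")):
            with tarfile.open(path, "r:gz") as tar:
                for member in tar.getmembers():
                    if member.isfile() and member.name.endswith(".rules"):
                        data = tar.extractfile(member).read()
                        files[f"{path}:{member.name}"] = data.decode("utf-8", "replace")
        elif path.suffix == ".rules":
            files[str(path)] = path.read_text(encoding="utf-8", errors="replace")
    return files


def report(dups):
    """Render one line per duplicated sid, e.g. for a cron job or a quick diff."""
    lines = []
    for sid in sorted(dups):
        seen = ", ".join(f"{name} rev:{rev}" for name, rev in dups[sid]["seen"])
        kept_name, kept_rev = dups[sid]["kept"]
        lines.append(f"sid:{sid} seen in [{seen}] -> keeping {kept_name} rev:{kept_rev}")
    return lines


# Constructed sample data: the same TOR sid shipped in two files with different revs,
# plus one rule that is not duplicated. Addresses use the 192.0.2.0/24 documentation range.
SAMPLE_FILES = {
    "emerging-all.rules": (
        'alert ip [192.0.2.10] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router '
        '(Not Exit) Node Traffic group 725"; classtype:misc-attack; sid:2522724; rev:3969;)\n'
        'alert tcp $HOME_NET any -> any 80 (msg:"constructed unique rule"; sid:2100498; rev:7;)\n'
    ),
    "tor.rules": (
        '# alert ip [192.0.2.11] any -> $HOME_NET any (msg:"disabled copy"; sid:2100498; rev:8;)\n'
        'alert ip [192.0.2.10] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router '
        '(Not Exit) Node Traffic group 725"; classtype:misc-attack; sid:2522724; rev:3968;)\n'
    ),
}

if __name__ == "__main__":
    # Replace SAMPLE_FILES with load_cache("/var/lib/suricata/update/cache") to audit a real cache.
    for line in report(find_duplicate_sids(SAMPLE_FILES)):
        print(line)
```

Run against the real cache, the output tells you in one line per sid which files carry the same signature, which is the first thing to check before deciding whether a ruleset URL or the index is pulling tor.rules in twice.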