[Oisf-users] suricata-update - duplicate rules

Jeff Dyke jeff.dyke at gmail.com
Tue Feb 11 22:31:19 UTC 2020


Hi all.  just a pesky ton of warnings here, but makes it very hard to see
the outcome of my rules updates.

It seems nearly all TOR endpoint rules are repeated in a couple of files:

zgrep "sid:2522724" /var/lib/suricata/update/cache/*

/var/lib/suricata/update/cache/1168f1cf2d4676c8d507bbb6ea3b2078-emerging.rules.tar.gz:Binary file (standard input) matches
/var/lib/suricata/update/cache/516fa5b7fcd8f6763fc790bd541e2083-emerging.rules.tar.gz:Binary file (standard input) matches
/var/lib/suricata/update/cache/75d428548318a4494b79d33285ab80cc-tor.rules:alert tcp [95.216.14.222,95.216.144.113,95.216.145.127,95.216.146.117,95.216.149.161,95.216.154.135,95.216.159.70,95.216.160.102,95.216.164.6,95.216.168.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 725"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522724; rev:3969; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_02_10;)

This leads to a few thousand warning messages saying it's either keeping the
first rule, or the one with the higher revision.

I don't have any strict rule that says to download tor.rules and it's not in
index.yaml, but I do want it. This has been going on for a few months, but I
ran into another issue today (now fixed) and wanted to revisit this.  In
drop.conf I have a group:tor.rules, so the entire set will be dropped.

I have tried completely clearing the cache, including index.yaml, but the
issue persists.  I have extracted the tar file to make sure it was not a
grep mistake and indeed there is a tor.rules file in the tar.gz.

Any thoughts would be welcome.
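As an added diagnostic (not part of the original post and not part of suricata-update itself), the script below walks a suricata-update cache directory like the one above, parses every .rules file and every .rules member inside the emerging.rules.tar.gz bundles, and reports each sid that appears in more than one source together with the rev each source ships. The cache path, the helper names and the sample rule text are assumptions made for this example.

```python
import re
import tarfile
from collections import defaultdict
from pathlib import Path
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
def parse_rules(text):
    """Return {sid: rev} for every uncommented rule line; rev defaults to 0."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            r = REV_RE.search(line)
            rules[int(m.group(1))] = int(r.group(1)) if r else 0
    return rules

def load_source(path):
    """Yield (name, text) for a .rules file or for each .rules member of a tarball."""
    path = Path(path)
    if path.suffix == ".rules":
        yield path.name, path.read_text(encoding="utf-8", errors="replace")
    elif tarfile.is_tarfile(str(path)):
        with tarfile.open(str(path)) as tar:
            for m in tar.getmembers():
                if m.isfile() and m.name.endswith(".rules"):
                    yield f"{path.name}:{m.name}", tar.extractfile(m).read().decode("utf-8", "replace")

def find_duplicates(sources):
    """sources: iterable of (name, {sid: rev}); returns {sid: [(name, rev), ...]} for sids seen twice+."""
    seen = defaultdict(list)
    for name, rules in sources:
        for sid, rev in rules.items():
            seen[sid].append((name, rev))
    return {sid: hits for sid, hits in seen.items() if len(hits) > 1}

def scan_cache(cache_dir):
    """Report duplicate sids across every file in a suricata-update cache directory (assumed layout)."""
    files = (p for p in sorted(Path(cache_dir).iterdir()) if p.is_file())
    return find_duplicates((n, parse_rules(t)) for p in files for n, t in load_source(p))
# Constructed sample: the same sid shipped by two sources at different revisions.
SAMPLE_TOR = 'alert tcp [95.216.14.222] any -> $HOME_NET any (msg:"ET TOR group 725"; sid:2522724; rev:3969;)\n'
SAMPLE_EMERGING = ("# header comment\n" + SAMPLE_TOR.replace("rev:3969", "rev:3968")
                   + 'alert tcp any any -> any any (msg:"only here"; sid:2000001; rev:1;)\n')

if __name__ == "__main__":
    for sid, hits in scan_cache("/var/lib/suricata/update/cache").items():
        print(sid, hits)
```

Each reported entry shows which cached source (standalone tor.rules versus the tor.rules member inside the bundle) contributes the colliding sid, which is the information the "keeping the first rule / higher revision" warnings do not spell out.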

