Bug #173: new request for detecting duplicate sig on suricata - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #173

closed

new request for detecting duplicate sig on suricata

Added by rmkml rmkml over 14 years ago. Updated over 14 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Anoop Saldanha

Target version:

1.0.0

Affected Versions:

Effort:

Difficulty:

Label:

Description

Hi,
If possible, could you add detecting for duplicate sig please?
for example, if I add two file contains same sig, like:
...
- snmp.rules
...
- snmp.rules
...
actually, all sigs in theses files (snmp.rules) generating two alerts...
(Im discover this by error in my test conf)
Maybe it's a good idea for detecting this.
Tested on suricata today git (79443b1991840930ded4b8f09ba6de7b000912d9).
Regards
Rmkml

Files

Download all files

0001-in-case-of-duplicate-signatures-use-the-one-with-the.patch (15.4 KB) 0001-in-case-of-duplicate-signatures-use-the-one-with-the.patch		Anoop Saldanha, 06/22/2010 02:39 AM
0001-in-case-of-duplicate-signatures-used-the-one-with-th.patch (18.7 KB) 0001-in-case-of-duplicate-signatures-used-the-one-with-th.patch		Anoop Saldanha, 06/25/2010 06:33 AM

Actions

Copy link

Updated by Victor Julien over 14 years ago

Due date set to 06/21/2010
Status changed from New to Assigned
Assignee set to Anoop Saldanha
Target version set to 0.9.3
Estimated time set to 4.00 h

Anoop, can you filter out the dub sigs in the signature ordering process? The sig with the highest rev should be used.

Actions

Copy link

Updated by Anoop Saldanha over 14 years ago

Victor Julien wrote:

Anoop, can you filter out the dub sigs in the signature ordering process? The sig with the highest rev should be used.

ya, cool!

Actions

Copy link

Updated by Anoop Saldanha over 14 years ago

File 0001-in-case-of-duplicate-signatures-use-the-one-with-the.patch 0001-in-case-of-duplicate-signatures-use-the-one-with-the.patch added

patch attached against bb9c5ef32f8e8719763678db022064f5f717b1c2

Actions

Copy link

Updated by Victor Julien over 14 years ago

Due date changed from 06/21/2010 to 06/27/2010
Target version changed from 0.9.3 to 1.0.0
% Done changed from 0 to 50
Estimated time changed from 4.00 h to 7.00 h

Thanks Anoop. I'd like to see one change. I want all the duplicate checking logic to be hidden from the normal signature initialization code, especially from DetectEngineAppendSig. In that function I'd like to see just a check like "if (SignatureIsDuplicate(s) == TRUE) { goto free_sig; }". The gory details of the SigWrapper, hash table, etc. can then be hidden all behind that call.

Actions

Copy link