Bug #2372

closed

Non-deterministic behavior when encountering duplicated SIDs

Added by Nick Price about 7 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Long story short, because suricata-update reads commented-out rules in addition to normal rules, things get really weird if you have one .rules file with a SID commented out and a separate .rules file without it commented out, and doubly so if you're trying to threshold those rules using threshold.in.

I was doing this as a way to enable rules that were commented-out by default in rulesets that I downloaded, rather than by modifying the files each time they were pulled down.

We should probably fire off a warning or something if suricata-update encounters a SID that it thinks it already knows about.
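The warning suggested above can be sketched as a standalone check. This is an added example, not suricata-update's own code and not part of the original report. The rule-line regex is a simplified assumption, and the file names, SIDs and rule bodies are constructed sample input.

```python
import re
from collections import defaultdict

# Simplified matcher (assumption): an optional leading '#', a rule action, then "sid:<n>;".
RULE_RE = re.compile(
    r"^\s*(?P<off>#+)?\s*(?P<action>alert|drop|pass|reject\w*)\s.*?\bsid\s*:\s*(?P<sid>\d+)\s*;",
    re.IGNORECASE,
)

# Constructed sample input: one SID commented out in a downloaded file
# and enabled in a separate local file, as described in the report.
SAMPLE_FILES = {
    "downloaded.rules": (
        '# alert tcp any any -> any 80 (msg:"constructed rule A"; sid:1000001; rev:1;)\n'
        'alert tcp any any -> any 443 (msg:"constructed rule B"; sid:1000002; rev:1;)\n'
    ),
    "local-enable.rules": (
        'alert tcp any any -> any 80 (msg:"constructed rule A"; sid:1000001; rev:1;)\n'
    ),
}

def index_rules(files):
    """Map each SID to [(filename, line number, enabled)], counting commented-out rules too."""
    seen = defaultdict(list)
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = RULE_RE.match(line)
            if m:
                seen[int(m.group("sid"))].append((name, lineno, m.group("off") is None))
    return seen

def duplicate_warnings(files):
    """Return (sid, kind, locations) for every SID that appears more than once."""
    warnings = []
    for sid, hits in sorted(index_rules(files).items()):
        if len(hits) < 2:
            continue
        states = {enabled for _, _, enabled in hits}
        kind = "conflicting enabled/disabled state" if len(states) == 2 else "duplicate"
        where = ", ".join(
            f"{n}:{l} ({'enabled' if e else 'commented out'})" for n, l, e in hits
        )
        warnings.append((sid, kind, where))
    return warnings

if __name__ == "__main__":
    for sid, kind, where in duplicate_warnings(SAMPLE_FILES):
        print(f"WARNING: SID {sid} seen more than once ({kind}): {where}")
```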
