Project

General

Profile

Actions

Bug #252

closed

no proper error for sigs with duplicate sid's

Added by Victor Julien about 14 years ago. Updated almost 14 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

It kicks one of the sigs out with a generic parsing error:

[17367] 14/12/2010 -- 18:45:05 - (detect.c:526) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2008124; rev:2;)" from file 2008124.rule at line 3

2 problems:
1. it's not a parsing error
2. it doesn't give any useful info on why the sig is rejected.


Files

Actions

Also available in: Atom PDF