Duplicate signature and error parsing signature errors

I am trying to create a rule in my OS Ubuntu 22.04 and Suricata 7.0.6.
Here is my rule /var/lib/suricata/rules/CommandInjection.rules

alert http any any -> any any (msg:"Possible Command Injection Detected";flow:established, to_server;content:"chmod 777"; http_uri;classtype:trojan-activity;sid:1000002;rev:1;)

and here is /etc/suricata/suricata.yaml

default-rule-path: /var/lib/suricata/rules

rule-files:
  #- suricata.rules
  - CommandInjection.rules

I am running this command

suricata -r /etc/suricata/tdp/TDP_exploit_CVETEST.pcap -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/CommandInjection.rules

I got the following errors

i: suricata: This is Suricata version 7.0.6 RELEASE running in USER mode
E: detect-parse: Duplicate signature "alert http any any -> any any (msg:"Possible Command Injection Detected";flow:established, to_server;content:"chmod 777"; http_uri;classtype:trojan-activity;sid:1000002;rev:1;)"
E: detect: error parsing signature "alert http any any -> any any (msg:"Possible Command Injection Detected";flow:established, to_server;content:"chmod 777"; http_uri;classtype:trojan-activity;sid:1000002;rev:1;)" from file /var/lib/suricata/rules/CommandInjection.rules at line 1
i: threads: Threads created -> RX: 1 W: 4 FM: 1 FR: 1   Engine started.
i: suricata: Signal Received.  Stopping engine.
i: pcap: read 1 file, 12 packets, 5056 bytes

I looked here, which seems to be the same issue that I am having, and tried to correct it following the suggestions, but I am still getting the same error.

My questions are as follows:

  1. How do I remove the duplicate signature error?
  2. How do I fix the parsing signature error?

If you already list CommandInjection.rules in your suricata.yaml you don’t need to specify it with -s a second time. I presume that’s the reason for your issue – you’re trying to load the same rule set twice, which triggers the duplicate rule alert.
The “parse error” is just how Suricata classifies the error; fixing the above should also remove that line from your output.

1 Like

The error is removed in my output. Thank you!!! ʕ•̀ω•́ʔ✧

I have another question: can the content in the rules file not contain spaces?
If I use the following rule,

alert http any any -> any any (
  msg:"Possible Command Injection Detected";
  flow:established, to_server;
  content:"nohup"; http_uri;
  classtype:trojan-activity;
  sid:1000002;
  rev:1;)

I can see the alert in fast.log.
07/23/2024-03:29:39.532840 [**] [1:1000002:1] Possible Command Injection Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.224.128.83:60458 -> 218.97.47.146:80

If I add " " to my .yaml, there is no output in fast.log.

alert http any any -> any any (
  msg:"Possible Command Injection Detected";
  flow:established, to_server;
  content:"nohup wget"; http_uri;
  classtype:trojan-activity;
  sid:1000002;
  rev:1;)

Try using byte notation for your content keywords, e.g. a space would be |20|.
Can you try content: "nohup|20|wget"?

Also, since you’re looking at http_uri maybe your space was URL-encoded and should be %20? Take a look at what actually is on the wire.

1 Like
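The two problems raised in this thread (the same rule file loaded through both rule-files and -s, producing a duplicate signature, and a content keyword holding a raw space) can both be caught before Suricata is started. The script below is an added example written for this page, not code from the thread or from the Suricata project. It assumes its own simple conventions: a logical rule ends at a line ending with ")" (matching the multi-line layout shown above, not Suricata's real loader), and the sid/content regexes cover the syntax used in these rules rather than the full rule grammar. The sample rules embedded in it are constructed from the ones posted in the thread.

```python
import re
from collections import Counter

# Constructed sample input modelled on the thread: the single-line rule loaded
# once via rule-files in suricata.yaml and again via -s, plus the multi-line
# rule whose content keyword contains a raw space.
RULES_FROM_YAML = (
    'alert http any any -> any any (msg:"Possible Command Injection Detected";'
    'flow:established, to_server;content:"chmod 777"; http_uri;'
    'classtype:trojan-activity;sid:1000002;rev:1;)\n'
)
RULES_FROM_DASH_S = RULES_FROM_YAML  # the same file handed to suricata -s

RULE_SPACED = """alert http any any -> any any (
  msg:"Possible Command Injection Detected";
  flow:established, to_server;
  content:"nohup wget"; http_uri;
  classtype:trojan-activity;
  sid:1000002;
  rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# content:"..." with optional negation; the value may contain |hex| groups.
# Assumption: this covers the rules in the thread, not Suricata's full grammar.
CONTENT_RE = re.compile(r'content\s*:\s*(!?\s*)"((?:[^"\\]|\\.)*)"')


def load_rules(text):
    """Join physical lines into logical rules, closing a rule at a line that
    ends with ')'. This is the script's own convention for the multi-line
    layout shown in the thread, not a reimplementation of Suricata's loader."""
    rules, buf = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        buf.append(stripped)
        if stripped.endswith(')'):
            rules.append(' '.join(buf))
            buf = []
    if buf:
        rules.append(' '.join(buf))
    return rules


def find_duplicate_sids(*sources):
    """Return SIDs that occur more than once across every source Suricata would
    load (rule-files entries plus anything passed with -s)."""
    counts = Counter()
    for text in sources:
        for rule in load_rules(text):
            m = SID_RE.search(rule)
            if m:
                counts[int(m.group(1))] += 1
    return sorted(sid for sid, n in counts.items() if n > 1)


def escape_spaces(value):
    """Rewrite raw spaces in a content value as |20| byte notation. Segments
    between '|' at odd positions are already hex and are left alone; adjacent
    hex groups are merged ('|20||20|' -> '|20 20|')."""
    parts = value.split('|')
    out = []
    for i, part in enumerate(parts):
        out.append('|' + part + '|' if i % 2 else part.replace(' ', '|20|'))
    return ''.join(out).replace('||', ' ')


def lint_rule(rule):
    """Report content values holding raw spaces and offer both the byte-notation
    form and the URL-encoded form (the latter matters when matching http_uri,
    where the space may be on the wire as %20)."""
    findings = []
    for m in CONTENT_RE.finditer(rule):
        value = m.group(2)
        literal = ''.join(p for i, p in enumerate(value.split('|')) if i % 2 == 0)
        if ' ' in literal:
            findings.append({
                'content': value,
                'byte_notation': escape_spaces(value),
                'url_encoded': value.replace(' ', '%20'),
            })
    return findings


def fix_rule(rule):
    """Return the rule with every content value converted to byte notation."""
    return CONTENT_RE.sub(
        lambda m: 'content:%s"%s"' % (m.group(1).strip(), escape_spaces(m.group(2))),
        rule,
    )


if __name__ == '__main__':
    print('duplicate sids:', find_duplicate_sids(RULES_FROM_YAML, RULES_FROM_DASH_S))
    for rule in load_rules(RULE_SPACED):
        for f in lint_rule(rule):
            print('raw space in content:%r -> %s (or %s if the URI is URL-encoded)'
                  % (f['content'], f['byte_notation'], f['url_encoded']))
        print(fix_rule(rule))
```

Run it against the real files by reading each rule-files entry and the -s argument into the sources passed to find_duplicate_sids; a non-empty result is the same condition Suricata reports as "Duplicate signature". Whether to use |20| or %20 for an http_uri match still depends on what the client actually sent, which is the check the answer above asks for.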