Fix Duplicate signature and error parsing signature errors

I am trying to create custom rules on my VB OS (Ubuntu 22.04) with Suricata 6.0.9.

Here is my cat /etc/suricata/rules/testAttempt.rules:

#alert dns $HOME_NET any -> $EXTERNAL_NET 53 (msg: "PayPal phishing is possibly detected ..."; dns_query; content:"paypal.com"; nocase; isdataat:1,relative; sid:1000001; rev:1;)

#alert dns $HOME_NET any -> $EXTERNAL_NET 53 (msg: "PayPal phishing is possibly detected ..."; dns_query; content:"paypal.com"; nocase; isdataat:1,relative; sid:1000002; rev:1;)


#alert dns any any -> any any (msg:"DNS LOOKUP for put my dnsName.com"; dns.query; content:"www.bing.com"; nocase; sid:1000003;)

alert dns any any -> any any (msg:"DNS Lookup for www.bing.com with update"; dns.query; content:"www.bing.com"; nocase; sid:1000004; rev:2;)


And here is my cat /etc/suricata/suricata.yaml:

#default-rule-path: /var/lib/suricata/rules
default-rule-path: /var/lib/suricata/rules


rule-files:
  - suricata.rules
  - /etc/suricata/rules/testAttempt.rules

When I run this command I get the following errors: suricata -r ~/Downloads/path/to.pcap -s /etc/suricata/rules/testAttempt.rules -k none

 <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert dns any any -> any any (msg:"DNS Lookup for www.bing.com with update"; dns.query; content:"www.bing.com"; nocase; sid:1000004; rev:2;)"

10/2/2023 -- 04:55:40 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"DNS Lookup for www.bing.com with update"; dns.query; content:"www.bing.com"; nocase; sid:1000004; rev:2;)" from file /etc/suricata/rules/testAttempt.rules at line 11

I am using the pcap from here: workshop-part-05-04.pcap

I looked here, which seems to be the same issue that I am having, and tried to correct it following the suggestions, but I am still getting the same error.

My questions are as follows:

1 - How do I get rid of the duplicate signature error?

I tried to comment out / change the uid and the rev, but I am still getting this error.

2 - How do I fix the parsing signature error?

Hi,

I believe you may be able to resolve this simply by running suricata -r ~/Downloads/path/to.pcap -S /etc/suricata/rules/testAttempt.rules -k none

The difference as described in the man page:

   -s <filename.rules>
          With the -s option you can set a file with signatures, which will be loaded
          together with the rules set in the yaml.

          It is possible to use globbing when specifying rules files.  For example,  -s
          '/path/to/rules/*.rules'

   -S <filename.rules>
          With the -S option you can set a file with signatures, which will be loaded
          exclusively, regardless of the rules set in the yaml.

          It is possible to use globbing when specifying rules files.  For example,  -S
          '/path/to/rules/*.rules'

So, I do not know if you noticed, but I do have a -s in my line. I have tried it with a capital -S as you suggested, but it is still the same issue. Though in the fast.log, alerts are showing for some of the rules.

Can you share your Suricata configuration file?

Can you share /etc/suricata/rules/testAttempt.rules?

Suricata determines rules are identical if the identifier (sid) and generator id (gid) are the same.
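The two points above (-s loads a file on top of the yaml rule-files, and a rule is a duplicate when its gid:sid pair is already loaded) can be checked before starting Suricata. The script below is an added example, not code from the thread or from the Suricata project; the rule files it writes into a temp directory are constructed for the demo, and passing testAttempt.rules twice models a file that is both listed under rule-files in suricata.yaml and passed with -s.

```shell
# Report every gid:sid pair that would be loaded more than once from the
# given rule files, ignoring commented-out rules. A rule with no explicit
# gid keyword gets gid 1, which is Suricata's default generator id.
find_dup_sids() {
    for f in "$@"; do
        # Trim leading whitespace, drop blank and commented lines, then
        # pull the sid (and optional gid) out of each remaining rule.
        sed -e 's/^[[:space:]]*//' -e '/^$/d' -e '/^#/d' "$f" |
        awk -v file="$f" '
            {
                sid = ""; gid = "1"
                if (match($0, /sid: *[0-9]+/)) {
                    sid = substr($0, RSTART, RLENGTH); sub(/sid: */, "", sid)
                }
                if (match($0, /gid: *[0-9]+/)) {
                    gid = substr($0, RSTART, RLENGTH); sub(/gid: */, "", gid)
                }
                if (sid != "") print gid ":" sid, file
            }'
    done |
    awk '{ n[$1]++; from[$1] = from[$1] " " $2 }
         END { for (k in n) if (n[k] > 1) print k from[k] }' |
    sort
}

# Constructed demo: the same sid twice from one file loaded twice is a
# duplicate; the same sid under a different gid is not.
demo_duplicate_load() {
    dir=$(mktemp -d)
    cat > "$dir/testAttempt.rules" <<'EOF'
#alert dns any any -> any any (msg:"commented out, never loaded"; dns.query; content:"www.bing.com"; nocase; sid:1000003;)
alert dns any any -> any any (msg:"DNS Lookup for www.bing.com with update"; dns.query; content:"www.bing.com"; nocase; sid:1000004; rev:2;)
EOF
    cat > "$dir/other.rules" <<'EOF'
alert dns any any -> any any (msg:"same sid under another gid, not a duplicate"; dns.query; content:"example.com"; nocase; gid:2; sid:1000004; rev:1;)
EOF
    # testAttempt.rules twice = once via suricata.yaml rule-files, once via -s
    find_dup_sids "$dir/testAttempt.rules" "$dir/testAttempt.rules" "$dir/other.rules"
    rm -rf "$dir"
}

demo_duplicate_load
```

The only line printed is for 1:1000004, naming testAttempt.rules twice; to check a real setup, pass every file under rule-files plus the -s file, and an empty result means Suricata will not hit SC_ERR_DUPLICATE_SIG on load.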
