Duplicate/invalid rules

Started by planetf1, May 28, 2024, 08:03:42 PM

I have suricata IDS running under opnsense.

I currently have all the ET Telemetry (proofpoint) rules enabled, along with abuse.ch

In my log I see many signature warnings ie:

2024-05-23T16:10:05   Error   suricata   [100953] <Error> -- error parsing signature "alert dns $HOME_NET any -> any any (msg:"ET COINMINER Observed DNS Query to Browser Coinminer (crypto-loot[.]com)"; dns.query; content:"crypto-loot.com"; endswith; classtype:coin-mining; sid:2024828; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category COINMINER, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-coinminer.rules at line 62
2024-05-23T16:10:05   Error   suricata   [100953] <Error> -- Duplicate signature "alert dns $HOME_NET any -> any any (msg:"ET COINMINER Observed DNS Query to Browser Coinminer (crypto-loot[.]com)"; dns.query; content:"crypto-loot.com"; endswith; classtype:coin-mining; sid:2024828; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category COINMINER, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)"

There are 10,000s or more of these.

When I look on disk, I see that I do have 2 files with this sid in
* /usr/local/etc/suricata/opnsense.rules/emerging-coinminer.rules
* /usr/local/etc/suricata/rules/emerging-coinminer.rules

In suricata.yaml I see:

default-rule-path: /usr/local/etc/suricata/opnsense.rules

I'm not sure of the process here. I am guessing one copy is the raw download and the other may be after modifications? But if so, why are these errors being reported on suricata startup? I'd presume it would only look at the opnsense.rules directory?
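A quick way to confirm the situation described above, before touching any files, is to scan the rule directories for sids that occur more than once. The script below is an added example for this thread, not OPNsense or Suricata code; it reads rule files, extracts the sid option from every active rule, and reports any sid defined in more than one place. The sample rule text is constructed for the example (the sid 2024828 and the two file paths come from the log lines in the post; the second rule with sid 9000001 is made up), and the directory scan only reads files.

```python
"""Report sids that are defined more than once across Suricata rule files.

Added example for this thread (not OPNsense or Suricata code). It reproduces
the situation in the post: the same sid present in two rule files, which
Suricata reports as "Duplicate signature" at startup.
"""
import re
from collections import defaultdict
from pathlib import Path

# The sid option may sit anywhere in a rule's option block: "... sid:2024828; rev:5; ..."
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_sids(text):
    """Yield (line_number, sid) for every active rule in a rule file.

    Commented-out rules (leading '#') are skipped because Suricata does not
    load them, so they cannot cause a duplicate-signature error.
    """
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = SID_RE.search(stripped)
        if match:
            yield lineno, int(match.group(1))


def find_duplicate_sids(files):
    """files: mapping of file path -> file contents.

    Returns {sid: [(path, lineno), ...]} for every sid seen more than once.
    """
    seen = defaultdict(list)
    for path, text in files.items():
        for lineno, sid in rule_sids(text):
            seen[sid].append((path, lineno))
    return {sid: locs for sid, locs in seen.items() if len(locs) > 1}


def scan_directories(dirs, pattern="*.rules"):
    """Read every *.rules file under the given directories (read-only) and
    return the duplicate-sid report for all of them together."""
    files = {}
    for d in dirs:
        for p in sorted(Path(d).rglob(pattern)):
            files[str(p)] = p.read_text(errors="replace")
    return find_duplicate_sids(files)


# Constructed sample: the ET rule from the post present in both directories,
# one rule that appears only once, and one commented-out copy Suricata ignores.
RULE_2024828 = (
    'alert dns $HOME_NET any -> any any (msg:"ET COINMINER Observed DNS Query to '
    'Browser Coinminer (crypto-loot[.]com)"; dns.query; content:"crypto-loot.com"; '
    'endswith; classtype:coin-mining; sid:2024828; rev:5;)'
)
SAMPLE_FILES = {
    "/usr/local/etc/suricata/opnsense.rules/emerging-coinminer.rules":
        RULE_2024828 + "\n"
        'alert dns $HOME_NET any -> any any (msg:"constructed unique rule"; dns.query; '
        'content:"example.invalid"; sid:9000001; rev:1;)\n',
    "/usr/local/etc/suricata/rules/emerging-coinminer.rules":
        "# " + RULE_2024828 + "\n" + RULE_2024828 + "\n",
}


def sample_report():
    """Run the duplicate check over the constructed sample files."""
    return find_duplicate_sids(SAMPLE_FILES)


if __name__ == "__main__":
    # Against a live box you would call, for example:
    #   scan_directories(["/usr/local/etc/suricata/opnsense.rules"])
    for sid, locs in sorted(sample_report().items()):
        print(f"sid {sid} defined {len(locs)} times:")
        for path, lineno in locs:
            print(f"  {path}:{lineno}")
```

Running it over the sample prints only sid 2024828, once per directory, which is exactly the pair of files listed above. On a live system, pointing `scan_directories` at just the `default-rule-path` from suricata.yaml shows whether the duplicates are within the directory Suricata actually loads, or only between that directory and the raw download copy.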


The first line says it can't parse.
Sometimes it's an error in the rule, sometimes syntax, setup, language.
I first ran into this back when I was converting Snort ET rules to Suricata rules.
Can't run Snort rules on Suricata and vice versa.

Just so you know, I get them also.
I don't delete them.
I try and fix them.
I have fixed many.
Sometimes it's simple: syntax, punctuation.

Sorry you're having trouble.
OPNsense will set up your rules, done in proper order, no trouble.
One of the paths you gave is the rule directory, not sure about the other.
But it doesn't matter, as OPNsense will load correctly by default.
You should not have that trouble with duplicates, not sure how you got them.
Don't download them twice, it handles updates by default.

You didn't mention which version you are using.
Version 24 is running very smoothly.
I had a few problems with an earlier version, nothing serious.

I get these also in OPNsense and pfSense. The maintainer of Suricata in pfSense said that this is because some rules are designed for Snort, which may not be compatible with Suricata.

October 21, 2024, 10:03:27 PM #6 Last Edit: October 21, 2024, 10:09:46 PM by notspam
- clean install of 24.7
- update to 24.7.6
- install the whole plugins like suricata
- enable rules
- save
- download and install
- activate service as ips
- perhaps i press hours later the "download and install" button again

result:
- dozens of duplicate entries
- unstable IPS service

=> How can I fix this?
=> How is the misbehaviour fixed in future releases?

Thanks for your help and your hard work @ opnsense


This issue shows up when etpro-telemetry and os-intrusion-detection-content-et-open are both installed and the etpro sensor is switched to et_open because of connectivity issues.
So you have two different et-open sets.

See https://forum.opnsense.org/index.php?topic=45112.0