Author Topic: 24 7.6: ips error in configd.py  (Read 380 times)

notspam

24 7.6: ips error in configd.py
« on: October 20, 2024, 02:06:24 pm »
Hello all,
Does someone here know the solution for this behaviour?
After a while the IPS service is down.
In the event log I found:

Error   configd.py   Timeout (120) executing : ids list rulemetadata

After the IPS update check there is a traceback in log:

Error   configctl   error in configd communication Traceback (most recent call last): File "/usr/local/sbin/configctl", line 65, in exec_config_cmd line = sock.recv(65536).decode() ^^^^^^^^^^^^^^^^ TimeoutError: timed out

Starting the service manually brings ips back running.
Could someone give me a hint?
Thanks in advance.
________
Manual restart is working, but there is an event in the log:
Error   configd.py   [2043d2f8-7089-4509-bd8f-3920fc2e6bac] returned exit status 1
« Last Edit: October 20, 2024, 11:52:44 pm by notspam »
Logged

notspam

Re: 24 7.6: ips error in configd.py
« Reply #1 on: October 21, 2024, 01:08:54 am »
The problem might be duplicate signature entries.
The question is how to fix it?


   [100878] <Error> -- Duplicate signature "alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed"; flow:established,to_client; tls.certs; content:"|31 0b 30 09 06 03 55 04 06 13 02|US|31 11 30 0f 06 03 55 04 08 13 08|Illinois|31 13 30 11 06 03 55 04 07 13 0a|Naperville|31 09 30 07 06 03 55 04 09 13 00 31 0d 30 0b 06 03 55 04 11 13 04|"; fast_pattern; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037378; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, malware_family Sliver, malware_family Havoc, performance_impact Low, signature_severity Major, updated_at 2024_01_03;)"
Logged

notspam

Re: 24 7.6: ips error in configd.py
« Reply #2 on: October 21, 2024, 09:53:11 pm »
How to fix these duplicated entries?

2024-10-21T19:49:31   Error   suricata   [100756] <Error> -- error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT ICQ access"; flow:to_server,established; http.header; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:2100541; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_20;)" from file /usr/local/etc/suricata/opnsense.rules/et_open.emerging-chat.rules at line 190   

2024-10-21T19:49:31   Error   suricata   [100756] <Error> -- Duplicate signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT ICQ access"; flow:to_server,established; http.header; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:2100541; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_20;)"
Logged
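The log lines above name only the file and line of the second occurrence of a duplicated sid. As an added example (not part of any post in this thread and not OPNsense's own code), this script lists every location of each duplicated sid across a set of rule files. It assumes one rule per line; the second file name and the sample contents are constructed.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# sid and rev options as they appear inside a Suricata rule's option list
SID_RE = re.compile(r"[;(]\s*sid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"[;(]\s*rev\s*:\s*(\d+)\s*;")
ACTIONS = ("alert", "drop", "reject", "pass")

# Constructed sample: the ICQ rule quoted in the thread, present in two files.
ICQ = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT ICQ access"; '
       'flow:to_server,established; http.header; content:"User-Agent|3A|ICQ"; '
       'classtype:policy-violation; sid:2100541; rev:14;)')
SAMPLE = [
    ("et_open.emerging-chat.rules", "# header\n" + ICQ + "\n"),
    # first line is a commented-out rule and must be ignored
    ("constructed-other.rules", "#" + ICQ.replace("2100541", "2100999") + "\n" + ICQ + "\n"),
]

def index_rules(files):
    """Map sid -> [(file, line_no, rev)] for every active (uncommented) rule."""
    seen = defaultdict(list)
    for name, text in files:
        for line_no, line in enumerate(text.splitlines(), 1):
            line = line.strip()
            if not line.startswith(ACTIONS):
                continue  # comments, blank lines, anything that is not a rule
            sid = SID_RE.search(line)
            if not sid:
                continue
            rev = REV_RE.search(line)
            seen[int(sid.group(1))].append((name, line_no, int(rev.group(1)) if rev else 0))
    return seen

def find_duplicates(files):
    """Return only the sids that occur in more than one place."""
    return {sid: locs for sid, locs in index_rules(files).items() if len(locs) > 1}

if __name__ == "__main__":
    # Default directory is the one shown in the thread's log; override with argv[1].
    rule_dir = Path(sys.argv[1] if len(sys.argv) > 1 else "/usr/local/etc/suricata/opnsense.rules")
    files = ([(p.name, p.read_text(errors="replace")) for p in sorted(rule_dir.glob("*.rules"))]
             if rule_dir.is_dir() else SAMPLE)
    for sid, locs in sorted(find_duplicates(files).items()):
        print(sid, ", ".join(f"{n}:{l} (rev {r})" for n, l, r in locs))
```
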

someone

Re: 24 7.6: ips error in configd.py
« Reply #3 on: November 01, 2024, 03:58:24 am »
Would have to look at config file line 65.
Just a thought: was it an auto update that didn't make a connection?
Logged

jonny5

Re: 24 7.6: ips error in configd.py
« Reply #4 on: November 22, 2024, 07:27:34 am »
Also have noticed/seen the same error.

It seems the rule build/move time period has expanded, but I also think the log line "timeout" hits before 120 seconds have passed.
Logged
