[Bro] Signatures on upgrade from 2.4 to 2.5

Jon Siwek jsiwek at corelight.com
Mon Apr 23 13:57:02 PDT 2018


The custom signature could have worked under 2.4 while in 2.5 we may 
have introduced a signature in Bro itself whose name conflicts with your 
custom one.  That's why I suggest comparing the signature that's the 
source of that error message with the signatures in all the *.sig files 
that ship w/ Bro 2.5's code and then changing the name of the custom 
rule to avoid conflicts.

- Jon

On 4/23/18 3:43 PM, Carl Rotenan wrote:
> If this a new behavior, I'm fairly sure under 2.4 this is working.
> 
> On Mon, Apr 23, 2018 at 4:16 PM, Jon Siwek <jsiwek at corelight.com 
> <mailto:jsiwek at corelight.com>> wrote:
> 
> 
> 
>     On 4/23/18 2:38 PM, Carl Rotenan wrote:
> 
>         I'm upgrading a system from from 2.4 to 2.5 and have a question
>         about signatures. I'm getting an error under 2.5 when I try
>         implementing my 2.4 signatures:
> 
>         error: Error in signature
>         (/opt/bro/share/bro/foo/./signatures.sig:654): rule defined twice
> 
> 
>     Have you checked if the name of the rule on line 654 of that file
>     conflicts with the name of a rule provided in one of Bro's *.sig files ?
> 
>     If it does, then renaming it should be straightforward (if the
>     signature generates an event whose name also now conflicts with an
>     event in Bro, you may need to change that also).
> 
>     - Jon
> 
> 


More information about the Bro mailing list