[Bro] Signatures on upgrade from 2.4 to 2.5
Jon Siwek
jsiwek at corelight.com
Mon Apr 23 13:57:02 PDT 2018
The custom signature could have worked under 2.4 while in 2.5 we may
have introduced a signature in Bro itself whose name conflicts with your
custom one. That's why I suggest comparing the signature that's the
source of that error message with the signatures in all the *.sig files
that ship w/ Bro 2.5's code and then changing the name of the custom
rule to avoid conflicts.
- Jon
On 4/23/18 3:43 PM, Carl Rotenan wrote:
> If this a new behavior, I'm fairly sure under 2.4 this is working.
>
> On Mon, Apr 23, 2018 at 4:16 PM, Jon Siwek <jsiwek at corelight.com
> <mailto:jsiwek at corelight.com>> wrote:
>
>
>
> On 4/23/18 2:38 PM, Carl Rotenan wrote:
>
> I'm upgrading a system from from 2.4 to 2.5 and have a question
> about signatures. I'm getting an error under 2.5 when I try
> implementing my 2.4 signatures:
>
> error: Error in signature
> (/opt/bro/share/bro/foo/./signatures.sig:654): rule defined twice
>
>
> Have you checked if the name of the rule on line 654 of that file
> conflicts with the name of a rule provided in one of Bro's *.sig files ?
>
> If it does, then renaming it should be straightforward (if the
> signature generates an event whose name also now conflicts with an
> event in Bro, you may need to change that also).
>
> - Jon
>
>
More information about the Bro
mailing list