How to solve rule defined twice error in Zeek signature?


I'm trying to learn zeek signature

Signature file name: dns.sig

    signature dns-intel {
        ip-proto == udp
        dst-port == 53
        payload /.*life|.*bar/
        event "[Suspicious DNS Query]"
    }

Zeek file name: myfirst.zeek

    event signature_match(state: signature_state, msg: string, data: string)
    {
        if ( state$sig_id == "dns-intel" )
            print fmt("[Suspicious DNS query] %s", state$conn$dns$query);
    }

I'm getting an error in line 5: rule defined twice. What's the problem here?


The signature id has to be unique, based on your error code:

error in line 5 : rule defined twice. what's the problem here ??

It might be the case that you have multiple signatures defined with the same id, dns-intel, in your dns.sig file.

Modifying your dns.sig file and making sure each signature has a unique id should fix the error.

I tested your signature and script on my local machine, and they run without issue.
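As an added example (not code from the question or the answer above), here is a small Python check that finds the condition behind "rule defined twice" before Zeek is started: it scans one or more .sig files for `signature <id> {` headers and reports any id that appears more than once. Zeek keeps signature ids in one global table, so the check is run over every file you load together, not just one. The sample .sig text embedded below is constructed for the demo and repeats `dns-intel` on purpose; the function names `find_signature_ids` and `duplicate_ids` are this example's own, not part of Zeek.

```python
import re
from collections import defaultdict

# Constructed sample: a .sig file in which the id "dns-intel" is defined twice,
# reproducing the situation the answer describes. Not a real file from the post.
SAMPLE_SIG = """\
signature dns-intel {
    ip-proto == udp
    dst-port == 53
    payload /.*life|.*bar/
    event "[Suspicious DNS Query]"
}

signature dns-intel {
    ip-proto == udp
    dst-port == 53
    payload /.*evil/
    event "[Suspicious DNS Query 2]"
}

signature http-intel {
    ip-proto == tcp
    dst-port == 80
    payload /.*foo/
    event "[Suspicious HTTP request]"
}
"""

# A signature block starts with the keyword `signature`, its id, then `{`.
SIG_HEADER = re.compile(r"^\s*signature\s+([^\s{]+)\s*\{")


def find_signature_ids(text, source="<string>"):
    """Return a list of (id, source, line_number) for every signature header in text."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Drop trailing '#' comments so a commented-out signature is not counted.
        code = line.split("#", 1)[0]
        m = SIG_HEADER.match(code)
        if m:
            found.append((m.group(1), source, lineno))
    return found


def duplicate_ids(sig_texts):
    """sig_texts maps file name -> file contents.

    Returns {id: [(file, line), ...]} for every id defined more than once
    across all of the given files (Zeek rejects these with 'rule defined twice').
    """
    seen = defaultdict(list)
    for name, text in sig_texts.items():
        for sig_id, source, lineno in find_signature_ids(text, source=name):
            seen[sig_id].append((source, lineno))
    return {sig_id: locs for sig_id, locs in seen.items() if len(locs) > 1}


def report(sig_texts):
    """Print a human-readable list of duplicates; return True if the set is clean."""
    dups = duplicate_ids(sig_texts)
    for sig_id, locs in sorted(dups.items()):
        where = ", ".join(f"{f}:{ln}" for f, ln in locs)
        print(f"duplicate signature id {sig_id!r} at {where}")
    return not dups


if __name__ == "__main__":
    # With real files: report({p: open(p).read() for p in ["dns.sig", "http.sig"]})
    report({"dns.sig": SAMPLE_SIG})
```

Running the block as-is prints the two locations of `dns-intel` in the constructed sample; pass it the contents of every .sig file you load (via `@load-sigs` or `-s`) to check the whole set at once.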