Signatures on upgrade from 2.4 to 2.5


I’m upgrading a system from from 2.4 to 2.5 and have a question about signatures. I’m getting an error under 2.5 when I try implementing my 2.4 signatures:

error: Error in signature (/opt/bro/share/bro/foo/./signatures.sig:654): rule defined twice

Any thoughts?

Thanks as always,


Have you checked if the name of the rule on line 654 of that file conflicts with the name of a rule provided in one of Bro's *.sig files ?

If it does, then renaming it should be straightforward (if the signature generates an event whose name also now conflicts with an event in Bro, you may need to change that also).

- Jon

If this a new behavior, I’m fairly sure under 2.4 this is working.

The custom signature could have worked under 2.4 while in 2.5 we may have introduced a signature in Bro itself whose name conflicts with your custom one. That's why I suggest comparing the signature that's the source of that error message with the signatures in all the *.sig files that ship w/ Bro 2.5's code and then changing the name of the custom rule to avoid conflicts.

- Jon