I’m upgrading a system from 2.4 to 2.5 and have a question about signatures. I’m getting an error under 2.5 when I try implementing my 2.4 signatures:
error: Error in signature (/opt/bro/share/bro/foo/./signatures.sig:654): rule defined twice
Thanks as always,
Have you checked if the name of the rule on line 654 of that file conflicts with the name of a rule provided in one of Bro's *.sig files?
If it does, then renaming it should be straightforward (if the signature generates an event whose name also now conflicts with an event in Bro, you may need to change that also).
Is this a new behavior? I’m fairly sure under 2.4 this is working.
The custom signature could have worked under 2.4 while in 2.5 we may have introduced a signature in Bro itself whose name conflicts with your custom one. That's why I suggest comparing the signature that's the source of that error message with the signatures in all the *.sig files that ship w/ Bro 2.5's code and then changing the name of the custom rule to avoid conflicts.
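The comparison suggested above can be scripted. The following is an added example, not part of the original thread or of Bro itself: it collects every `signature <name> {` definition from a set of *.sig files and reports names defined more than once. The sample file contents and rule names are constructed for illustration.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# A Bro signature definition starts with "signature <id> {".
SIG_DEF = re.compile(r"^\s*signature\s+([A-Za-z0-9_\-:.]+)\s*\{?")

def signature_names(text):
    """Yield (line_number, name) for each signature defined in text."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]  # ignore commented-out definitions
        m = SIG_DEF.match(line)
        if m:
            yield lineno, m.group(1)

def find_duplicates(sources):
    """sources maps a file label to its text; return names defined twice or more."""
    seen = defaultdict(list)
    for label, text in sources.items():
        for lineno, name in signature_names(text):
            seen[name].append((label, lineno))
    return {name: locs for name, locs in seen.items() if len(locs) > 1}

def scan_tree(root):
    """Check every *.sig file below root, e.g. /opt/bro/share/bro."""
    files = {str(p): p.read_text(errors="replace")
             for p in Path(root).rglob("*.sig")}
    return find_duplicates(files)

# Constructed sample: a custom rule whose name collides with a shipped one.
SAMPLE = {
    "shipped-example.sig":
        'signature example-dup-rule {\n  ip-proto == tcp\n  event "shipped"\n}\n',
    "signatures.sig":
        '# signature example-dup-rule {\n'
        'signature my-unique-rule {\n  ip-proto == tcp\n}\n'
        'signature example-dup-rule {\n  ip-proto == udp\n}\n',
}

if __name__ == "__main__":
    dups = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_duplicates(SAMPLE)
    for name, locs in sorted(dups.items()):
        print(name, "defined at", ", ".join(f"{f}:{n}" for f, n in locs))
```

Run it with the Bro share directory as the argument to check an installation. It reports every duplicate name under that tree, including files that are not loaded, so confirm that both files are actually loaded before renaming.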