SO-MISP rule update failure #11119
Replies: 1 comment
-
What version of MISP are you using? If you download the rules manually do they look correct? Please open an issue in the corresponding repository, so we can continue the discussion there since this is not an officially supported integration.
-
Hi all,
We have recently deployed Security Onion (Version: 2.3.260) into two of our clients' infrastructure.
Everything went smoothly; however, when we wanted to integrate MISP (Version: MISP 2.4.166) into it via "https://github.com/weslambert/securityonion-misp", the so-rule-update command started to fail, giving us the following output:
so-rule-update
2023-08-21 12:25:30,642 - - Loading ./rulecat.conf.
2023-08-21 12:25:30,645 - - Forcing Suricata version to 6.0.
2023-08-21 12:25:30,646 - - Fetching https://rules.emergingthreats.net/open/suricata-6.0.0/emerging.rules.tar.gz.
100% - 4022294/4022294
2023-08-21 12:25:32,404 - - Done.
2023-08-21 12:25:32,641 - - Ignoring file rules/emerging-deleted.rules
2023-08-21 12:25:32,641 - - Loading local file /opt/so/rules/nids/local.rules
2023-08-21 12:25:32,641 - - Loading local file /opt/so/rules/nids/misp.rules
2023-08-21 12:25:41,224 - - failed to parse rule:
Traceback (most recent call last):
File "/usr/local/bin/idstools-rulecat", line 12, in <module>
sys.exit(main())
File "/usr/local/lib/python3.9/site-packages/idstools/scripts/rulecat.py", line 861, in main
rules += idstools.rule.parse_fileobj(
File "/usr/local/lib/python3.9/site-packages/idstools/rule.py", line 361, in parse_fileobj
rule = parse(buf + line, group)
File "/usr/local/lib/python3.9/site-packages/idstools/rule.py", line 301, in parse
raise Exception("end of option not found: %s" % (buf))
Exception: end of option not found: alert tcp $EXTERNAL_NET any > $HOME_NET any (msg:"CVE20155122: Adobe Flash Exploit (Memory Corruption)"; flow:from_server,established; content:"|43 57 53|"; content:"|c9 66 3d 21 24 49 68 69 69 39 12 61 04 4a 49 4e|"; offset:127; sid:9931892; rev:2;)_
We tried the following:
sys.exit(main())
File "/usr/local/lib/python3.9/site-packages/idstools/scripts/rulecat.py", line 861, in main
rules += idstools.rule.parse_fileobj(
File "/usr/local/lib/python3.9/site-packages/idstools/rule.py", line 361, in parse_fileobj
rule = parse(buf + line, group)
File "/usr/local/lib/python3.9/site-packages/idstools/rule.py", line 317, in parse
rule[name] = int(val)
ValueError: invalid literal for int() with base 10: 'XX'
The rule file also overwrites itself after the daily cronjob runs.
Could you help me with this one please?
Thank you in advance!
Best regards,
Richard
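A pre-flight check that reports every malformed line in an exported rules file, rather than aborting the whole rule update at the first one as idstools-rulecat does in the traceback above. This is an added example written for this thread, not code from Security Onion, the securityonion-misp integration or idstools; the checks mirror the two failures quoted in the post (an unterminated option block and a non-integer sid), and the sample rules file is constructed.

```python
"""Pre-flight checker for a Suricata-style rules file (for example the
misp.rules file written by a MISP export) before so-rule-update / idstools-rulecat
ingests it. Assumption (not from the thread): reporting all bad lines by number
is preferable to the first bad rule failing the whole daily update."""
import re

ACTIONS = {"alert", "drop", "pass", "reject", "log"}
INT_OPTIONS = {"sid", "rev", "gid", "priority"}

# Constructed sample: one good rule, one with an unterminated option block
# (the "end of option not found" case) and one with a non-integer sid.
SAMPLE_RULES = """\
# constructed sample of a MISP-exported misp.rules file
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED ok rule"; flow:established,to_server; content:"|43 57 53|"; sid:9900001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED unterminated option"; content:"|43 57 53|"; sid:9900002; rev:2)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED bad sid"; content:"abc"; sid:XX; rev:1;)
"""


def split_options(body):
    """Split the text between '(' and ')' into option strings.

    A ';' inside a quoted value does not split. Returns the options and a flag
    saying whether the last option was terminated by ';' with quotes balanced."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return opts, (tail == "" and not in_quote)


def check_rule(line):
    """Return a list of problems for one rule line (empty list = looks fine)."""
    problems = []
    s = line.strip()
    if not s or s.startswith("#"):
        return problems
    header, sep, rest = s.partition("(")
    if not sep or not rest.rstrip().endswith(")"):
        problems.append("option block not enclosed in ( ... )")
        return problems
    tokens = header.split()
    # action proto src_ip src_port direction dst_ip dst_port
    if (len(tokens) != 7 or tokens[0] not in ACTIONS
            or tokens[4] not in ("->", "<>")):
        problems.append("malformed header: %r" % header.strip())
    body = rest.rstrip()[:-1]  # drop the closing ')'
    opts, terminated = split_options(body)
    if not terminated:
        problems.append("end of option not found (missing ';' or unbalanced quote)")
    seen = {}
    for opt in opts:
        name, _, val = opt.partition(":")
        name, val = name.strip(), val.strip()
        seen[name] = val
        if name in INT_OPTIONS and not re.fullmatch(r"\d+", val):
            problems.append("option %s must be an integer, got %r" % (name, val))
    if "sid" not in seen:
        problems.append("missing sid")
    return problems


def check_rule_file(text):
    """Run check_rule over every line; return [(line_number, problem), ...]."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for p in check_rule(line):
            findings.append((n, p))
    return findings


if __name__ == "__main__":
    for n, problem in check_rule_file(SAMPLE_RULES):
        print("line %d: %s" % (n, problem))
```

Run against the real misp.rules (read the file and pass its contents to check_rule_file) before the daily cron job overwrites it; a non-empty finding list is the signal to fix or drop the offending exported rule rather than let the whole rule set fail to load.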