Problem with SIDs disabling and suppressing

[UMWP]

Version

2.4.10

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

28

RAM

200

Storage for /

1TB

Storage for /nsm

3TB

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Disabling and suppressing in web UI doesn't work.
From CLI it also reports these errors:
[soc@mgt nids]$ sudo so-rule disabled add 're:STUN'
(This should not happen, the system is in an error state if you see this message.)

More than one manager-type pillar exists, minion id's listed below:
"/opt/so/saltstack/local/pillar/minions/mgt_manager.sls", "/opt/so/saltstack/local/pillar/minions/adv_mgt_manager.sls"

[soc@mgt nids]$ sudo so-rule disabled list
(This should not happen, the system is in an error state if you see this message.)

More than one manager-type pillar exists, minion id's listed below:
"/opt/so/saltstack/local/pillar/minions/mgt_manager.sls", "/opt/so/saltstack/local/pillar/minions/adv_mgt_manager.sls"

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[jwmasekre]

Did you use 're:STUN' in the administration->idstools->sids->disabled field? I was able to confirm that single quotes does not work (like the documentation shows), but I could successfully disable rules using no quotes (ie: re:STUN).

[dougburks]

I've updated the documentation:
https://docs.securityonion.net/en/2.4/managing-alerts.html#disable-the-sid

[UMWP]

It seems like disabling via web interface without single quotes works, but I still get that error message:
[soc@mgt nids]$ sudo so-rule disabled list
(This should not happen, the system is in an error state if you see this message.)

More than one manager-type pillar exists, minion id's listed below:
"/opt/so/saltstack/local/pillar/minions/mgt_manager.sls", "/opt/so/saltstack/local/pillar/minions/adv_mgt_manager.sls"

However if I try
[soc@mgt nids]$ grep "STUN" all.rules
it shows lines begining with #, which means they are disabled, right?

Unfortunatelly suppressing still doesn't work.

[dougburks]

[soc@mgt nids]$ sudo so-rule disabled list

You shouldn't need to use so-rule anymore. You should only need to use the web interface now.

it shows lines begining with #, which means they are disabled, right?

Yes.

Unfortunatelly suppressing still doesn't work.

If you can provide more information about what you're trying to suppress and how you're trying to suppress it, then perhaps we can assist you further.

[UMWP]

Analyst Quick Links->SIDS - Thresholding
And in "Threshold SIDS List" we have (for example):

thresholding: # Reduced alerts
sids:
2000418: #ET POLICY Executable and linking format (ELF) file download
- suppress:
gen_id: 1
track: by_dst
ip: 192.168.1.222
2013030: #ET POLICY libwww-perl User-Agent
- suppress:
gen_id: 1

It doesn't work because suppressed events still show in alerts queue.

[dougburks]

The 2.4 SOC Config page is different from the old 2.3 config, so you shouldn't need the thresholding: or sids: lines at the top.

I tested this simple example and it seems to work for me:

2013030: #ET POLICY libwww-perl User-Agent
  - suppress:
      gen_id: 1

Please try that and see if it works for you. As a reminder, please be careful with the spaces. It should look like this:

[UMWP]

It works like a charm!
Thank You very much Mr. Burks - not only for this solution, but first of all for creating such a great and very useful toolset as Security Onion. It's integration with Elastic Agent was a very good and long awaited move.

Congratulations and best regards
UMWP Team