so-rule-update dies with "Traceback"

[ejgh-oe]

Version

2.4.40

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

8

RAM

32

Storage for /

500

Storage for /nsm

500

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi,

Tried several times updating the suricata-rules using "so-rule-update". Always fails with

2024-01-24 17:05:22,860 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-all.rules with hash 'a785159a8fd5af6eecec979b4757eb3a'.
2024-01-24 17:05:25,359 - <INFO> - Writing rules to /nsm/rules/suricata/emerging-all.rules: total: 46634; enabled: 36054; added: 0; removed 0; modified: 0
2024-01-24 17:05:25,586 - <INFO> - Done.
2024-01-24 17:05:25,810 - <INFO> - Loading ./rulecat.conf.
Traceback (most recent call last):
  File "/usr/local/bin/idstools-rulecat", line 12, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/site-packages/idstools/scripts/rulecat.py", line 841, in main
    modify_filters += load_filters(args.modify)
  File "/usr/local/lib/python3.9/site-packages/idstools/scripts/rulecat.py", line 375, in load_filters
    filter = ModifyRuleFilter.parse(line)
  File "/usr/local/lib/python3.9/site-packages/idstools/scripts/rulecat.py", line 218, in parse
    raise Exception("Bad number of arguments.")
Exception: Bad number of arguments.

Any ideas as to what could be wrong here, and how to cure the problem?

Thanks much in advance for your help.

PS: I'm attaching the full output of the "so-rules-update"-script
so-rule-update-log.txt

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

What is in your idstools.sids.modify in SOC -> Administration -> Configuration?

[ejgh-oe]

Hi,
idstools.sids.modify is empty in my config, but you pointed me into the right direction: Under suricata.thresholding.sids I had some suppress-rules for false positives.
As it turned out some of the clauses didn't have the correct indent (yaml-syntax), despite the GUI accepting the settings (and thus the wrong indenting) in the first playe. As soon as I corrected the indent of the thresholding settings I was able to run "so-rule-update" without any problems :-)
Thanks for the hint - definetely solved my problem.

[reyesj2]

Can you share what you had in your thresholding ? We might be able to incorporate it into the regex to help prevent others from having the same issue as you in the future.

[ejgh-oe]

Sure - my problem was that I had

  2034704:
    - suppress:
        gen_id: 1
        track: by_dst
        ip: 192.168.0.90

in the threshold settings (leading blanks) instead of

2034704:
  - suppress:
      gen_id: 1
      track: by_dst
      ip: 143.245.0.90

The correct way would have been starting in column 1, whereas I had it indented by several spaces.

Only found out that this might be the cause of the problem because that was the only thing I modified as far as suricata is concerned.

Maybe for a future release the GUI could check for proper indentation? (In previous releases theses settings were in "global.sls" and one immediately found out about uncorrect indentation when trying to run so-idstools-restart ;-) ) - just an idea.