Local rules not working? #12284

Lesterol · 2024-01-30T22:07:46Z

Lesterol
Jan 30, 2024

Hello everyone. I've been experimenting all day with adding local rules, but haven't gotten any positive results.
I'm using version 2.4.40. I added rules according to the documentation via Administration –> Configuration –> idstools –> rules –> Local Rules.
Even adding the simplest rules, such as

alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"TCP Testing Rule"; sid:1000002; rev:1;)
alert udp any any -> any any (msg:"UDP Testing Rule"; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP Test"; sid 1000004; rev:1;)

I still don’t see local alerts, but only default ones from all.rules. I even see events in Hunt and the traffic matches these local rules, but there is no alert. Can anyone help?
Standalone verison

Answered by reyesj2

Jan 31, 2024

Looks like your last rule is missing : after the sid
alert icmp any any -> $HOME_NET any (msg:"ICMP Test"; sid:1000004; rev:1;)

I went and added those rules to my idstools -> rules -> local rules

alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"TCP Testing Rule"; sid:1000002; rev:1;)
alert udp any any -> any any (msg:"UDP Testing Rule"; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP Test"; sid:1000004; rev:1;)

Then clicked the 'Synchronize grid' button at the top of SOC and I started to get alerts for the new rules (after about 15 minutes for the grid sync to complete)

View full answer

reyesj2 · 2024-01-31T20:49:06Z

reyesj2
Jan 31, 2024
Maintainer

Looks like your last rule is missing : after the sid
alert icmp any any -> $HOME_NET any (msg:"ICMP Test"; sid:1000004; rev:1;)

I went and added those rules to my idstools -> rules -> local rules

alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"TCP Testing Rule"; sid:1000002; rev:1;)
alert udp any any -> any any (msg:"UDP Testing Rule"; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP Test"; sid:1000004; rev:1;)

Then clicked the 'Synchronize grid' button at the top of SOC and I started to get alerts for the new rules (after about 15 minutes for the grid sync to complete)

0 replies

Lesterol · 2024-01-31T21:40:52Z

Lesterol
Jan 31, 2024
Author

Looks like your last rule is missing : after the sid alert icmp any any -> $HOME_NET any (msg:"ICMP Test"; sid:1000004; rev:1;)

I went and added those rules to my idstools -> rules -> local rules
alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"TCP Testing Rule"; sid:1000002; rev:1;)
alert udp any any -> any any (msg:"UDP Testing Rule"; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP Test"; sid:1000004; rev:1;)
Then clicked the 'Synchronize grid' button at the top of SOC and I started to get alerts for the new rules (after about 15 minutes for the grid sync to complete)

Looks like I wasn't paying attention. Indeed, after the fix everything worked. Although I am a little surprised that because of one rule the whole chain of rules does not work, as I understand it. But nevertheless, Onion works properly after the fix.
Thanks a lot!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Local rules not working? #12284

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Local rules not working? #12284

Uh oh!

Uh oh!

Lesterol Jan 30, 2024

Replies: 2 comments

Uh oh!

reyesj2 Jan 31, 2024 Maintainer

Uh oh!

Lesterol Jan 31, 2024 Author

Lesterol
Jan 30, 2024

reyesj2
Jan 31, 2024
Maintainer

Lesterol
Jan 31, 2024
Author