SO Detection Suricata Rule Mismatch - integrity check failed; discrepancies found

[Koen1999]

Version

2.4.70

Installation Method

Network installation on Red Hat derivative like Oracle, Rocky, Alma, etc.

Description

upgrading

Installation Type

Eval

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

8

Storage for /

1TB

Storage for /nsm

1TB

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Recently I upgraded to 2.4.70. I was running a recent release before that as well. I had local rules configured, as well as thresholds. So, after reading in the documentation was "Rule Mismatch" implies, I remove the local rules, as well as the thresholds, hoping I could configure them again via detections later.

Currently, no local rules are configured and no thresholds are set. I switched back to only using the ETOPEN ruleset, seeing also the ruleset import via url has been made readonly. Yet, I still get the rule mismatch in the detections tab. I checked the logs, and I can see that the integrity check has failed (integrity check failed; discrepancies found), saying that some rules are deployed but not enabled. I did not explicitly enable or disable any rules in the idstools configuration options. These options show as blank. I would try enabling these rules, but since the enabled configuration setting is made readonly, I suspect that is not the fix I should apply.

{"fields":{"deployedButNotEnabled":["2005216","2040859","cut off here, but a lot more rules."],"detectionEngine":"suricata","enabledButNotDeployed":[],"intCheckId":"3e1146d5-9540-4ee1-b233-5a59b849c7bc"},"level":"info","timestamp":"2024-05-31T13:44:18.475761792Z","message":"integrity check report"}

How can I remediate this issue?

PS. The issue may be related to or be similar to the issue in #13109

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[defensivedepth]

Custom rulesets via the URL option is not currently supported in Detections, which is why you are seeing a rule mismatch - Detections only knows about ETOPEN, so it sees the others and detects that something is not right.

Custom rulesets via the URL is on the roadmap - #13115

[Koen1999]

I have already removed all custom rules, being those present under local rules and those imported via URL. I rebooted the machine several times, yet rule sync is not possible. Moreover, the rules mentioned in the integrity check report as deployedButNotEnabled are ETOPEN rules.

I think the Detections module reached something like a deadlock due to an initial configuration it could not handle. Now that the configuration is set to something it should be able to handle, it's not able to recover as it appears to me.

Is there any way to fully reset the Detections module?

[defensivedepth]

@Koen1999 Do you have any custom configuration?

[Koen1999]

I configured some Suricata address groups and port ranges, and a couple that are unrelated to detections such as allowed IP ranges. All these configurations were changed through the Configurations tab in the Web UI.

[defensivedepth]

@Koen1999

Ok, so looking at the integrity check report:

{"fields":{"deployedButNotEnabled":["2005216","2040859","cut off here, but a lot more rules."],"detectionEngine":"suricata","enabledButNotDeployed":[],"intCheckId":"3e1146d5-9540-4ee1-b233-5a59b849c7bc"},"level":"info","timestamp":"2024-05-31T13:44:18.475761792Z","message":"integrity check report"}

Can you confirm that the rule with the SID of 2005216:

• Is Enabled in Detections interface
• Is not in the Grid Configuration --> idstools --> sids --> disabled list
• Is listed in /nsm/rules/suricata/emerging-all.rules without the # in front of it? (That would mean it is disabled)

[defensivedepth]

Also, after you have completed the above, please do the following:

Run sudo so-rule-update from the Manager. Post the final output here, should look like this:

2024-06-03 21:06:08,741 - <INFO> - Writing rules to /nsm/rules/suricata/emerging-all.rules: total: 49331; enabled: 37515; added: 0; removed 0; modified: 0
2024-06-03 21:06:09,498 - <INFO> - Done.
2024-06-03 21:06:10,228 - <INFO> - Loading ./rulecat.conf.
2024-06-03 21:06:10,282 - <INFO> - Fetching http://hostname:7788/suricata/emerging-all.rules.
 100% - 28174180/28174180             
2024-06-03 21:06:10,832 - <INFO> - Done.
2024-06-03 21:06:10,863 - <INFO> - Loading local file /opt/so/rules/nids/suri/local.rules
2024-06-03 21:06:16,712 - <INFO> - Loaded 49331 rules.
2024-06-03 21:07:23,805 - <INFO> - Disabled 16 rules.
2024-06-03 21:07:23,805 - <INFO> - Enabled 0 rules.
2024-06-03 21:07:23,805 - <INFO> - Modified 519 rules.
2024-06-03 21:07:23,806 - <INFO> - Dropped 0 rules.
2024-06-03 21:07:24,073 - <INFO> - Enabled 0 rules for flowbit dependencies.
2024-06-03 21:07:31,530 - <INFO> - Writing rules to /opt/so/rules/nids/suri/all.rules: total: 49331; enabled: 37499; added: 0; removed 0; modified: 0

[Koen1999]

@defensivedepth , thanks for the additional support.

• I cannot confirm the first as the Detections menu is entirely empty. No rules are shown there since no sync succeeded so far.
  
• The disabled list is empty, so the rule is not shown in there.
• I confirm the rule is present in /nsm/rules/suricata/emerging-all.rules without leading #.

The rule is clearly enabled. I can also confirm having received alerts associated with some of the rules mentioned in the integrity report.

Please find below the output of so-rule-update executed as root user:

[root@koen-security-onion-vm salt]# so-rule-update
2024-06-04 12:37:53,256 - <DEBUG> - This is idstools-rulecat version 0.6.5; Python: 3.9.7 (default, Aug 31 2021, 19:01:35) - [GCC 10.3.1 20210424]
2024-06-04 12:37:53,256 - <INFO> - Forcing Suricata version to 6.0.
2024-06-04 12:37:53,257 - <INFO> - Fetching https://rules.emergingthreats.net/open/suricata-6.0.0/emerging.rules.tar.gz.
 100% - 4289803/4289803
2024-06-04 12:37:55,379 - <INFO> - Done.
2024-06-04 12:37:55,528 - <INFO> - Ignoring file rules/emerging-deleted.rules
2024-06-04 12:37:55,529 - <DEBUG> - Parsing rules/3coresec.rules.
2024-06-04 12:37:55,530 - <DEBUG> - Parsing rules/botcc.portgrouped.rules.
2024-06-04 12:37:55,530 - <DEBUG> - Parsing rules/botcc.rules.
2024-06-04 12:37:55,531 - <DEBUG> - Parsing rules/ciarmy.rules.
2024-06-04 12:37:55,535 - <DEBUG> - Parsing rules/compromised.rules.
2024-06-04 12:37:55,536 - <DEBUG> - Parsing rules/drop.rules.
2024-06-04 12:37:55,538 - <DEBUG> - Parsing rules/dshield.rules.
2024-06-04 12:37:55,539 - <DEBUG> - Parsing rules/emerging-activex.rules.
2024-06-04 12:37:55,566 - <DEBUG> - Parsing rules/emerging-adware_pup.rules.
2024-06-04 12:37:55,627 - <DEBUG> - Parsing rules/emerging-attack_response.rules.
2024-06-04 12:37:55,676 - <DEBUG> - Parsing rules/emerging-chat.rules.
2024-06-04 12:37:55,679 - <DEBUG> - Parsing rules/emerging-coinminer.rules.
2024-06-04 12:37:55,681 - <DEBUG> - Parsing rules/emerging-current_events.rules.
2024-06-04 12:37:55,695 - <DEBUG> - Parsing rules/emerging-dns.rules.
2024-06-04 12:37:55,698 - <DEBUG> - Parsing rules/emerging-dos.rules.
2024-06-04 12:37:55,942 - <DEBUG> - Parsing rules/emerging-hunting.rules.
2024-06-04 12:37:56,012 - <DEBUG> - Parsing rules/emerging-icmp.rules.
2024-06-04 12:37:56,014 - <DEBUG> - Parsing rules/emerging-icmp_info.rules.
2024-06-04 12:37:56,305 - <DEBUG> - Parsing rules/emerging-ja3.rules.
2024-06-04 12:37:56,309 - <DEBUG> - Parsing rules/emerging-malware.rules.
2024-06-04 12:37:57,261 - <DEBUG> - Parsing rules/emerging-misc.rules.
2024-06-04 12:37:57,264 - <DEBUG> - Parsing rules/emerging-mobile_malware.rules.
2024-06-04 12:37:57,315 - <DEBUG> - Parsing rules/emerging-netbios.rules.
2024-06-04 12:37:57,357 - <DEBUG> - Parsing rules/emerging-p2p.rules.
2024-06-04 12:37:57,362 - <DEBUG> - Parsing rules/emerging-phishing.rules.
2024-06-04 12:37:57,527 - <DEBUG> - Parsing rules/emerging-policy.rules.
2024-06-04 12:37:57,572 - <DEBUG> - Parsing rules/emerging-pop3.rules.
2024-06-04 12:37:57,574 - <DEBUG> - Parsing rules/emerging-rpc.rules.
2024-06-04 12:37:57,580 - <DEBUG> - Parsing rules/emerging-scada.rules.
2024-06-04 12:37:57,585 - <DEBUG> - Parsing rules/emerging-scan.rules.
2024-06-04 12:37:57,598 - <DEBUG> - Parsing rules/emerging-shellcode.rules.
2024-06-04 12:37:57,605 - <DEBUG> - Parsing rules/emerging-smtp.rules.
2024-06-04 12:37:57,607 - <DEBUG> - Parsing rules/emerging-snmp.rules.
2024-06-04 12:37:57,609 - <DEBUG> - Parsing rules/emerging-sql.rules.
2024-06-04 12:37:57,623 - <DEBUG> - Parsing rules/emerging-telnet.rules.
2024-06-04 12:37:57,623 - <DEBUG> - Parsing rules/emerging-tftp.rules.
2024-06-04 12:37:57,625 - <DEBUG> - Parsing rules/emerging-user_agents.rules.
2024-06-04 12:37:57,637 - <DEBUG> - Parsing rules/emerging-voip.rules.
2024-06-04 12:37:57,638 - <DEBUG> - Parsing rules/emerging-web_client.rules.
2024-06-04 12:37:57,680 - <DEBUG> - Parsing rules/emerging-web_server.rules.
2024-06-04 12:37:57,811 - <DEBUG> - Parsing rules/emerging-web_specific_apps.rules.
2024-06-04 12:37:58,099 - <DEBUG> - Parsing rules/emerging-worm.rules.
2024-06-04 12:37:58,100 - <DEBUG> - Parsing rules/threatview_CS_c2.rules.
2024-06-04 12:37:58,101 - <DEBUG> - Parsing rules/tor.rules.
2024-06-04 12:37:58,243 - <INFO> - Loaded 49371 rules.
2024-06-04 12:37:58,253 - <INFO> - Disabled 0 rules.
2024-06-04 12:37:58,253 - <INFO> - Enabled 0 rules.
2024-06-04 12:37:58,253 - <INFO> - Modified 0 rules.
2024-06-04 12:37:58,253 - <INFO> - Dropped 0 rules.
2024-06-04 12:37:58,317 - <DEBUG> - Found 322 required flowbits.
2024-06-04 12:37:58,370 - <DEBUG> - Found 136 rules to enable to for flowbit requirements
2024-06-04 12:37:58,435 - <DEBUG> - Found 323 required flowbits.
2024-06-04 12:37:58,492 - <DEBUG> - Found 0 rules to enable to for flowbit requirements
2024-06-04 12:37:58,492 - <DEBUG> - All required rules enabled.
2024-06-04 12:37:58,492 - <INFO> - Enabled 136 rules for flowbit dependencies.
2024-06-04 12:37:58,493 - <DEBUG> - Recording file /nsm/rules/suricata/3coresec.rules with hash '986efadd56deac321730d1c67ecd9de8'.
2024-06-04 12:37:58,493 - <DEBUG> - Recording file /nsm/rules/suricata/BSD-License.txt with hash '8328ca9169c49745ab723da8bd612243'.
2024-06-04 12:37:58,494 - <DEBUG> - Recording file /nsm/rules/suricata/LICENSE with hash 'ed7a97b04a5e5d7265206fc245fe74ae'.
2024-06-04 12:37:58,494 - <DEBUG> - Recording file /nsm/rules/suricata/botcc.portgrouped.rules with hash '1c81eda95af6c8b68c46dde18b87920b'.
2024-06-04 12:37:58,494 - <DEBUG> - Recording file /nsm/rules/suricata/botcc.rules with hash 'ecf2fd8642b919f6a6ce5c6378432724'.
2024-06-04 12:37:58,495 - <DEBUG> - Recording file /nsm/rules/suricata/ciarmy.rules with hash '6a566b7b76c24a2202e045a9558c24f6'.
2024-06-04 12:37:58,495 - <DEBUG> - Recording file /nsm/rules/suricata/classification.config with hash '97383e1aed3414abd362f582a00ab21e'.
2024-06-04 12:37:58,496 - <DEBUG> - Recording file /nsm/rules/suricata/compromised-ips.txt with hash '8027f62a8de793913fd27224325a3aec'.
2024-06-04 12:37:58,496 - <DEBUG> - Recording file /nsm/rules/suricata/compromised.rules with hash 'd808a34969ce694284e7a5d9d3694746'.
2024-06-04 12:37:58,497 - <DEBUG> - Recording file /nsm/rules/suricata/drop.rules with hash 'af521c2f8c4e672a94080677392746b9'.
2024-06-04 12:37:58,497 - <DEBUG> - Recording file /nsm/rules/suricata/dshield.rules with hash 'a54515268de34c6719f97a6daafb721c'.
2024-06-04 12:37:58,498 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-activex.rules with hash '8daf40473ab7ada3b3d4f6ed951f084d'.
2024-06-04 12:37:58,499 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-adware_pup.rules with hash '64c4ca2b9b1c8fde70563e35dfefd745'.
2024-06-04 12:37:58,501 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-attack_response.rules with hash 'd933f276726494b7102cdd5b47266cca'.
2024-06-04 12:37:58,502 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-chat.rules with hash 'af58a6f415f10460447725cda0e82fa2'.
2024-06-04 12:37:58,502 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-coinminer.rules with hash '540ae8259a38875cf831bedf09d8cee0'.
2024-06-04 12:37:58,503 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-current_events.rules with hash '0d5edc5adff849740a0093d0f8ec48d3'.
2024-06-04 12:37:58,503 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-dns.rules with hash '0caab42192815f27e3d60a389026e550'.
2024-06-04 12:37:58,504 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-dos.rules with hash '6ee654d22098a83cacb0c6ebe0e85316'.
2024-06-04 12:37:58,507 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-exploit.rules with hash '6d0d4c7a7ea5146ca09230036cb7555d'.
2024-06-04 12:37:58,510 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-exploit_kit.rules with hash '9b395cd09a1d2e1123e4d19e01734d16'.
2024-06-04 12:37:58,513 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-hunting.rules with hash '5570256bfdb64f1cdbad514aa385f273'.
2024-06-04 12:37:58,513 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-icmp.rules with hash '999a485a7920277102079ab6b04739d9'.
2024-06-04 12:37:58,513 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-icmp_info.rules with hash 'cb9fb402055874d43964b9a492699593'.
2024-06-04 12:37:58,514 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-imap.rules with hash '3eae7905d06919617f97626a0f9add38'.
2024-06-04 12:37:58,515 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-inappropriate.rules with hash 'ec49e4bc0ed2864443a8414982dce1cf'.
2024-06-04 12:37:58,538 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-misc.rules with hash 'c86458e1d407101641ef29ff6176306b'.
2024-06-04 12:37:58,540 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-mobile_malware.rules with hash 'c649a6afb383ef7b47a82ed130deb26b'.
2024-06-04 12:37:58,540 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-netbios.rules with hash '29c10a6b92345537cc6e9a97fe808ed2'.
2024-06-04 12:37:58,541 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-p2p.rules with hash 'b51d220fbae2af8c5f2aa03172d80c61'.
2024-06-04 12:37:58,544 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-phishing.rules with hash '01ef17c781ad54d0f11675dca64b426f'.
2024-06-04 12:37:58,545 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-policy.rules with hash '7d9a76c43fe83fd3fe55668732d06e07'.
2024-06-04 12:37:58,545 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-pop3.rules with hash '9623365791022f5ba1cdf7571fbbd765'.
2024-06-04 12:37:58,546 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-rpc.rules with hash 'cfa176e56879409a005a6436f90c14e2'.
2024-06-04 12:37:58,546 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-scada.rules with hash '9ef4dbae04f272d32ad137fd0646ce18'.
2024-06-04 12:37:58,546 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-scan.rules with hash '23e0f8b30eb645f2f468eb665b51dd15'.
2024-06-04 12:37:58,546 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-shellcode.rules with hash '120af952756e52ebb0c11fd4b4844d6a'.
2024-06-04 12:37:58,547 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-smtp.rules with hash 'f4bc6ac67637ca66fb28342f162a4e7c'.
2024-06-04 12:37:58,547 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-snmp.rules with hash '5fab17aa0ed609b29362f16df3271483'.
2024-06-04 12:37:58,547 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-sql.rules with hash '21a16d949bd9a9a2e767bf0cbf7539b0'.
2024-06-04 12:37:58,547 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-telnet.rules with hash '0d5f0d71ae7d9abddf95c099e3e96edd'.
2024-06-04 12:37:58,547 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-tftp.rules with hash 'de67350c294ab2ff51ca86509bc12ba0'.
2024-06-04 12:37:58,548 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-user_agents.rules with hash '881076f539ff730ae254a8967abca136'.
2024-06-04 12:37:58,548 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-voip.rules with hash '42804fb2ce222c78c7dac46bedf21c3a'.
2024-06-04 12:37:58,549 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-web_client.rules with hash 'edf8ef20bf96e2105de0cfcb50144eee'.
2024-06-04 12:37:58,549 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-web_server.rules with hash '7161deb735d64c84a5d93fe0935d6574'.
2024-06-04 12:37:58,556 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-web_specific_apps.rules with hash '8fb082fe45e32b13a3e768b7b2aa9585'.
2024-06-04 12:37:58,556 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-worm.rules with hash '8913e325dec48f56ff0d0e210a87aa99'.
2024-06-04 12:37:58,556 - <DEBUG> - Recording file /nsm/rules/suricata/gpl-2.0.txt with hash 'b234ee4d69f5fce4486a80fdaf4a4263'.
2024-06-04 12:37:58,567 - <DEBUG> - Recording file /nsm/rules/suricata/sid-msg.map with hash '128fb9c76f1e2879cbf614fd23f75610'.
2024-06-04 12:37:58,567 - <DEBUG> - Recording file /nsm/rules/suricata/suricata-5.0-enhanced-open.txt with hash 'd41d8cd98f00b204e9800998ecf8427e'.
2024-06-04 12:37:58,567 - <DEBUG> - Recording file /nsm/rules/suricata/threatview_CS_c2.rules with hash 'ac8f6527dec6fa6e9b7f42bf99ebe4fb'.
2024-06-04 12:37:58,568 - <DEBUG> - Recording file /nsm/rules/suricata/tor.rules with hash 'b520e3e86a90056a4fa87c024d02a234'.
2024-06-04 12:38:01,940 - <INFO> - Writing rule files to directory /nsm/rules/suricata/: total: 49371; enabled: 37555; added: 0; removed 0; modified: 0
2024-06-04 12:38:01,940 - <DEBUG> - Writing /nsm/rules/suricata/3coresec.rules.
2024-06-04 12:38:01,976 - <DEBUG> - Writing /nsm/rules/suricata/BSD-License.txt.
2024-06-04 12:38:01,976 - <DEBUG> - Writing /nsm/rules/suricata/LICENSE.
2024-06-04 12:38:01,976 - <DEBUG> - Writing /nsm/rules/suricata/botcc.portgrouped.rules.
2024-06-04 12:38:02,014 - <DEBUG> - Writing /nsm/rules/suricata/botcc.rules.
2024-06-04 12:38:02,053 - <DEBUG> - Writing /nsm/rules/suricata/ciarmy.rules.
2024-06-04 12:38:02,433 - <DEBUG> - Writing /nsm/rules/suricata/classification.config.
2024-06-04 12:38:02,433 - <DEBUG> - Writing /nsm/rules/suricata/compromised-ips.txt.
2024-06-04 12:38:02,433 - <DEBUG> - Writing /nsm/rules/suricata/compromised.rules.
2024-06-04 12:38:02,449 - <DEBUG> - Writing /nsm/rules/suricata/drop.rules.
2024-06-04 12:38:02,521 - <DEBUG> - Writing /nsm/rules/suricata/dshield.rules.
2024-06-04 12:38:02,522 - <DEBUG> - Writing /nsm/rules/suricata/emerging-activex.rules.
2024-06-04 12:38:02,661 - <DEBUG> - Writing /nsm/rules/suricata/emerging-adware_pup.rules.
2024-06-04 12:38:02,714 - <DEBUG> - Writing /nsm/rules/suricata/emerging-attack_response.rules.
2024-06-04 12:38:02,928 - <DEBUG> - Writing /nsm/rules/suricata/emerging-chat.rules.
2024-06-04 12:38:02,936 - <DEBUG> - Writing /nsm/rules/suricata/emerging-coinminer.rules.
2024-06-04 12:38:02,939 - <DEBUG> - Writing /nsm/rules/suricata/emerging-current_events.rules.
2024-06-04 12:38:02,965 - <DEBUG> - Writing /nsm/rules/suricata/emerging-dns.rules.
2024-06-04 12:38:03,064 - <DEBUG> - Writing /nsm/rules/suricata/emerging-exploit_kit.rules.
2024-06-04 12:38:03,147 - <DEBUG> - Writing /nsm/rules/suricata/emerging-ftp.rules.
2024-06-04 12:38:03,152 - <DEBUG> - Writing /nsm/rules/suricata/emerging-games.rules.
2024-06-04 12:38:03,156 - <DEBUG> - Writing /nsm/rules/suricata/emerging-hunting.rules.
2024-06-04 12:38:03,207 - <DEBUG> - Writing /nsm/rules/suricata/emerging-icmp.rules.
2024-06-04 12:38:03,252 - <DEBUG> - Writing /nsm/rules/suricata/emerging-icmp_info.rules.
2024-06-04 12:38:03,307 - <DEBUG> - Writing /nsm/rules/suricata/emerging-info.rules.
2024-06-04 12:38:04,064 - <DEBUG> - Writing /nsm/rules/suricata/emerging-ja3.rules.
2024-06-04 12:38:04,911 - <DEBUG> - Writing /nsm/rules/suricata/emerging-p2p.rules.
2024-06-04 12:38:04,916 - <DEBUG> - Writing /nsm/rules/suricata/emerging-phishing.rules.
2024-06-04 12:38:05,070 - <DEBUG> - Writing /nsm/rules/suricata/emerging-policy.rules.
2024-06-04 12:38:05,113 - <DEBUG> - Writing /nsm/rules/suricata/emerging-pop3.rules.
2024-06-04 12:38:05,115 - <DEBUG> - Writing /nsm/rules/suricata/emerging-rpc.rules.
2024-06-04 12:38:05,121 - <DEBUG> - Writing /nsm/rules/suricata/emerging-scada.rules.
2024-06-04 12:38:05,126 - <DEBUG> - Writing /nsm/rules/suricata/emerging-scan.rules.
2024-06-04 12:38:05,139 - <DEBUG> - Writing /nsm/rules/suricata/emerging-shellcode.rules.
2024-06-04 12:38:05,145 - <DEBUG> - Writing /nsm/rules/suricata/emerging-smtp.rules.
2024-06-04 12:38:05,147 - <DEBUG> - Writing /nsm/rules/suricata/emerging-snmp.rules.
2024-06-04 12:38:05,149 - <DEBUG> - Writing /nsm/rules/suricata/emerging-sql.rules.
2024-06-04 12:38:05,161 - <DEBUG> - Writing /nsm/rules/suricata/emerging-telnet.rules.
2024-06-04 12:38:05,162 - <DEBUG> - Writing /nsm/rules/suricata/emerging-tftp.rules.
2024-06-04 12:38:05,163 - <DEBUG> - Writing /nsm/rules/suricata/emerging-user_agents.rules.
2024-06-04 12:38:05,176 - <DEBUG> - Writing /nsm/rules/suricata/emerging-voip.rules.
2024-06-04 12:38:05,177 - <DEBUG> - Writing /nsm/rules/suricata/emerging-web_client.rules.
2024-06-04 12:38:05,214 - <DEBUG> - Writing /nsm/rules/suricata/emerging-web_server.rules.
2024-06-04 12:38:05,248 - <DEBUG> - Writing /nsm/rules/suricata/emerging-web_specific_apps.rules.
2024-06-04 12:38:05,509 - <DEBUG> - Writing /nsm/rules/suricata/emerging-worm.rules.
2024-06-04 12:38:05,511 - <DEBUG> - Writing /nsm/rules/suricata/gpl-2.0.txt.
2024-06-04 12:38:05,512 - <DEBUG> - Writing /nsm/rules/suricata/sid-msg.map.
2024-06-04 12:38:05,695 - <DEBUG> - Writing /nsm/rules/suricata/suricata-5.0-enhanced-open.txt.
2024-06-04 12:38:05,695 - <DEBUG> - Writing /nsm/rules/suricata/threatview_CS_c2.rules.
2024-06-04 12:38:05,697 - <DEBUG> - Writing /nsm/rules/suricata/tor.rules.
2024-06-04 12:38:05,950 - <DEBUG> - Recording file /nsm/rules/suricata/emerging-all.rules with hash '3510c2c7e508bab5878df8b44f1acdb9'.
2024-06-04 12:38:09,182 - <INFO> - Writing rules to /nsm/rules/suricata/emerging-all.rules: total: 49371; enabled: 37555; added: 0; removed 0; modified: 0
2024-06-04 12:38:10,697 - <INFO> - Done.
2024-06-04 12:38:11,120 - <INFO> - Loading ./rulecat.conf.
2024-06-04 12:38:11,122 - <INFO> - Fetching http://koen-security-onion-vm:7788/suricata/emerging-all.rules.
 100% - 28199849/28199849                                                                                                                                   2024-06-04 12:38:11,488 - <INFO> - Done.
2024-06-04 12:38:11,496 - <INFO> - Loading local file /opt/so/rules/nids/suri/local.rules
2024-06-04 12:38:14,013 - <INFO> - Loaded 49371 rules.
2024-06-04 12:38:14,024 - <INFO> - Disabled 0 rules.
2024-06-04 12:38:14,024 - <INFO> - Enabled 0 rules.
2024-06-04 12:38:14,024 - <INFO> - Modified 0 rules.
2024-06-04 12:38:14,024 - <INFO> - Dropped 0 rules.
2024-06-04 12:38:14,141 - <INFO> - Enabled 0 rules for flowbit dependencies.
2024-06-04 12:38:17,608 - <INFO> - Writing rules to /opt/so/rules/nids/suri/all.rules: total: 49371; enabled: 37555; added: 0; removed 0; modified: 0
2024-06-04 12:38:18,097 - <INFO> - Done.

[defensivedepth]

@Koen1999 Ok, let's try a different angle.

tail -f /opt/so/log/soc/sensoroni-server.log | grep -i elastalert

And then click a Full Update for Elastalert and post the logs that you see.

Also, what OS are you running?

[defensivedepth]

Ok, so I didnt realize that the Suricata rules didnt import at all. So let's hone in on that import process:

tail -f /opt/so/log/soc/sensoroni-server.log | grep -i suricata

Then do a Full Sync and post the output.

[defensivedepth]

As part of that, also grep the logs for:

grep -i template /opt/so/log/soc/sensoroni-server.log

[Koen1999]

I did not truncate the log file this time, due to it's length, I attached it as a file.
I don't see any logs that could point towards the culprit. Perhaps you can notice the absence of certain logs that may indicate an issue?
log.txt

[Koen1999]

@defensivedepth , I just followed this step linked in the other issue (#13124 (reply in thread)) and found that it helped resolve a failure when calling salt-call state.highstate. I had rollover configured to 1 day, which apparently caused issued for the detections module. After following the steps mentioned there, the issue can be considered resolved for me.

[defensivedepth]

Great to hear!

[Koen1999]

@defensivedepth , do you know how adding local rules should function? After the initial import had succeeded, I added local rules using the + button in the detections menu. With those rules disabled, everything works fine, but once I enable them, I get the rule mismatch, saying that some rules are deployed but not enabled. If I check which rules are enabled under idstools in the configuration menu, I can see that the detections module has added my local rules to the (first empty) list.

[Koen1999]

I tried calling salt state.highstate, and then did a full sync using the detections interface. It did not resolve the issue.

[defensivedepth]

Can you confirm that the new rules are in /opt/so/rules/nids/suri/all.rules ?

[Koen1999]

Yes, I just checked and can confirm that the local rules added through the detections menu are present in /opt/so/rules/nids/suri/all.rules without any leading #.

[defensivedepth]

@Koen1999 On Friday we internally confirmed there is a bug with the Suricata integrity check when adding custom rules and enabling them. We are working on a fix. Functionally it is working as expected (the custom rules are being deployed), but the integrity check is not seeing those rules.

[Koen1999]

@defensivedepth , thanks for the update. I will patiently await the bug fix.