Detections tab Failing

[izidood]

Version

2.4.70

Installation Method

Security Onion ISO image

Description

upgrading

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

100GB

Storage for /nsm

500GB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

My problem is that in the Detections tab i have the following:
ElastAlert: Sync Failed
Strelka: Rule Mismatch
Suricata: Rule Mismatch

The problem accured when i updated from 2.4.60 -> 2.4.70 with soup.
I ran soup twice in hope of it fixing it :P so it doesnt state the errors in there anymore which is annoying.
Really need this to work, as i cant tune or anything anymore, as the grid configuration directs me to the Detections tab which is not working for me sadly.

iv'e tried Differential Update, and Full Update, on each engine, nothing worked.
When i press on the Orange text of each respective error i get directed to the hunt interface.

Suricata:

i go to the ones which says error at log.level and these messages shows 6 times, but dupes. so these messages is the ones.
{"fields":{"engineName":"suricata","error":"integrity check failed; discrepancies found"},"level":"error","timestamp":"2024-06-03T07:24:02.787476465Z","message":"integrity check repeat failure, alerting user"}
{"fields":{"engineName":"suricata","error":"integrity check failed; discrepancies found"},"level":"error","timestamp":"2024-06-03T07:14:01.690675486Z","message":"integrity check first failure, running force sync"}

Strelka:

i go to the ones which says error at log.level again and these messages shows 12 times, but dupes. so these messages is the ones.
{"fields":{"detectionEngine":"strelka","error":"failed to read compilation report: open /opt/so/state/detections_yara_compilation-total.log: no such file or directory","intCheckId":"8868c2c9-8853-4a23-979c-bbc23c3d933a"},"level":"error","timestamp":"2024-06-03T07:37:22.570976004Z","message":"unable to get compilation report"}
{"fields":{"engineName":"strelka","error":"integrity check failed; discrepancies found"},"level":"error","timestamp":"2024-06-03T07:37:22.571039893Z","message":"integrity check repeat failure, alerting user"}

I would have uploaded some logs from /opt/so/log/suricata but for some reason its completely empty.
And iv'e checked the documentation about the rule mismatch which says:
Rule Mismatch: An integrity check process detected a mismatch between the deployed rules and the enabled rules. The SOC log will note the specific mismatched rules. One way that this can happen is if you had previously added custom rules to /opt/so/saltstack/local/salt/idstools/rules/local.rules. If this is the case, you can remove the rules from that file and then re-add them using the Detections interface.

But i have nothing in the file which is described in the documentation.
Im not sure what else needs to be log wise.

I hope someone is able to help me based on the information iv'e provided.
i upload a file filtered from (integrity check report)
[{fields{deployedButNotEnabled20134.txt

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[Koen1999]

Can you run this query and check the contents of the message field for more details?

tags:so-soc AND suricata AND event.action:"integrity check report" | groupby log.level | groupby event.action | groupby soc.fields.error

This looks a lot like the issue I also aimed at describing in #13112

[izidood]

Thats a lot of text, ill have to upload a txt with that.
[{fields{deployedButNotEnabled20134.txt

[Koen1999]

It looks like the same issue to me. ETOPEN rules are recognized by the detection module as deployedButNotEnabled.

[izidood]

yea, i have no idea what else to do tbh, and it seems theres not a lot of people with the issue yet.
I hope someone has a solution to this, im kinda stuck at this point.

[Koen1999]

If I find a solution, I will for sure let you know.

[defensivedepth]

@GitGoodGod Do you have any kind of custom configurations or changes in place?

[izidood]

No custom suricata rules, did have back in 2.3, but made a complete wipe and started fresh with 2.4.

[defensivedepth]

Please run sudo so-rule-update from the Manager. Post the final output here, should look like this:

2024-06-03 21:06:08,741 - <INFO> - Writing rules to /nsm/rules/suricata/emerging-all.rules: total: 49331; enabled: 37515; added: 0; removed 0; modified: 0
2024-06-03 21:06:09,498 - <INFO> - Done.
2024-06-03 21:06:10,228 - <INFO> - Loading ./rulecat.conf.
2024-06-03 21:06:10,282 - <INFO> - Fetching http://hostname:7788/suricata/emerging-all.rules.
 100% - 28174180/28174180             
2024-06-03 21:06:10,832 - <INFO> - Done.
2024-06-03 21:06:10,863 - <INFO> - Loading local file /opt/so/rules/nids/suri/local.rules
2024-06-03 21:06:16,712 - <INFO> - Loaded 49331 rules.
2024-06-03 21:07:23,805 - <INFO> - Disabled 16 rules.
2024-06-03 21:07:23,805 - <INFO> - Enabled 0 rules.
2024-06-03 21:07:23,805 - <INFO> - Modified 519 rules.
2024-06-03 21:07:23,806 - <INFO> - Dropped 0 rules.
2024-06-03 21:07:24,073 - <INFO> - Enabled 0 rules for flowbit dependencies.
2024-06-03 21:07:31,530 - <INFO> - Writing rules to /opt/so/rules/nids/suri/all.rules: total: 49331; enabled: 37499; added: 0; removed 0; modified: 0

[izidood]

Looks like this:

2024-06-04 05:19:39,685 - <INFO> - Done.
2024-06-04 05:19:39,964 - <INFO> - Loading ./rulecat.conf.
2024-06-04 05:19:39,966 - <INFO> - Fetching http://so-manager-v01:7788/suricata/emerging-all.rules.
 100% - 28199849/28199849
2024-06-04 05:19:40,092 - <INFO> - Done.
2024-06-04 05:19:40,098 - <INFO> - Loading local file /opt/so/rules/nids/suri/local.rules
2024-06-04 05:19:42,339 - <INFO> - Loaded 49371 rules.
2024-06-04 05:19:44,834 - <INFO> - Disabled 60 rules.
2024-06-04 05:19:44,834 - <INFO> - Enabled 0 rules.
2024-06-04 05:19:44,834 - <INFO> - Modified 0 rules.
2024-06-04 05:19:44,834 - <INFO> - Dropped 0 rules.
2024-06-04 05:19:44,930 - <INFO> - Enabled 0 rules for flowbit dependencies.
2024-06-04 05:19:47,653 - <INFO> - Writing rules to /opt/so/rules/nids/suri/all.rules: total: 49371; enabled: 37495; added: 42; removed 2; modified: 1084
2024-06-04 05:19:47,936 - <INFO> - Done.```

[defensivedepth]

Still trying to replicate this internally.

Can you post a sanitized copy of this?

Address-groups variables for all our networks (custom configuration in YAML) lands in suricata.yaml

Enable Show all configurable settings, including advanced settings.

    -> suricata

        -> advanced
```

[izidood]

so the file is very long and would take forever to sanitize it, so i just cut it short.

suricata:
  config:
    vars:
      address-groups:
        Word_Word_Word_Word_Word: 
          - xx.x.x.x/x
       Word_Word_Word_Word: 
          - x.x.x.x/x
        Word_Word_Word_Word_Word_Word_Word_Word: 
          - xx.x.x.x/xx
        Word_Word_Word_Word_Word_Word: 
          - x.x.x.x/xx

This has never been an issue btw.
Also i tried to remove it, force sync but still got the errors.

[defensivedepth]

Ok, let's try a different approach:

tail -f /opt/so/log/soc/sensoroni-server.log | grep -i elastalert

And then click a Full Update for Elastalert and post the logs that you see.

[defensivedepth]

I dont see a salt error?

[izidood]

The ID: so-elasticsearch-templates, is failed.
i just only posted the part that gave the "failed" from the salt call.

[defensivedepth]

So that is the root issue. The elasticsearch templates are not being updated, which means, the new Detections template is not being loaded, which means Detections cant be imported.

Please post more context around the error. It should show you under changes what the error was.

[izidood]

i can give the whole salt-call process ? not sure what else to give. this issue only occured of an Soup from 2.4.60 -> 2.4.70.

[izidood]

so what i see, this is the error i guess:
{"error":{"root_cause":[{"type":"x_content_parse_exception","reason":"[1:547] [index_template] unknown field [phases]"}],"type":"x_content_parse_exception","reason":"[1:547] [index_template] unknown field [phases]"},"status":400}

so something is up with the "phases" somewhere ?

this is the so-case-template.json file

{
 "composed_of": [
  "case-mappings",
  "case-settings"
 ],
 "index_patterns": [
  "so-case*"
 ],
 "priority": 500,
 "template": {
  "mappings": {
   "date_detection": false,
   "dynamic_templates": [
    {
     "strings_as_keyword": {
      "mapping": {
       "ignore_above": 1024,
       "type": "keyword"
      },
      "match_mapping_type": "string"
     }
    }
   ]
  },
  "settings": {
   "index": {
    "mapping": {
     "total_fields": {
      "limit": 1500
     }
    },
    "number_of_replicas": 0,
    "number_of_shards": 1,
    "refresh_interval": "30s"
   }
  }
 },
 "phases": {
  "delete": {
   "min_age": 90
  }
 }
}

is it fine ?

[m0duspwnens]

Can you post the contents of /opt/so/saltstack/local/pillar/elasticsearch/soc_elasticsearch.sls?

[izidood]

Everything goes through fine it seems like, i do not get errors: but this might be the problem:
{"fields":{"deployedButNotEnabled":[],"detectionEngine":"suricata","enabledButNotDeployed":[],"intCheckId":"7c7e30ef-1ddd-465e-b101-055f1f58575d"},"level":"info","timestamp":"2024-06-19T06:27:20.284938045Z","message":"integrity check report"}

can this be and integrity check report bug or something, i cant really find any reasons why it would fail otherwise. because the checks goes through as "integrity check passed"

[defensivedepth]

I dont see any issue with that integrity check report - it is not reporting any errors.

So are you all green at this point?

[izidood]

No, I'm only Green in ElastAlert and Strelka. Suricata says Migration Failed. and I can't seem to find the issue, I've tried to look into different discussions on here as well, and I have absolutely no clue why it says it. as you say, it should be showing Green, as it gives no errors what so ever.

[izidood]

v.2.4.80 soup fixed the suricata migration failed problem it seems like. :D

[ips972]

Hi Everyone, I'm running a distributed Cluster version 2.4.100 - upgraded and updates.
1 - manager
1 - reciever
7 - elastic nodes.
1 - sensor - monitoring the north/south connection to the datacenter (10Gbps)

I'm getting a rule missmatch for suricata - and for the love of god can't find the logs that point me to the cause.
these are the logs from : tail -f /opt/so/log/soc/sensoroni-server.log | grep -i suricata

ElastAlert: OK
Strelka: OK
Suricata: Rule Mismatch

024-09-23T06:56:40.043586923Z","message":"Handled request"}
{"fields":{"detectionEngine":"suricata","forceSync":false,"syncId":"38bc7ebd-8db9-4612-80ad-b63d1b45eb7d"},"level":"info","timestamp":"2024-09-23T06:56:40.043759221Z","message":"starting sync"}
{"fields":{"detectionEngine":"suricata","syncId":"38bc7ebd-8db9-4612-80ad-b63d1b45eb7d","targetFile":"/opt/sensoroni/ai_summary_repos/securityonion-resources/detections-ai/suricata_summaries.yaml"},"level":"info","timestamp":"2024-09-23T06:56:40.4911313Z","message":"reading AI summaries"}
{"fields":{"detectionEngine":"suricata","syncId":"38bc7ebd-8db9-4612-80ad-b63d1b45eb7d"},"level":"info","timestamp":"2024-09-23T06:56:54.942719128Z","message":"successfully unmarshalled AI summaries, parsing..."}
{"fields":{"aiSummaryCount":54330,"detectionEngine":"suricata","syncId":"38bc7ebd-8db9-4612-80ad-b63d1b45eb7d"},"level":"info","timestamp":"2024-09-23T06:56:54.948251939Z","message":"successfully parsed AI summaries"}
{"fields":{"aiSummaryCount":54330,"detectionEngine":"suricata"},"level":"info","timestamp":"2024-09-23T06:56:54.978797045Z","message":"loaded AI summaries"}
{"fields":{"detectionEngine":"suricata","syncId":"38bc7ebd-8db9-4612-80ad-b63d1b45eb7d"},"level":"info","timestamp":"2024-09-23T06:56:54.983958298Z","message":"successfully loaded AI summaries"}
{"fields":{"detectionEngine":"suricata","syncId":"38bc7ebd-8db9-4612-80ad-b63d1b45eb7d"},"level":"info","timestamp":"2024-09-23T06:56:54.98403932Z","message":"successfully refreshed AI summaries"}
{"fields":{"detectionEngine":"suricata","syncId":"38bc7ebd-8db9-4612-80ad-b63d1b45eb7d"},"level":"info","timestamp":"2024-09-23T06:56:55.081403269Z","message":"community rule sync found no changes"}
{"fields":{"requestId":null,"scrollQuery":"{"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"","query":"_index: \":so-detection\" AND so_kind: \"detection\" AND so_detection.engine: \"suricata\" AND so_detection.isEnabled: \"true\""}}],"must_not":[],"should":[]}},"size":10000}"},"level":"info","timestamp":"2024-09-23T06:56:56.792058906Z","message":"scrolling Elasticsearch"}
{"fields":{"deployedButNotEnabled":["4536871","4282541","4943361","6510551","4262021","4578181","4521181","6808582","5857331","5219772","5979891","6015201","6602311","4276731","6015662","4109812","4584072","4324651","5211741","6004281"],"deployedButNotEnabledCount":125488,"detectionEngine":"suricata","enabledButNotDeployed":[],"enabledButNotDeployedCount":0,"intCheckId":"f8324869-7b5d-475d-92e0-8e8d5adcc2f6","syncId":"38bc7ebd-8db9-4612-80ad-b63d1b45eb7d"},"level":"warn","timestamp":"2024-09-23T06:56:58.193359639Z","message":"integrity check failed"}
{"fields":{"detectionEngine":"suricata","error":"integrity check failed; discrepancies found","syncId":"38bc7ebd-8db9-4612-80ad-b63d1b45eb7d"},"level":"error","timestamp":"2024-09-23T06:56:58.193426747Z","message":"post-sync integrity check failed"}
{"fields":{"detectionEngine":"suricata","syncDuration":18.149675256,"syncId":"38bc7ebd-8db9-4612-80ad-b63d1b45eb7d"},"level":"info","timestamp":"2024-09-23T06:56:58.193434173Z","message":"sync completed"}
{"fields":{"detectionEngine":"suricata","syncId":"38bc7ebd-8db9-4612-80ad-b63d1b45eb7d"},"level":"info","timestamp":"2024-09-23T06:56:58.193440168Z","message":"sync successful"}
{"fields":{"detectionEngine":"suricata","expectedStartTime":"2024-09-24T06:56:58Z","forceSync":false,"lastSyncSuccess":"true","waitTimeSeconds":86400},"level":"info","timestamp":"2024-09-23T06:56:58.193473083Z","message":"waiting for next community rules sync"}
{"fields":{"requestId":null,"scrollQuery":"{"query":{"bool":{"filter":[],"must":[{"query_string":{"analyze_wildcard":true,"default_field":"","query":"_index: \":so-detection\" AND so_kind: \"detection\" AND so_detection.engine: \"suricata\" AND so_detection.isEnabled: \"true\""}}],"must_not":[],"should":[]}},"size":10000}"},"level":"info","timestamp":"2024-09-23T07:02:25.54653621Z","message":"scrolling Elasticsearch"}
{"fields":{"deployedButNotEnabled":["4634061","6754131","6753601","6506421","5775702","4565801","5832791","6779861","6527881","4286381","6064412","5298551","6515301","4792291","4288401","5636042","5788451","6689591","4619712","4244511"],"deployedButNotEnabledCount":125488,"detectionEngine":"suricata","enabledButNotDeployed":[],"enabledButNotDeployedCount":0,"intCheckId":"66ae17cb-12bd-4839-9752-2cdfdf00e22e"},"level":"warn","timestamp":"2024-09-23T07:02:26.685413464Z","message":"integrity check failed"}
{"fields":{"detectionEngine":"suricata","error":"integrity check failed; discrepancies found"},"level":"error","timestamp":"2024-09-23T07:02:26.685488595Z","message":"integrity check repeat failure, alerting user"}

this is the output for the so-rule-update that seems to complete successfuly:
2024-09-23 06:55:37,977 - - This is idstools-rulecat version 0.6.5; Python: 3.12.5 (main, Aug 13 2024, 01:30:38) [GCC 12.2.0]
2024-09-23 06:55:37,978 - - Forcing Suricata version to 7.0.3.
2024-09-23 06:55:37,978 - - Fetching https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz.
100% - 4475670/4475670
2024-09-23 06:55:40,846 - - Done.
2024-09-23 06:55:40,927 - - Ignoring file rules/emerging-deleted.rules
2024-09-23 06:55:40,927 - - Parsing rules/3coresec.rules.
2024-09-23 06:55:40,928 - - Parsing rules/botcc.portgrouped.rules.
2024-09-23 06:55:40,928 - - Parsing rules/botcc.rules.
2024-09-23 06:55:40,929 - - Parsing rules/ciarmy.rules.
2024-09-23 06:55:40,931 - - Parsing rules/compromised.rules.
2024-09-23 06:55:40,932 - - Parsing rules/drop.rules.
2024-09-23 06:55:40,933 - - Parsing rules/dshield.rules.
2024-09-23 06:55:40,934 - - Parsing rules/emerging-activex.rules.
2024-09-23 06:55:40,951 - - Parsing rules/emerging-adware_pup.rules.
2024-09-23 06:55:40,990 - - Parsing rules/emerging-attack_response.rules.
2024-09-23 06:55:41,014 - - Parsing rules/emerging-chat.rules.
2024-09-23 06:55:41,017 - - Parsing rules/emerging-coinminer.rules.
2024-09-23 06:55:41,018 - - Parsing rules/emerging-current_events.rules.
2024-09-23 06:55:41,024 - - Parsing rules/emerging-dns.rules.
2024-09-23 06:55:41,026 - - Parsing rules/emerging-dos.rules.
2024-09-23 06:55:41,030 - - Parsing rules/emerging-dyn_dns.rules.
2024-09-23 06:55:41,138 - - Parsing rules/emerging-exploit.rules.
2024-09-23 06:55:41,194 - - Parsing rules/emerging-exploit_kit.rules.
2024-09-23 06:55:41,274 - - Parsing rules/emerging-file_sharing.rules.
2024-09-23 06:55:41,279 - - Parsing rules/emerging-ftp.rules.
2024-09-23 06:55:41,282 - - Parsing rules/emerging-games.rules.
2024-09-23 06:55:41,284 - - Parsing rules/emerging-hunting.rules.
2024-09-23 06:55:41,315 - - Parsing rules/emerging-icmp.rules.
2024-09-23 06:55:41,317 - - Parsing rules/emerging-imap.rules.
2024-09-23 06:55:41,318 - - Parsing rules/emerging-inappropriate.rules.
2024-09-23 06:55:41,318 - - Parsing rules/emerging-info.rules.
2024-09-23 06:55:41,445 - - Parsing rules/emerging-ja3.rules.
2024-09-23 06:55:41,447 - - Parsing rules/emerging-malware.rules.
2024-09-23 06:55:42,139 - - Parsing rules/emerging-misc.rules.
2024-09-23 06:55:42,140 - - Parsing rules/emerging-mobile_malware.rules.
2024-09-23 06:55:42,173 - - Parsing rules/emerging-netbios.rules.
2024-09-23 06:55:42,192 - - Parsing rules/emerging-p2p.rules.
2024-09-23 06:55:42,195 - - Parsing rules/emerging-phishing.rules.
2024-09-23 06:55:42,296 - - Parsing rules/emerging-pop3.rules.
2024-09-23 06:55:42,297 - - Parsing rules/emerging-remote_access.rules.
2024-09-23 06:55:42,298 - - Parsing rules/emerging-retired.rules.
2024-09-23 06:55:42,302 - - Parsing rules/emerging-rpc.rules.
2024-09-23 06:55:42,305 - - Parsing rules/emerging-scada.rules.
2024-09-23 06:55:42,308 - - Parsing rules/emerging-scan.rules.
2024-09-23 06:55:42,316 - - Parsing rules/emerging-shellcode.rules.
2024-09-23 06:55:42,320 - - Parsing rules/emerging-smtp.rules.
2024-09-23 06:55:42,321 - - Parsing rules/emerging-snmp.rules.
2024-09-23 06:55:42,322 - - Parsing rules/emerging-sql.rules.
2024-09-23 06:55:42,329 - - Parsing rules/emerging-ta_abused_services.rules.
2024-09-23 06:55:42,331 - - Parsing rules/emerging-telnet.rules.
2024-09-23 06:55:42,332 - - Parsing rules/emerging-tftp.rules.
2024-09-23 06:55:42,332 - - Parsing rules/emerging-user_agents.rules.
2024-09-23 06:55:42,451 - - Parsing rules/emerging-voip.rules.
2024-09-23 06:55:42,452 - - Parsing rules/emerging-web_client.rules.
2024-09-23 06:55:42,474 - - Parsing rules/emerging-web_server.rules.
2024-09-23 06:55:42,495 - - Parsing rules/emerging-web_specific_apps.rules.
2024-09-23 06:55:42,677 - - Parsing rules/emerging-worm.rules.
2024-09-23 06:55:42,678 - - Parsing rules/threatview_CS_c2.rules.
2024-09-23 06:55:42,678 - - Parsing rules/tor.rules.
2024-09-23 06:55:42,746 - - Loaded 52348 rules.
2024-09-23 06:55:42,766 - - Disabled 0 rules.
2024-09-23 06:55:42,766 - - Enabled 0 rules.
2024-09-23 06:55:42,766 - - Modified 0 rules.
2024-09-23 06:55:42,766 - - Dropped 0 rules.
2024-09-23 06:55:42,800 - - Found 329 required flowbits.
2024-09-23 06:55:42,827 - - Found 136 rules to enable to for flowbit requirements
2024-09-23 06:55:42,858 - - Found 330 required flowbits.
2024-09-23 06:55:42,886 - - Found 0 rules to enable to for flowbit requirements
2024-09-23 06:55:42,886 - - All required rules enabled.
2024-09-23 06:55:42,886 - - Enabled 136 rules for flowbit dependencies.
2024-09-23 06:55:42,886 - - Recording file /nsm/rules/suricata/3coresec.rules with hash 'a05b7619077357d520010ad9fecdd650'.
2024-09-23 06:55:42,886 - - Recording file /nsm/rules/suricata/BSD-License.txt with hash '8328ca9169c49745ab723da8bd612243'.
2024-09-23 06:55:42,886 - - Recording file /nsm/rules/suricata/LICENSE with hash 'ed7a97b04a5e5d7265206fc245fe74ae'.
2024-09-23 06:55:42,886 - - Recording file /nsm/rules/suricata/botcc.portgrouped.rules with hash '1c81eda95af6c8b68c46dde18b87920b'.
2024-09-23 06:55:42,886 - - Recording file /nsm/rules/suricata/botcc.rules with hash '2023cb81cc38a6b6f01e2c1830be3865'.
2024-09-23 06:55:42,886 - - Recording file /nsm/rules/suricata/ciarmy.rules with hash '10d196be7ba9d63538982f24b5d0fb0d'.
2024-09-23 06:55:42,886 - - Recording file /nsm/rules/suricata/classification.config with hash 'c7238be9808d59c028867b29038bf86b'.
2024-09-23 06:55:42,886 - - Recording file /nsm/rules/suricata/compromised-ips.txt with hash '8005ab7d811325934aa32ae9151ef8a1'.
2024-09-23 06:55:42,887 - - Recording file /nsm/rules/suricata/compromised.rules with hash '552e266b623500152cf07a674e26d96c'.
2024-09-23 06:55:42,887 - - Recording file /nsm/rules/suricata/drop.rules with hash 'a1c14538df403508e415cd5519281e58'.
2024-09-23 06:55:42,887 - - Recording file /nsm/rules/suricata/dshield.rules with hash '03e084b66cb49b8e16b95e887d39e900'.
2024-09-23 06:55:42,887 - - Recording file /nsm/rules/suricata/emerging-activex.rules with hash '434ad920a5ac08bae0f5472b07b3eda3'.
2024-09-23 06:55:42,888 - - Recording file /nsm/rules/suricata/emerging-adware_pup.rules with hash 'df74b0ccba27484e35efe5dc99dbbeb4'.
2024-09-23 06:55:42,889 - - Recording file /nsm/rules/suricata/emerging-attack_response.rules with hash '3dc195af3dc19d7b812a658c206eb6e0'.
2024-09-23 06:55:42,889 - - Recording file /nsm/rules/suricata/emerging-chat.rules with hash '789e4afbe34ddfb60fd4d9c601de88ba'.
2024-09-23 06:55:42,889 - - Recording file /nsm/rules/suricata/emerging-coinminer.rules with hash '646c3db0055c6c9511d319a24ffd80c1'.
2024-09-23 06:55:42,889 - - Recording file /nsm/rules/suricata/emerging-current_events.rules with hash '4c6ea3da418ff3d2e7e51136d1f74fb9'.
2024-09-23 06:55:42,889 - - Recording file /nsm/rules/suricata/emerging-dns.rules with hash '5c965e1c5a25b51d51e6a683d9f6f8bb'.
2024-09-23 06:55:42,890 - - Recording file /nsm/rules/suricata/emerging-dos.rules with hash '6f6cf69fec1f08f53c3749f2d5c59e3c'.
2024-09-23 06:55:42,893 - - Recording file /nsm/rules/suricata/emerging-dyn_dns.rules with hash 'f840548858c54b7f08703b2efb22533b'.
2024-09-23 06:55:42,895 - - Recording file /nsm/rules/suricata/emerging-exploit.rules with hash '64e2d9421e1641b6df549d72ee790de3'.
2024-09-23 06:55:42,897 - - Recording file /nsm/rules/suricata/emerging-exploit_kit.rules with hash 'cef4dd5187aef786eb7fd8029b592675'.
2024-09-23 06:55:42,897 - - Recording file /nsm/rules/suricata/emerging-file_sharing.rules with hash '15ffe8faa061a95c41d4cf47ebaa93bf'.
2024-09-23 06:55:42,897 - - Recording file /nsm/rules/suricata/emerging-ftp.rules with hash 'ec9609222cd64bcdc789a9387918f758'.
2024-09-23 06:55:42,897 - - Recording file /nsm/rules/suricata/emerging-games.rules with hash '92d8f41223b1c12ae2ad8432e8900776'.
2024-09-23 06:55:42,898 - - Recording file /nsm/rules/suricata/emerging-hunting.rules with hash '8f92e0df00e1eb3b927cfaa8da577f65'.
2024-09-23 06:55:42,898 - - Recording file /nsm/rules/suricata/emerging-icmp.rules with hash 'a1624728a16ce06fbe99ded063a029ca'.
2024-09-23 06:55:42,898 - - Recording file /nsm/rules/suricata/emerging-imap.rules with hash '6a22d4f261072526dad1691c1982031e'.
2024-09-23 06:55:42,898 - - Recording file /nsm/rules/suricata/emerging-inappropriate.rules with hash '25c5758f4d33dcbc3a56ec6ee1f653f5'.
2024-09-23 06:55:42,901 - - Recording file /nsm/rules/suricata/emerging-info.rules with hash 'e01e58d99b81bb40f53653bc54e7bf16'.
2024-09-23 06:55:42,901 - - Recording file /nsm/rules/suricata/emerging-ja3.rules with hash '073c0f79cd1518da31b522280b0e8183'.
2024-09-23 06:55:42,919 - - Recording file /nsm/rules/suricata/emerging-malware.rules with hash 'a80069351397734247955ba395623ee9'.
2024-09-23 06:55:42,919 - - Recording file /nsm/rules/suricata/emerging-misc.rules with hash '6e3d9d49f0d18a8fcb3f6d7d23ecef2a'.
2024-09-23 06:55:42,920 - - Recording file /nsm/rules/suricata/emerging-mobile_malware.rules with hash '8b361356e8da686f9dfa01f8556bdca6'.
2024-09-23 06:55:42,920 - - Recording file /nsm/rules/suricata/emerging-netbios.rules with hash 'ee304b12cb0758428cfcfb49f3605133'.
2024-09-23 06:55:42,920 - - Recording file /nsm/rules/suricata/emerging-p2p.rules with hash 'cdc758eb6b68d3719b0269abd2b8090b'.
2024-09-23 06:55:42,923 - - Recording file /nsm/rules/suricata/emerging-phishing.rules with hash '47e52bd3f05a906b0e7719b938682531'.
2024-09-23 06:55:42,923 - - Recording file /nsm/rules/suricata/emerging-pop3.rules with hash '52ddb6190b0b0ef8a45dcdb9852dd61f'.
2024-09-23 06:55:42,923 - - Recording file /nsm/rules/suricata/emerging-remote_access.rules with hash 'ad0dddbf2640b23ff5679673fb3f0638'.
2024-09-23 06:55:42,924 - - Recording file /nsm/rules/suricata/emerging-retired.rules with hash '0836ecfd53c8f7f52a6109e3fd9abc78'.
2024-09-23 06:55:42,924 - - Recording file /nsm/rules/suricata/emerging-rpc.rules with hash 'b236cba36618352502b026930acc2dcc'.
2024-09-23 06:55:42,924 - - Recording file /nsm/rules/suricata/emerging-scada.rules with hash '2eccd87363c3042303081419b532d000'.
2024-09-23 06:55:42,924 - - Recording file /nsm/rules/suricata/emerging-scan.rules with hash '26ec9b1e19e67b75928848d20db6ae53'.
2024-09-23 06:55:42,924 - - Recording file /nsm/rules/suricata/emerging-shellcode.rules with hash '85c7cb7b35e3d1c774a07bca898cc5c6'.
2024-09-23 06:55:42,924 - - Recording file /nsm/rules/suricata/emerging-smtp.rules with hash 'a9ee895cb8aecc491ffd973ae92d4a56'.
2024-09-23 06:55:42,924 - - Recording file /nsm/rules/suricata/emerging-snmp.rules with hash '05f35806cf25a65192c853cd7999d4ef'.
2024-09-23 06:55:42,925 - - Recording file /nsm/rules/suricata/emerging-sql.rules with hash '204a5a5edba891ba39dd6cc1a7e66613'.
2024-09-23 06:55:42,925 - - Recording file /nsm/rules/suricata/emerging-ta_abused_services.rules with hash 'c88219efcff0cb2d4a32a0837541a4e7'.
2024-09-23 06:55:42,925 - - Recording file /nsm/rules/suricata/emerging-telnet.rules with hash '6182fd86e7450973845c705c580f42e4'.
2024-09-23 06:55:42,925 - - Recording file /nsm/rules/suricata/emerging-tftp.rules with hash 'a913e915da083ef5b9bc01fe0fc8c6a2'.
2024-09-23 06:55:42,925 - - Recording file /nsm/rules/suricata/emerging-user_agents.rules with hash 'a22e87771d16ca30d3ef25cad30d0a10'.
2024-09-23 06:55:42,925 - - Recording file /nsm/rules/suricata/emerging-voip.rules with hash 'c816aabf741df36311880e3141162332'.
2024-09-23 06:55:42,926 - - Recording file /nsm/rules/suricata/emerging-web_client.rules with hash 'd1e5ca690a13aca7c0711e3e08bbb2b7'.
2024-09-23 06:55:42,926 - - Recording file /nsm/rules/suricata/emerging-web_server.rules with hash 'd38dd7a98b854c744167650989a4a024'.
2024-09-23 06:55:42,933 - - Recording file /nsm/rules/suricata/emerging-web_specific_apps.rules with hash 'd9047b8bd3f6f756dbda891dca6544b1'.
2024-09-23 06:55:42,933 - - Recording file /nsm/rules/suricata/emerging-worm.rules with hash 'a3078a831b32c2923933163232d4270e'.
2024-09-23 06:55:42,933 - - Recording file /nsm/rules/suricata/gpl-2.0.txt with hash 'b234ee4d69f5fce4486a80fdaf4a4263'.
2024-09-23 06:55:42,944 - - Recording file /nsm/rules/suricata/sid-msg.map with hash '20d44e67eee05aa0d663e3d07165bdd1'.
2024-09-23 06:55:42,944 - - Recording file /nsm/rules/suricata/suricata-7.0.3-enhanced-open.txt with hash 'd41d8cd98f00b204e9800998ecf8427e'.
2024-09-23 06:55:42,944 - - Recording file /nsm/rules/suricata/threatview_CS_c2.rules with hash '49d09ca49ac70fed2e79557bc4142efc'.
2024-09-23 06:55:42,945 - - Recording file /nsm/rules/suricata/tor.rules with hash 'c7f6388548fb29e0a421a89e5d6026e5'.
2024-09-23 06:55:45,202 - - Writing rule files to directory /nsm/rules/suricata/: total: 52348; enabled: 39460; added: 0; removed 0; modified: 0
2024-09-23 06:55:45,203 - - Writing /nsm/rules/suricata/3coresec.rules.
2024-09-23 06:55:45,203 - - Writing /nsm/rules/suricata/BSD-License.txt.
2024-09-23 06:55:45,203 - - Writing /nsm/rules/suricata/LICENSE.
2024-09-23 06:55:45,203 - - Writing /nsm/rules/suricata/botcc.portgrouped.rules.
2024-09-23 06:55:45,204 - - Writing /nsm/rules/suricata/botcc.rules.
2024-09-23 06:55:45,204 - - Writing /nsm/rules/suricata/ciarmy.rules.
2024-09-23 06:55:45,206 - - Writing /nsm/rules/suricata/classification.config.
2024-09-23 06:55:45,207 - - Writing /nsm/rules/suricata/compromised-ips.txt.
2024-09-23 06:55:45,207 - - Writing /nsm/rules/suricata/compromised.rules.
2024-09-23 06:55:45,207 - - Writing /nsm/rules/suricata/drop.rules.
2024-09-23 06:55:45,209 - - Writing /nsm/rules/suricata/dshield.rules.
2024-09-23 06:55:45,209 - - Writing /nsm/rules/suricata/emerging-activex.rules.
2024-09-23 06:55:45,222 - - Writing /nsm/rules/suricata/emerging-adware_pup.rules.
2024-09-23 06:55:45,249 - - Writing /nsm/rules/suricata/emerging-attack_response.rules.
2024-09-23 06:55:45,269 - - Writing /nsm/rules/suricata/emerging-chat.rules.
2024-09-23 06:55:45,271 - - Writing /nsm/rules/suricata/emerging-coinminer.rules.
2024-09-23 06:55:45,272 - - Writing /nsm/rules/suricata/emerging-current_events.rules.
2024-09-23 06:55:45,277 - - Writing /nsm/rules/suricata/emerging-dns.rules.
2024-09-23 06:55:45,278 - - Writing /nsm/rules/suricata/emerging-dos.rules.
2024-09-23 06:55:45,281 - - Writing /nsm/rules/suricata/emerging-dyn_dns.rules.
2024-09-23 06:55:45,359 - - Writing /nsm/rules/suricata/emerging-exploit.rules.
2024-09-23 06:55:45,405 - - Writing /nsm/rules/suricata/emerging-exploit_kit.rules.
2024-09-23 06:55:45,457 - - Writing /nsm/rules/suricata/emerging-file_sharing.rules.
2024-09-23 06:55:45,461 - - Writing /nsm/rules/suricata/emerging-ftp.rules.
2024-09-23 06:55:45,463 - - Writing /nsm/rules/suricata/emerging-games.rules.
2024-09-23 06:55:45,466 - - Writing /nsm/rules/suricata/emerging-hunting.rules.
2024-09-23 06:55:45,491 - - Writing /nsm/rules/suricata/emerging-icmp.rules.
2024-09-23 06:55:45,493 - - Writing /nsm/rules/suricata/emerging-imap.rules.
2024-09-23 06:55:45,494 - - Writing /nsm/rules/suricata/emerging-inappropriate.rules.
2024-09-23 06:55:45,494 - - Writing /nsm/rules/suricata/emerging-info.rules.
2024-09-23 06:55:45,572 - - Writing /nsm/rules/suricata/emerging-ja3.rules.
2024-09-23 06:55:45,574 - - Writing /nsm/rules/suricata/emerging-malware.rules.
2024-09-23 06:55:45,993 - - Writing /nsm/rules/suricata/emerging-misc.rules.
2024-09-23 06:55:45,996 - - Writing /nsm/rules/suricata/emerging-mobile_malware.rules.
2024-09-23 06:55:46,023 - - Writing /nsm/rules/suricata/emerging-netbios.rules.
2024-09-23 06:55:46,040 - - Writing /nsm/rules/suricata/emerging-p2p.rules.
2024-09-23 06:55:46,042 - - Writing /nsm/rules/suricata/emerging-phishing.rules.
2024-09-23 06:55:46,126 - - Writing /nsm/rules/suricata/emerging-pop3.rules.
2024-09-23 06:55:46,127 - - Writing /nsm/rules/suricata/emerging-remote_access.rules.
2024-09-23 06:55:46,128 - - Writing /nsm/rules/suricata/emerging-retired.rules.
2024-09-23 06:55:46,131 - - Writing /nsm/rules/suricata/emerging-rpc.rules.
2024-09-23 06:55:46,135 - - Writing /nsm/rules/suricata/emerging-scada.rules.
2024-09-23 06:55:46,137 - - Writing /nsm/rules/suricata/emerging-scan.rules.
2024-09-23 06:55:46,144 - - Writing /nsm/rules/suricata/emerging-shellcode.rules.
2024-09-23 06:55:46,148 - - Writing /nsm/rules/suricata/emerging-smtp.rules.
2024-09-23 06:55:46,149 - - Writing /nsm/rules/suricata/emerging-snmp.rules.
2024-09-23 06:55:46,150 - - Writing /nsm/rules/suricata/emerging-sql.rules.
2024-09-23 06:55:46,156 - - Writing /nsm/rules/suricata/emerging-ta_abused_services.rules.
2024-09-23 06:55:46,158 - - Writing /nsm/rules/suricata/emerging-telnet.rules.
2024-09-23 06:55:46,159 - - Writing /nsm/rules/suricata/emerging-tftp.rules.
2024-09-23 06:55:46,159 - - Writing /nsm/rules/suricata/emerging-user_agents.rules.
2024-09-23 06:55:46,166 - - Writing /nsm/rules/suricata/emerging-voip.rules.
2024-09-23 06:55:46,167 - - Writing /nsm/rules/suricata/emerging-web_client.rules.
2024-09-23 06:55:46,186 - - Writing /nsm/rules/suricata/emerging-web_server.rules.
2024-09-23 06:55:46,204 - - Writing /nsm/rules/suricata/emerging-web_specific_apps.rules.
2024-09-23 06:55:46,354 - - Writing /nsm/rules/suricata/emerging-worm.rules.
2024-09-23 06:55:46,355 - - Writing /nsm/rules/suricata/gpl-2.0.txt.
2024-09-23 06:55:46,355 - - Writing /nsm/rules/suricata/sid-msg.map.
2024-09-23 06:55:46,357 - - Writing /nsm/rules/suricata/suricata-7.0.3-enhanced-open.txt.
2024-09-23 06:55:46,358 - - Writing /nsm/rules/suricata/threatview_CS_c2.rules.
2024-09-23 06:55:46,358 - - Writing /nsm/rules/suricata/tor.rules.
2024-09-23 06:55:46,537 - - Recording file /nsm/rules/suricata/emerging-all.rules with hash 'bc08c9c21d9475e34be175b88808b168'.
2024-09-23 06:55:48,657 - - Writing rules to /nsm/rules/suricata/emerging-all.rules: total: 52348; enabled: 39460; added: 0; removed 0; modified: 0
2024-09-23 06:55:48,849 - - Done.
2024-09-23 06:55:49,080 - - Loading ./rulecat.conf.
2024-09-23 06:55:49,088 - - Fetching http://SO-MGT:7788/suricata/emerging-all.rules.
100% - 31141349/31141349
2024-09-23 06:55:49,181 - - Done.
2024-09-23 06:55:49,192 - - Loading local file /opt/so/rules/nids/suri/local.rules
2024-09-23 06:55:49,192 - - Loading local file /opt/so/rules/nids/suri/misp.rules
2024-09-23 06:55:54,387 - - Loaded 177836 rules.

[dougburks]

@ips972 From #1720:

Start a new discussion instead of replying to somebody else's discussion
Please search to see if you can find similar discussions that may help you. However, in order to avoid confusion, please do NOT reply to somebody else's discussion with your own issue. Instead, please start a new discussion and in that new discussion you can provide a hyperlink to the related discussion.