Suricata is reporting a rule mismatch in the Detections section

[WPTechnician]

Version

2.4.70

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

32

RAM

128GB

Storage for /

150GB

Storage for /nsm

6TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I updated from 2.4.60 to 2.4.70 yesterday. I noticed when I logged in that the Detections section had an orange exclamation point. It is reporting that Suricata has a Rule Mismatch. Checking in the hunt section, the error it is throwing is:

"{"fields":{"error":"yaml: unmarshal errors:\n line 266: cannot unmarshal !!map into []*model.Override\n line 271: cannot unmarshal !!map into []*model.Override\n line 276: cannot unmarshal !!map into []*model.Override"},"level":"error","timestamp":"2024-06-06T18:20:06.093138607Z","message":"unable to sync suricata community detections"}"

I am not sure where to look to fix this issue. Thanks!

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[defensivedepth]

Can you please post the contents of the following file, from the Manager:

/opt/so/saltstack/local/salt/suricata/thresholding/sids.yaml

[WPTechnician]

Perfect, that was the file I was looking for, there were syntax issues on the three referenced lines and now things are golden. Thanks!