Detections: adding custom Suricata rule works, but causes rule mismatch status

[zfcarsonb]

Version

2.4.70

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

Manager: 8 cores, Forward: 28 cores, Search: 16

RAM

Manager: 32 Gb, Forward: 128 Gb, Search: 128 Gb

Storage for /

Manager: 85 Gb, Forward: 300 Gb, Search: 315 Gb

Storage for /nsm

Manager: 170 Gb, Forward: 15 TB, Search: 24 TB

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi all,

I'm having trouble trying to understand what is causing the "Rule Mismatch" status for Suricata in the new Detections module. In short, the sync always succeeds, unless I add a custom Suricata rule using the new UI. Adding a new Suricata rule through the Detections UI causes the "Rule Mismatch" error.

When adding a rule through the UI, these are the steps I take:

1. Go to SOC -> Detections -> Add Rule
2. Select language Suricata
3. Paste in custom signature
4. Save.
5. Check the enable box in Detections UI.

An example custom rule (in case it's some obvious syntax error or something):

"Alert when a connection is made to a service that uses an internal CA."

alert tls $HOME_NET any -> $HOME_NET any (msg:"CB ALERT_TEST TLS connection using XYZCompany internal certificate authority"; flow:established,to_client; tls.cert_subject; content:"XYZCompany Certificate CN"; fast_pattern; classtype:not-suspicious; metadata: signature_severity Informational, created_at 2024_06_07, updated_at 2024_06_07; sid: 30001002; rev:1;)

The rule is successfully added to Detections:

Furthermore, the rule is deployed and enabled on all sensor nodes:

The SID was also successfully added to the idstools enabled pillar:

 
However, after sync is complete (by waiting, or by clicking Differential or Full Update buttons), the status for Suricata is still somehow Rule Mismatch. I am quite perplexed by this; nothing seems to be out-of-sync, at least from first glance.

Looking at the Integrity Check Report logs, I find my SID listed under "deployedButNotEnabled":

{"fields":{"deployedButNotEnabled":["30001002"],"detectionEngine":"suricata","enabledButNotDeployed":[],"intCheckId":"34ff33b9-88e4-4abc-b7b4-6629400af8e5"},"level":"info","timestamp":"2024-06-07T19:18:06.567001022Z","message":"integrity check report"}

This doesn't make sense to me, because the rule appears in all.rules on the master and sensors.

If anyone has guidance on what might be the culprit, that would be much appreciated.
Thanks!

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[defensivedepth]

This afternoon we internally confirmed this as a bug. We are working on a fix.

The custom rule is deployed just fine, it is the integrity check that is not working as expected.

[zfcarsonb]

Thanks for all the hard work you all have put into Detections! Even with the initial bugs, it looks like it will greatly enhance and consolidate the process of managing signatures!

[oneCrazyAdmin]

I thought that I was losing my mind. Thanks for the update

[defensivedepth]

@zfcarsonb @oneCrazyAdmin 2.4.80 was released yesterday and has a number of fixes for Detections. I would suggest upgrading and seeing if that fixes the issue.

[oneCrazyAdmin]

It worked for me! I am now working through my old local.rules file and adding them into the detections.

[zfcarsonb]

Same here! Thanks again to everyone at Security Onion Solutions for creating the Detections system. It truly is an amazing improvement!

[defensivedepth]

Good to hear!!

[defensivedepth]

@oneCrazyAdmin Also, if you have a bunch of local rules, you can add them via a new option in .80: https://docs.securityonion.net/en/2.4/nids.html#other

[majungman]

hi , any ideas how i can manage my custom rules i added in the previous version ? As i cant find the custom rules i added previously in the newest version in the detection page as referred to the fig.

Thanks

[defensivedepth]

@majungman Please start a new Discussion.