Replies: 1 comment

This solution is much better:
I was having the message "ElastAlert: Rule Mismatch" in Detection page.
After many hours of investigation and search, this is what worked for me in Security Onion 2.4:
EDITED: This solution is much better: #13238 (reply in thread)
--------------------- OLD POST BELOW------------------------------
Because there are many logs and their location can change from one version to another, I decided to use Kibana to find this:
1. Find this in kibana, including the quotes
"enabledButNotDeployedCount\":" AND NOT "enabledButNotDeployedCount\":0"
Just out of curiosity: I was not able to make a REGEX like this work: "enabledButNotDeployedCount":[1-9]" but these others did work: "enabledButNotDeployedCount":[1]" and "enabledButNotDeployedCount":/[1]/" in KQL and Lucene; I'll be thankful for any help with this :). These others didn't work: "enabledButNotDeployedCount":[123456789]", "/enabledButNotDeployedCount":[1-9]/", /"enabledButNotDeployedCount":[1-9]"/, "enabledButNotDeployedCount":/[1-9]/"
EDITED: the original solution for me was
cat /opt/so/log/soc/sensoroni-server.log | grep "enabledButNotDeployedCount\":[1-9]"
2. Open the most recent and look for message, like this:
Elastalerts sample:
`{"fields":{"deployedButNotEnabled":[],"deployedButNotEnabledCount":0,"detectionEngine":"elastalert","enabledButNotDeployed":["055fb148-60f8-462d-ad16-26926ce050f1"],"enabledButNotDeployedCount":1,"intCheckId":"668ea166-401f-445c-9ab2-5415001275e4"},"level":"warn","timestamp":"2024-08-21T09:25:06.884696656Z","message":"integrity check failed"}`
or this:
Suricata sample:
`{"fields":{"deployedButNotEnabled":["2055041","2055063","2055079","2055065","2055031","2055048","2054980","2055136","2055169","2055092","2055187","2054974","2054999","2055177","2055029","2054986","2055085","2055047","2055125","2055159"],"deployedButNotEnabledCount":229,"detectionEngine":"suricata","enabledButNotDeployed":["2522858","2522859","2054940","2522857"],"enabledButNotDeployedCount":4,"intCheckId":"d96fe231-12ab-4bad-b800-a9bf6484f376"},"level":"warn","timestamp":"2024-08-09T07:12:15.900333337Z","message":"integrity check failed"}`
3. Take the IDs; in my case it was the ElastAlert rule 055fb148-60f8-462d-ad16-26926ce050f1. In the Suricata sample there are 4 IDs: ["2522858","2522859","2054940","2522857"]
4. Find them in Detections, and deactivate them. (Using binocular icon and Status-Disable).
5. In Detections, use "Differential update" and wait.
That was all... two days of investigation to reach this solution; I hope it will be useful for someone.
Regards,
Carlos
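Steps 1 to 3 of the post above (find the most recent "integrity check failed" record per engine and pull out the rule IDs) can be done with a small parser instead of a grep. The script below is an added example, not code from the post or from Security Onion. It assumes the log is JSON lines shaped like the two samples in the post (one object per line with `message`, `timestamp` and a `fields` object carrying `detectionEngine`, `enabledButNotDeployed(Count)` and `deployedButNotEnabled(Count)`); the log path is the one the post greps, and the sample log embedded in the script is constructed from the post's two records plus filler lines.

```python
"""List the rule IDs behind Security Onion "integrity check failed" log records.

Added example, not code from the post or from Security Onion. Assumes JSON-lines
records shaped like the post's samples (see module constants below).
"""
import json
import sys
from typing import Iterable

LOG_PATH = "/opt/so/log/soc/sensoroni-server.log"  # path taken from the post

# Constructed sample log, not a real capture: the two records from the post, an
# older ElastAlert failure (constructed) that the newer record must supersede,
# a non-JSON line and an unrelated JSON line that the parser must skip.
SAMPLE_LOG = """\
starting sensoroni server (constructed non-JSON line)
{"level":"info","timestamp":"2024-08-20T09:00:00.000000000Z","message":"integrity check started"}
{"fields":{"deployedButNotEnabled":[],"deployedButNotEnabledCount":0,"detectionEngine":"elastalert","enabledButNotDeployed":["11111111-2222-3333-4444-555555555555"],"enabledButNotDeployedCount":1,"intCheckId":"constructed-older-check"},"level":"warn","timestamp":"2024-08-20T09:25:06.000000000Z","message":"integrity check failed"}
{"fields":{"deployedButNotEnabled":[],"deployedButNotEnabledCount":0,"detectionEngine":"elastalert","enabledButNotDeployed":["055fb148-60f8-462d-ad16-26926ce050f1"],"enabledButNotDeployedCount":1,"intCheckId":"668ea166-401f-445c-9ab2-5415001275e4"},"level":"warn","timestamp":"2024-08-21T09:25:06.884696656Z","message":"integrity check failed"}
{"fields":{"deployedButNotEnabled":["2055041","2055063","2055079","2055065","2055031","2055048","2054980","2055136","2055169","2055092","2055187","2054974","2054999","2055177","2055029","2054986","2055085","2055047","2055125","2055159"],"deployedButNotEnabledCount":229,"detectionEngine":"suricata","enabledButNotDeployed":["2522858","2522859","2054940","2522857"],"enabledButNotDeployedCount":4,"intCheckId":"d96fe231-12ab-4bad-b800-a9bf6484f376"},"level":"warn","timestamp":"2024-08-09T07:12:15.900333337Z","message":"integrity check failed"}
"""


def failed_checks(lines: Iterable[str]):
    """Yield every parsed "integrity check failed" record and skip everything else."""
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # the log also carries non-JSON lines
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        fields = rec.get("fields")
        if rec.get("message") != "integrity check failed" or not isinstance(fields, dict):
            continue
        if "detectionEngine" not in fields:
            continue
        yield rec


def mismatch_report(lines: Iterable[str]) -> dict:
    """Return, per detection engine, the IDs from its most recent failed check.

    Only the latest record per engine is kept (the post says to open the most
    recent one). Timestamps are compared as strings, which is safe because the
    log writes fixed-width RFC 3339 UTC stamps. Each "...Count" is compared with
    the length of its ID list: the Suricata sample reports 229 rules but lists
    only 20, so the list in the log is truncated and must be flagged as such.
    """
    latest: dict[str, dict] = {}
    for rec in failed_checks(lines):
        engine = rec["fields"]["detectionEngine"]
        if engine not in latest or rec.get("timestamp", "") > latest[engine].get("timestamp", ""):
            latest[engine] = rec

    report = {}
    for engine, rec in latest.items():
        f = rec["fields"]
        entry = {"timestamp": rec.get("timestamp"), "intCheckId": f.get("intCheckId")}
        for key in ("enabledButNotDeployed", "deployedButNotEnabled"):
            ids = [str(i) for i in f.get(key, [])]
            count = int(f.get(key + "Count", len(ids)))
            entry[key] = ids
            entry[key + "Truncated"] = count > len(ids)
        report[engine] = entry
    return report


def main(argv: list[str]) -> int:
    path = argv[1] if len(argv) > 1 else LOG_PATH
    with open(path, encoding="utf-8") as fh:
        report = mismatch_report(fh)
    if not report:
        print("no failed integrity checks found in", path)
        return 0
    for engine, e in sorted(report.items()):
        print(f"{engine}: last failed check at {e['timestamp']} (intCheckId {e['intCheckId']})")
        for key in ("enabledButNotDeployed", "deployedButNotEnabled"):
            note = " (list truncated in log)" if e[key + "Truncated"] else ""
            print(f"  {key}: {', '.join(e[key]) or '-'}{note}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the manager with the default path, or pass another log file as the first argument; the IDs it prints are the ones to look up in Detections for steps 4 and 5. The truncation flag is the check worth keeping: when a count is larger than the list the log shows, the printed IDs are only part of the mismatch, and the rest has to come from Detections itself.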