Suricata: Rule Mismatch after 2.4.70 to 2.4.100 upgrade

[DebianGuru]

Version

2.4.100

Installation Method

Security Onion ISO image

Description

upgrading

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

20

RAM

18GB

Storage for /

166G

Storage for /nsm

3.4TB

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

After an upgrade from 2.4.70 to 2.4.100 via soup, I now see "Suricata: Rule Mismatch" in my Detections tab. I've tried doing a "Full Update" with no luck.
Clicking it an going through the Hunt interface. I see warnings with this message field "{"fields":{"deployedButNotEnabled":[],"deployedButNotEnabledCount":0,"detectionEngine":"suricata","enabledButNotDeployed":["2016162","2823037","2812475","2806939","2810708","2019618","2808394","2856593","2047041","2027246","2032835","2020910","2046374","2522791","2039431","2822929","2809554","2040135","2041998","2006417"],"enabledButNotDeployedCount":23551,"intCheckId":"13eaaeb2-5000-4eb7-b3de-b6418fcea498","syncId":"a4244651-6737-4136-a445-e460fa2f6d04"},"level":"warn","timestamp":"2024-09-25T16:00:51.492365374Z","message":"integrity check failed"}"

If I'm reading that right there are 23,551 rules that are enabled but not deployed (whatever that means). I'm currently using the ET_PRO ruleset, and I think I saw another post that said only ET_OPEN was supported? But this worked in 2.4.70.

Any ideas?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[DebianGuru]

I don't know why, but I had to go to Administration>Configuration. Search for regex, then drop down to soc>config>server>module>suricataengine>disableRegex and add all the regex things that I originally had in /opt/so/saltstack/local/pillar/idstools/soc_idstools.sls, then I actually removed them from the soc_idstools.sls. I suspect the update should have done this, but didn't. All is well now.