Tuning Buton Greyed out for loads of rules.

[AndrewH3215]

Hello, I would appreciate some assistance with an issue I’m encountering. I have two questions:

I’m trying to tune some detections, but I’ve noticed that the tuning option is grayed out for a large number of rules. Do you know why this might be happening? I can still see the rule IDs and names inside /nsm/rules/suricata/sid-msg.map.

https://github.com/user-attachments/assets/8b156504-ec63-4b73-9434-7c33b4a24bf4

What’s odd is that there are duplicates of some rules, but under different IDs.

https://github.com/user-attachments/assets/65ee773f-fe2f-410d-8558-75d235237091

Additionally:

https://github.com/user-attachments/assets/fca9ad78-63c0-4720-b7ef-9b650af89b7e

The detection is listed under the ID shown in the first image.

Could this duplication or ID mismatch be causing the tuning feature to be disabled, as the UI might not be able to correlate the rule ID to bring it up?

---

My second question is about the best approach for tuning rules and where this should be done. I’ve tried tuning some rules through the UI, but in some cases, I’ve found that the flexibility is limited.

For instance, I was considering disabling an untuned rule via the UI and then adding a custom-tuned rule with the same name in /opt/so/rules/nids/suri under local.rules. Would this method work, even after periodic updates? Would the custom rule function like a regular rule?

Would you recommend this method for tuning existing rules outside the UI, or would it be better to edit them directly in all.rules (or wherever the rules actually reside)?

Thanks a lot in advance !

[dougburks]

I’m trying to tune some detections, but I’ve noticed that the tuning option is grayed out for a large number of rules. Do you know why this might be happening? I can still see the rule IDs and names inside /nsm/rules/suricata/sid-msg.map.

Have you added any rulesets other than the default ETOPEN ruleset?

Have you added any specific rules?

My second question is about the best approach for tuning rules and where this should be done.

We recommend tuning rules via the UI as shown in the documentation:
https://docs.securityonion.net/en/2.4/nids.html

I’ve tried tuning some rules through the UI, but in some cases, I’ve found that the flexibility is limited.
For instance, I was considering disabling an untuned rule via the UI and then adding a custom-tuned rule with the same name in /opt/so/rules/nids/suri under local.rules. Would this method work, even after periodic updates? Would the custom rule function like a regular rule?

You should be able to disable an untuned rule via the UI and then add a custom-tuned rule via the UI:
https://docs.securityonion.net/en/2.4/nids.html#adding-new-nids-rules

[AndrewH3215]

Hi @dougburks . Yes , I have added the OPNsense ruleset .

[dougburks]

How exactly did you add that ruleset?

Have you tried reverting that change to see if Detections works as expected with the default ETOPEN rules?

[AndrewH3215]

I deleted the all-rules file , and recompiled everything from OPNsense into a new all-rules file before replacing them. It's messy , I am completely aware . I haven't , I might try resetting to the defaults .

[dougburks]

Yes, please reset to defaults and see if that helps. If and when you decide to add another ruleset in the future, please make sure you follow the documentation:
https://docs.securityonion.net/en/2.4/nids.html#changing-to-a-different-ruleset