Strelka & Suricata - Rule Mismatch - 2.4.110 #13971
Replies: 2 comments 2 replies
-
|
"Rule Mismatch" means that you have rules deployed on your grid that are not in Detections -- perhaps something local from an earlier version that was maintained through an upgrade. If you look at the Events at the bottom of this log view, there should be more information in the message field about what exactly the mismatch is. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the assistance, I was able to get more information from the message field. I disabled all the customs rules which resulted the rule mismatch status change to "ok" status. Since those customs rules were tailored to our network. If I want to re-enable them, should I give them a different SID in the Detections? Much appreciated |
Beta Was this translation helpful? Give feedback.
-
|
If you want to re-enable them, you'll need to add them through the Detections web interface - if they're YARA or Suricata rules, you should be able to just paste them into the input box that appears when you click the blue plus sign button in the Detections interface. Create the rules, then enable them in Detections and they'll be deployed to your grid. |
Beta Was this translation helpful? Give feedback.
-
|
Most of the customs rules that I disabled were already in the Detections web interface which generated the "rule mismatch". In that case, would it be because they were not written correctly? Or should I just delete my customs rules and re-create them. Much appreciated your assistance |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Version
2.4.110
Installation Method
Security Onion ISO image
Description
upgrading
Installation Type
Distributed
Location
airgap
Hardware Specs
Exceeds minimum requirements
CPU
16
RAM
128G
Storage for /
1T
Storage for /nsm
350M
Network Traffic Collection
tap
Network Traffic Speeds
1Gbps to 10Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
No, there are no additional clues
Detail
Good day,
I have "Strelka & Suricata - rule mismatch" within Detection menu. Reading some of the release notes, I was thinking by upgrading version (from 2.4.70 to 2.4.110) the rule mismatch would fix by itself. I read discussion #13238 and as I'm a beginner, not sure I correctly understand the suggested process to fix it and maybe it does not apply to my situation.
For Strelka
When I click on "rule mismatch", goes to Hunt and give me this information. It seems there are mistake within the Strelka/YARA file (/opt/so/log/soc/sensorini-server.log).
For Suricata
When I click on "rule mismatch", goes to Hunt and give me this information. Also, after reading SO documentation, I disabled all the rules added within the "local.rules" file but "rule mismatch" still present.
Not sure what is the next step to fix the mismatch, assistance would be much appreciated,
Please let me know for more information, I'll do my best to provide them.
Thanks
Guidelines
Beta Was this translation helpful? Give feedback.
All reactions