New 2.4.111 Install - Elastalert Rule Mismatch

[murph146]

Version

2.4.111

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

12

RAM

32

Storage for /

300

Storage for /nsm

200

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

I just did a fresh install of 2.4.111 with no custom modifications to rules or alerts and detection page is showing an Elastalert Rule Mismatch. Reboot clears the error and then 15-20 minutes it comes back. Hunt shows integrity check failed; discrepancies found. Not positive but it seems like a similar issue or the same was reported to be resolved in an earlier 2.4 release. What's the easiest way to resolve this or do I just reinstall since I haven't put much time into this fresh install yet.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[rh-ops]

Yeah if you're open to doing a fresh install, lets try that and see if the issue persists. Also I'd recommend swapping your / and nsm partitions while you're at it. The nsm should be the one with the most space.

[SanibelJack]

Anyone else have any other recommendations besides a reinstall?

[rh-ops]

If you're dealing with a similar issue, please create a new discussion post for it.

[murph146]

It looks like maybe i spoke too soon because the issue has re-appeared. I see it says there's a discrepancy found which is the same message i was getting before i did the rebuild as recommended, but I don't see what the discrepancies are. Would prepfer to not rebuild this again if possible so any help would be appreciated.

[Fox-E-1337]

I used the following command on my manager node to show all the offending rules, you can build a filter with the list and disable the rules

cat /opt/so/log/soc/sensoroni-server.log | grep "enabledButNotDeployedCount":[0-9]"

[defensivedepth]

@murph146 @SanibelJack We have confirmed that there is an issue with a recently-updated Sigma rule - 24e3e58a-646b-4b50-adef-02ef935b9fc8 - Hacktool Execution - Imphash

For now, search for that rule in Detections and disable it. It will clear up the mismatch.

Our next release will fix the field mapping for that rule.

[SankaGamage]

@murph146 @SanibelJack We have confirmed that there is an issue with a recently-updated Sigma rule - 24e3e58a-646b-4b50-adef-02ef935b9fc8 - Hacktool Execution - Imphash

For now, search for that rule in Detections and disable it. It will clear up the mismatch.

Our next release will fix the field mapping for that rule.

If we disable them, does it affect anything else?

[defensivedepth]

Nope!

[mazda4409]

I have seen this error consistently on the releases for the past 6 months as of 2.4.111 on clean installs. SO as usual throws install errors at the end of the install on fresh hardware, hypervisors, etc. I forgot how I last resolved this, if I find it, I will post it here.

Update:
Reviewed my notes. Last Elast alert that I had before this on a prior release was "Pending." So technically separate error from this. It looks like per my notes that I got out of that through soup lol.
On 2.4.111, I did the following:
run sudo so rule update

sudo so-elastalert-restart
sudo so-suricata-restart
sudo so-test (works) 

Restarted SO VM
ElastAlert works without the mismatch.

Update: back to mismatch about an hour or so into the refresh.

[mazda4409]

Stuck in pending now in Version: 2.4.120.

[defensivedepth]

@mazda4409 Please start a new discussion for a different issue

[mazda4409]

#14278

[Zer0-cyber-web]

If it is an ElastAlert/Sigma rule mismatch on a fresh install, this is because of some changes from the upstream rule provider. We have a fix in for the next release.

Hi. I have again this problem with ElastAlert/Sigma rules Mismatch on new 2.4.140 release.
I have tried to disable that specific Sigma rule and run Full Update - no change.
Should I start new discussion?

[dougburks]

@Zer0-cyber-web Yes, please start a new discussion and provide full details.

[murph146]

Recently updated to 2.4.120 last week and I'm not seeing the ElastAlert Rule Mismatch issue return as of yet.

[defensivedepth]

@murph146 @SanibelJack @mazda4409 @SankaGamage @Fox-E-1337 With the release of .120 last week, we have reworked the field mappings for the Sigma rules that were causing this issue. Please let me know if you continue to see it post-upgrade.

[mazda4409]

Elasticsearch has completely failed for me after the upgrade, rebooted and manually restarted.

[defensivedepth]

@mazda4409 Please start a new discussion for this new issue

[mazda4409]

#14278

[SanibelJack]

I’ve noticed a slowdown in processing. Jack Voth CISSP, CISM, CEH Sanibel Cyber Technology, LLC ***@***.******@***.***> www.sanibelcybertechnology.com<http://www.sanibelcybertechnology.com> 239-249-9311 From: Kyler Kent CISSP ***@***.***> Sent: Friday, February 21, 2025 2:28 PM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: Jack Voth ***@***.***>; Mention ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] New 2.4.111 Install - Elastalert Rule Mismatch (Discussion #14049) Elasticsearch has completely failed for me after the upgrade, rebooted and manually restarted. — Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_Security-2DOnion-2DSolutions_securityonion_discussions_14049-23discussioncomment-2D12280705&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=EmGJCPNXtWIv4XsZwUb24PJY86ckMBtQUIPmSk3a1t0&m=EB9AA7y5QIl6Av4TvD3tYLfrdE8bJOoOQ5fEAMNtYPZU9bRs5bXeMB0BaxMpnFI5&s=I9NPLx5q2YnhqPQyOVzL1V8y8_4IPkNCUhi2xcj3zk8&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_ARTMXS33OI6C6SZV62FLHQD2Q545FAVCNFSM6AAAAABUDXFB2KVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTEMRYGA3TANI&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=EmGJCPNXtWIv4XsZwUb24PJY86ckMBtQUIPmSk3a1t0&m=EB9AA7y5QIl6Av4TvD3tYLfrdE8bJOoOQ5fEAMNtYPZU9bRs5bXeMB0BaxMpnFI5&s=GJvENWiMVnbcZmLwjODfsi8gqxe7gmwPnIqShfnsH4g&e=>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

[defensivedepth]

@SanibelJack Please start a new Discussion for this new issue