Suricata: Rules Mismatch

[Zer0-cyber-web]

Hi all!
Running version 2.4.130 (from ISO) Standalone on vmWare VPS (16 cores, 32MB of RAM, 500Gb of storage). High state - all OK.

Please help to find where I should look... I have this message in Detections section - "Suricata: Rules Mismatch". Diving deeper into Hunt for it (by clicking on that message) - I have information about some 2 items. "event.action" "integrity check failed". SO
Message field for both items is the same:
"{"fields":{"deployedButNotEnabled":["2027867"],"deployedButNotEnabledCount":1,"detectionEngine":"suricata","enabledButNotDeployed":[],"enabledButNotDeployedCount":0,"intCheckId":"9583792c-4b24-4bfc-9e56-019e023c3464","syncId":"05331982-0da0-4a0c-85e7-709b354e7ef5"},"level":"warn","timestamp":"2025-03-24T07:51:28.3789644Z","message":"integrity check failed"}"

soc.fields.deployedButNotEnabled - [ "2027867" ]

I have looked at this rule PublicID 2027867 and found that this rule I disabled right on Alert page while observing alerts. Since that - there was about two reboots (manual, by request on Grid section), and Mismatch still in place.

Documentation sais:
"Rule Mismatch: An integrity check process detected a mismatch between the deployed rules and the enabled rules. The SOC log will note the specific mismatched rules. One possible reason for this is if you had previously added custom rules to /opt/so/saltstack/local/salt/idstools/rules/local.rules. If this is the case, you can remove the rules from that file and then re-add them using the Detections interface."

But I didn't do any custom rules addition outside of web-interface. Only Detection tuning (like suppressing some addresses).

What should I look into to solve this issue? It lookus like I need to "undeploy" that rule somehow, but - how? Solution like "justg enable it back" - is not acceptable, it generates too much noise alerts.
Sorry, if it is some obvious thing, but I failed to find an answer by myself...
Thanks in advance.

[dougburks]

32MB of RAM

Am I correct in assuming that should be 32GB?

I have looked at this rule PublicID 2027867 and found that this rule I disabled right on Alert page while observing alerts. Since that - there was about two reboots (manual, by request on Grid section), and Mismatch still in place.

Have you tried doing a full update as described at https://docs.securityonion.net/en/2.4/detections.html#options?

It lookus like I need to "undeploy" that rule somehow, but - how? Solution like "justg enable it back" - is not acceptable, it generates too much noise alerts.

I understand that you don't want to keep it enabled it permanently, but have you tried re-enabling the rule temporarily and then disabling that to see if that helps get everything in the correct state?

Was this a fresh installation of 2.4.130 or did you upgrade from a previous version?

Have you tried a fresh installation of 2.4.140 (released yesterday)?
https://blog.securityonion.net/2025/03/security-onion-24140-now-available.html

[Zer0-cyber-web]

Hi!
Thanks for your reply!

32MB of RAM

Am I correct in assuming that should be 32GB?

Ah, sorry, yes, sure. GB.

I have looked at this rule PublicID 2027867 and found that this rule I disabled right on Alert page while observing alerts. Since that - there was about two reboots (manual, by request on Grid section), and Mismatch still in place.

Have you tried doing a full update as described at https://docs.securityonion.net/en/2.4/detections.html#options?
Yes, just did - no change.

It lookus like I need to "undeploy" that rule somehow, but - how? Solution like "justg enable it back" - is not acceptable, it generates too much noise alerts.

I understand that you don't want to keep it enabled it permanently, but have you tried re-enabling the rule temporarily and then disabling that to see if that helps get everything in the correct state?

It looks like this did the trick. Togeather with Full Update for Suricata. Just did it after upgrading to 2.4.140 version. After enabling it, making Full Update and then disabling it again with another Full Update - Mismatch is gone.

Was this a fresh installation of 2.4.130 or did you upgrade from a previous version?

Have you tried a fresh installation of 2.4.140 (released yesterday)? https://blog.securityonion.net/2025/03/security-onion-24140-now-available.html
Well, I did upgrade it manually with soup. There were some errors with elastic agent, but rest - finished ok. No changes in Detection status. Fresh install is an ultimate step - there so many settings and attunements already made. And I am not that experinced user yet to save and transfer all those settings.

But there is another Mismatch appeared. This time - with Elastic rules... Now I have some information what I have to play with, so I will try to solve it myself.

Thank you!