No Suricata rules after modifying the ruleset for ETPRO with a valid oinkcode and forcing the Suricata update

[Anadema]

Version

xxx

Installation Method

xxx

Description

xxx

Installation Type

xxx

Location

xxx

Hardware Specs

xxx

CPU

xxx

RAM

xxx

Storage for /

xxx

Storage for /nsm

xxx

Network Traffic Collection

xxx

Network Traffic Speeds

xxx

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello,

How to check if ruleset modification is ok?

What documentation haven't I read?

Of course I have internet, I even did the security onion complete update, it works very well.

I'm also interested in adding a url to manage the rule from Git but that will be another question....

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[Anadema]

In fact I have one rule, but it's the rule I created myself :)

And in case you ask the content of /opt/so/rules/nids/suri

And a manual download of the rule, I have hidden the url of course

[Anadema]

In found something and I try to debug myself, I have used the command:

sudo so-rule-update

And the magic happened all rules was downloaded

After I use this:

sudo so-suricata-restart

But it's the same in the interface, so I launch a new update with the option in detection tab, and now I'm waiting...

[Anadema]

I think the interface configuration doesn't work as I configured and something is not clear for me.

It works, but I have just an issue here, maybe mix interface and command is not very good.

If I click on it, I discover that I have 14 rules of detection not enabled

"deployedButNotEnabledCount":14

I filter with a sid:(xxx) with the 14 SID and the rule disappear from the interface, but always the same synchro I launch a full update on suricata and go sleep, will see tomorrow.

[Anadema]

Ok 13 rules have disappeared from mismacth, I only have one left and when I extract its sid and try to find it in the detection, there is nothing ... I'll find it.

I have deactivated it manually in /opt/so/rules/nids/suri/all.rules , update suricata, full update, synchronyze grid and ... A few moment later:

Could you tell me what I did wrong and what is the good way to configure the new ruleset, I don't think the update will work automatically and I will have certainly the same mismatch result if I do it manually?

[Anadema]

It's ok I fixed it myself, just need activated and desactivate rule and wait auto update to check.