Detections: ElastAlert, Strelka, and Suricata "Rule Mismatch"

[Yehakin]

Version

2.4.170

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

Manager: 8 CPU

RAM

Manager: 32 GB

Storage for /

82 GB total, 29 GB available

Storage for /nsm

159 GB total, 57 GB available

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

All grid (manager, search, and sensor) node's services are showing green "Running".

Detections tab:

"Total Found: 0"
ElastAlert: Rule Mismatch
Strelka: Rule Mismatch
Suricata: Rule Mismatch

Clicking Options, Suricata "Full Update"

tail -f /opt/so/log/soc/sensoroni-server.log | grep -i suricata

--snip--
{"fields":{"detectionEngine":"suricata","error":"state file present but 0 community rules found","syncDuration":46.940566969,"syncId":"03c831b2-e4b4-4a46-8810-43bf30a12b0e"},"level":"info","timestamp":"2025-08-21T15:44:03.245670391Z","message":"sync completed"}
--snip--
{"fields":{"deployedFilteredOutCount":0,"detectionEngine":"suricata","enabledFilteredOutCount":0,"intCheckId":"af1d9770-2fc3-4eca-92e2-4b857ccccc92","rangesToIgnore":[{"LowerLimit":1100000,"UpperLimit":1101000}]},"level":"info","timestamp":"2025-08-21T15:44:13.324013034Z","message":"ignoring SIDs"}
{"fields":{"deployedButNotEnabled":["2059683","2051427","2034852","2022174","2061261","2014919","2035209","2046121","2048507","2049018","2023775","2032336","2010008","2022472","2403387","2017446","2025288","2101244","2048893","2048406"],"deployedButNotEnabledCount":44331,"detectionEngine":"suricata","enabledButNotDeployed":[],"enabledButNotDeployedCount":0,"intCheckId":"af1d9770-2fc3-4eca-92e2-4b857ccccc92"},"level":"warn","timestamp":"2025-08-21T15:44:13.340228569Z","message":"integrity check failed"}
--snip--

Clicking Suricata: Rule Mismatch goes to Hunt tab and 3 "SOC.server" Events are listed.
One of the event messages reads:
{"fields":{"deployedButNotEnabled":["2053382","2051702","2027002","2042942","2049978","2060340","2103390","2017683","2043545","2028599","2012236","2020259","2012190","2041973","2046564","2058927","2021629","2043234","2030496","2060005"],"deployedButNotEnabledCount":44331,"detectionEngine":"suricata","enabledButNotDeployed":[],"enabledButNotDeployedCount":0,"intCheckId":"2d404682-fac1-4d3d-a41c-1a0e05db2e36"},"level":"warn","timestamp":"2025-08-21T15:04:10.499652366Z","message":"integrity check failed"}

so-elasticsearch-query _cluster/health?pretty

{
"cluster_name" : "securityonion",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 2,
"number_of_data_nodes" : 2,
"active_primary_shards" : 95,
"active_shards" : 167,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"unassigned_primary_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}

Thanks in advance for any assistance.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

{"fields":{"deployedButNotEnabled":["2053382","2051702","2027002","2042942","2049978","2060340","2103390","2017683","2043545","2028599","2012236","2020259","2012190","2041973","2046564","2058927","2021629","2043234","2030496","2060005"],"deployedButNotEnabledCount":44331,

Looks like there are a bunch of rules deployed but not enabled.

What does your idstools pillar look like? sudo salt-call pillar.get idstools

[Yehakin]

I've searched several logs in /opt/so/log for any helpful clues, but nothing found other what I've previously listed.

Performing a query using valid keyword(s) in the Detections tab returns nothing.

In the Alerts tab, selecting an alert item, the selection menu "Tune Detection" is greyed out.

Is there a setting in Administration > Configuration that I check to make sure it's enabled for Detections?

Is there a configuration file and contents I can verify for Detections?

[cm-ops]

Look in /opt/so/log/soc/sensoroni-server.log for Detections. Your pillar looks like it is missing disabled and enabled. Like below:

[root@so-managersearch ~]# salt-call pillar.get idstools
local:
    ----------
    enabled:
        True
    sids:
        ----------
        disabled:
        enabled:
            - 2028869
            - 2026889
        modify:
            - 2024699 "flowbits" "noalert; flowbits"
            - 2010500 "flowbits" "noalert; flowbits"
            - 2010501 "flowbits" "noalert; flowbits"
            - 2025303 "flowbits" "noalert; flowbits"

[Yehakin]

Added enabled: and disabled: to /opt/so/saltstack/local/pillar/idstools/soc_idstools.sls

salt-call state.highstate

no errors

waited about 30 minutes, checked Detections tab, still shows "Rule Mismatch".
Rebooted all grid nodes, Detections tab, still shows "Rule Mismatch".

Checked the /opt/so/log/soc/sensoroni-server.log for detection errors, found same/similar as previously described.
"deployedButNotEnabledCount":44331

Does "44331" mean I need to manually add all those SIDs to the enabled: section in the .sls config file for Detections tab to start working again?

so-rule-update

2025-08-27 16:00:45,281 - - This is idstools-rulecat version 0.6.5; Python: 3.13.3 (main, May 21 2025, 23:35:07) [GCC 12.2.0]
2025-08-27 16:00:45,282 - - Forcing Suricata version to 7.0.3.
2025-08-27 16:00:45,282 - - Fetching https://rules.emergingthreats.net/open/suricata-7.0.3/emerging.rules.tar.gz.
100% - 5037117/5037117
2025-08-27 16:00:45,573 - - Done.
2025-08-27 16:00:45,716 - - Ignoring file rules/emerging-deleted.rules
2025-08-27 16:00:45,717 - - Parsing rules/botcc.portgrouped.rules.
2025-08-27 16:00:45,717 - - Parsing rules/botcc.rules.
2025-08-27 16:00:45,717 - - Parsing rules/ciarmy.rules.
2025-08-27 16:00:45,721 - - Parsing rules/compromised.rules.
2025-08-27 16:00:45,721 - - Parsing rules/drop.rules.
2025-08-27 16:00:45,724 - - Parsing rules/dshield.rules.
2025-08-27 16:00:45,724 - - Parsing rules/emerging-activex.rules.
2025-08-27 16:00:45,747 - - Parsing rules/emerging-adware_pup.rules.
2025-08-27 16:00:45,795 - - Parsing rules/emerging-attack_response.rules.
2025-08-27 16:00:45,832 - - Parsing rules/emerging-chat.rules.
2025-08-27 16:00:45,836 - - Parsing rules/emerging-coinminer.rules.
2025-08-27 16:00:45,837 - - Parsing rules/emerging-current_events.rules.
2025-08-27 16:00:45,847 - - Parsing rules/emerging-dns.rules.
2025-08-27 16:00:45,849 - - Parsing rules/emerging-dos.rules.
2025-08-27 16:00:45,854 - - Parsing rules/emerging-dyn_dns.rules.
2025-08-27 16:00:46,014 - - Parsing rules/emerging-exploit.rules.
2025-08-27 16:00:46,105 - - Parsing rules/emerging-exploit_kit.rules.
2025-08-27 16:00:46,299 - - Parsing rules/emerging-file_sharing.rules.
2025-08-27 16:00:46,306 - - Parsing rules/emerging-ftp.rules.
2025-08-27 16:00:46,310 - - Parsing rules/emerging-games.rules.
2025-08-27 16:00:46,313 - - Parsing rules/emerging-hunting.rules.
2025-08-27 16:00:46,365 - - Parsing rules/emerging-icmp.rules.
2025-08-27 16:00:46,368 - - Parsing rules/emerging-imap.rules.
2025-08-27 16:00:46,370 - - Parsing rules/emerging-inappropriate.rules.
2025-08-27 16:00:46,371 - - Parsing rules/emerging-info.rules.
2025-08-27 16:00:46,575 - - Parsing rules/emerging-ja3.rules.
2025-08-27 16:00:46,581 - - Parsing rules/emerging-malware.rules.
2025-08-27 16:00:47,782 - - Parsing rules/emerging-misc.rules.
2025-08-27 16:00:47,784 - - Parsing rules/emerging-mobile_malware.rules.
2025-08-27 16:00:47,835 - - Parsing rules/emerging-netbios.rules.
2025-08-27 16:00:47,866 - - Parsing rules/emerging-p2p.rules.
2025-08-27 16:00:47,871 - - Parsing rules/emerging-phishing.rules.
2025-08-27 16:00:48,015 - - Parsing rules/emerging-pop3.rules.
2025-08-27 16:00:48,016 - - Parsing rules/emerging-remote_access.rules.
2025-08-27 16:00:48,019 - - Parsing rules/emerging-retired.rules.
2025-08-27 16:00:48,040 - - Parsing rules/emerging-rpc.rules.
2025-08-27 16:00:48,046 - - Parsing rules/emerging-scada.rules.
2025-08-27 16:00:48,050 - - Parsing rules/emerging-scan.rules.
2025-08-27 16:00:48,062 - - Parsing rules/emerging-shellcode.rules.
2025-08-27 16:00:48,069 - - Parsing rules/emerging-smtp.rules.
2025-08-27 16:00:48,070 - - Parsing rules/emerging-snmp.rules.
2025-08-27 16:00:48,072 - - Parsing rules/emerging-sql.rules.
2025-08-27 16:00:48,082 - - Parsing rules/emerging-ta_abused_services.rules.
2025-08-27 16:00:48,086 - - Parsing rules/emerging-telnet.rules.
2025-08-27 16:00:48,087 - - Parsing rules/emerging-tftp.rules.
2025-08-27 16:00:48,088 - - Parsing rules/emerging-user_agents.rules.
2025-08-27 16:00:48,100 - - Parsing rules/emerging-voip.rules.
2025-08-27 16:00:48,101 - - Parsing rules/emerging-web_client.rules.
2025-08-27 16:00:48,136 - - Parsing rules/emerging-web_server.rules.
2025-08-27 16:00:48,169 - - Parsing rules/emerging-web_specific_apps.rules.
2025-08-27 16:00:48,631 - - Parsing rules/emerging-worm.rules.
2025-08-27 16:00:48,632 - - Parsing rules/threatview_CS_c2.rules.
2025-08-27 16:00:48,633 - - Parsing rules/tor.rules.
2025-08-27 16:00:48,754 - - Loaded 60150 rules.
2025-08-27 16:00:48,803 - - Disabled 0 rules.
2025-08-27 16:00:48,803 - - Enabled 0 rules.
2025-08-27 16:00:48,803 - - Modified 0 rules.
2025-08-27 16:00:48,803 - - Dropped 0 rules.
2025-08-27 16:00:48,865 - - Found 365 required flowbits.
2025-08-27 16:00:48,918 - - Found 136 rules to enable to for flowbit requirements
2025-08-27 16:00:48,980 - - Found 366 required flowbits.
2025-08-27 16:00:49,033 - - Found 0 rules to enable to for flowbit requirements
2025-08-27 16:00:49,033 - - All required rules enabled.
2025-08-27 16:00:49,033 - - Enabled 136 rules for flowbit dependencies.
2025-08-27 16:00:49,033 - - Recording file /nsm/rules/suricata/BSD-License.txt with hash 'bb118136c42d42c13da4e522ab3197f1'.
2025-08-27 16:00:49,033 - - Recording file /nsm/rules/suricata/LICENSE with hash '2c295b8686f53df3654d50343b95bb2e'.
2025-08-27 16:00:49,034 - - Recording file /nsm/rules/suricata/botcc.portgrouped.rules with hash 'e930e9df390ae547370c49bd6a7f4af9'.
2025-08-27 16:00:49,034 - - Recording file /nsm/rules/suricata/botcc.rules with hash '4c1dd4591241799ca924eb1e9b09922a'.
2025-08-27 16:00:49,034 - - Recording file /nsm/rules/suricata/ciarmy.rules with hash 'b74ba595658557c9a5648ce666ebb58d'.
2025-08-27 16:00:49,034 - - Recording file /nsm/rules/suricata/classification.config with hash '97383e1aed3414abd362f582a00ab21e'.
2025-08-27 16:00:49,034 - - Recording file /nsm/rules/suricata/compromised-ips.txt with hash 'f438bd01ec2cb9054bbcd096d82ad71e'.
2025-08-27 16:00:49,034 - - Recording file /nsm/rules/suricata/compromised.rules with hash '3e1f7396cda43f95293c461e59d0d3ff'.
2025-08-27 16:00:49,035 - - Recording file /nsm/rules/suricata/drop.rules with hash 'ffb48d88fe7b754b8431e12dcf21ffef'.
2025-08-27 16:00:49,035 - - Recording file /nsm/rules/suricata/dshield.rules with hash '8cb8f4b1c8267a64679d23d141af6f75'.
2025-08-27 16:00:49,036 - - Recording file /nsm/rules/suricata/emerging-activex.rules with hash '8e3f60d7da21559d7568e0955e7f87c6'.
2025-08-27 16:00:49,037 - - Recording file /nsm/rules/suricata/emerging-adware_pup.rules with hash 'e15b3effe33a12d30d146957aaf667ec'.
2025-08-27 16:00:49,038 - - Recording file /nsm/rules/suricata/emerging-attack_response.rules with hash 'c874306ce6c444c01032b4ef68187d35'.
2025-08-27 16:00:49,038 - - Recording file /nsm/rules/suricata/emerging-chat.rules with hash '7929a1cd8154048852aa080970fa8799'.
2025-08-27 16:00:49,038 - - Recording file /nsm/rules/suricata/emerging-coinminer.rules with hash 'dfec3f0ea115c404beaf3456d1fe5e0f'.
2025-08-27 16:00:49,039 - - Recording file /nsm/rules/suricata/emerging-current_events.rules with hash '0d131434ecb17f8847275a22dea11c28'.
2025-08-27 16:00:49,039 - - Recording file /nsm/rules/suricata/emerging-dns.rules with hash 'd17f0b3d89e224b0f68bc44de41f2b17'.
2025-08-27 16:00:49,039 - - Recording file /nsm/rules/suricata/emerging-dos.rules with hash 'f36cae34abfae1c03cdbd04184af1cab'.
2025-08-27 16:00:49,045 - - Recording file /nsm/rules/suricata/emerging-dyn_dns.rules with hash 'a270d052de4cb51ae559a8375e40dff1'.
2025-08-27 16:00:49,048 - - Recording file /nsm/rules/suricata/emerging-exploit.rules with hash '77e7d5557b5ec53e7f27e362fac7c752'.
2025-08-27 16:00:49,053 - - Recording file /nsm/rules/suricata/emerging-exploit_kit.rules with hash 'fb80a3b83b1099dce6f68c491cc496ee'.
2025-08-27 16:00:49,054 - - Recording file /nsm/rules/suricata/emerging-file_sharing.rules with hash '9c4c3b44508e9e53356f659349d40aa4'.
2025-08-27 16:00:49,054 - - Recording file /nsm/rules/suricata/emerging-ftp.rules with hash 'e8150d037917a967f974e7caf21bbc4e'.
2025-08-27 16:00:49,054 - - Recording file /nsm/rules/suricata/emerging-games.rules with hash '4e4eadcc3f3818ae083054da84173536'.
2025-08-27 16:00:49,056 - - Recording file /nsm/rules/suricata/emerging-hunting.rules with hash 'a55160300b9157c4bd7e4fcbc4060bac'.
2025-08-27 16:00:49,056 - - Recording file /nsm/rules/suricata/emerging-icmp.rules with hash 'bb6b155f802e043227efa71c68f27dcd'.
2025-08-27 16:00:49,056 - - Recording file /nsm/rules/suricata/emerging-imap.rules with hash '550a800724807e7f632f4a06d6cbb63c'.
2025-08-27 16:00:49,056 - - Recording file /nsm/rules/suricata/emerging-inappropriate.rules with hash 'ddb9043a06a1fe01603a3f85eff233a5'.
2025-08-27 16:00:49,061 - - Recording file /nsm/rules/suricata/emerging-info.rules with hash '854c269d5aa536ad912674e502dc0dc7'.
2025-08-27 16:00:49,061 - - Recording file /nsm/rules/suricata/emerging-ja3.rules with hash 'aa787d3c3dc732a5139ba69f825b3742'.
2025-08-27 16:00:49,092 - - Recording file /nsm/rules/suricata/emerging-malware.rules with hash '7a6ad388843d1e723099b76110a570b8'.
2025-08-27 16:00:49,092 - - Recording file /nsm/rules/suricata/emerging-misc.rules with hash 'c5b343483fd17ccbb2a57d7da7df4bb5'.
2025-08-27 16:00:49,094 - - Recording file /nsm/rules/suricata/emerging-mobile_malware.rules with hash '87c892e4d4888032938cef4b315db6d9'.
2025-08-27 16:00:49,094 - - Recording file /nsm/rules/suricata/emerging-netbios.rules with hash '3d3920fcd195188ab1008d7ddd009f25'.
2025-08-27 16:00:49,095 - - Recording file /nsm/rules/suricata/emerging-p2p.rules with hash '34b8fbfb91bf8262a4693d4790928138'.
2025-08-27 16:00:49,099 - - Recording file /nsm/rules/suricata/emerging-phishing.rules with hash '22abf79ceaaba2bc0d74a27b659d88a3'.
2025-08-27 16:00:49,099 - - Recording file /nsm/rules/suricata/emerging-pop3.rules with hash '3028f110ab492c44efe6505228862d13'.
2025-08-27 16:00:49,099 - - Recording file /nsm/rules/suricata/emerging-remote_access.rules with hash 'fe0b2ad4751be274df6ef555b95a9bc4'.
2025-08-27 16:00:49,100 - - Recording file /nsm/rules/suricata/emerging-retired.rules with hash '950c6b83dbdb648577bf5a46f3aff52f'.
2025-08-27 16:00:49,100 - - Recording file /nsm/rules/suricata/emerging-rpc.rules with hash 'e8cd4557abec514e2d95a7ccfa30b4a6'.
2025-08-27 16:00:49,100 - - Recording file /nsm/rules/suricata/emerging-scada.rules with hash 'd6c28ce5c5f435d7d1f2e2ff8b688b04'.
2025-08-27 16:00:49,100 - - Recording file /nsm/rules/suricata/emerging-scan.rules with hash '3c18f1bfe631c68ed4c4fb66ede8b209'.
2025-08-27 16:00:49,101 - - Recording file /nsm/rules/suricata/emerging-shellcode.rules with hash '5b77ae935e714b4fd4f982462ed5958b'.
2025-08-27 16:00:49,101 - - Recording file /nsm/rules/suricata/emerging-smtp.rules with hash 'c21462dd02b4a77d4c17eecaef6ebf8f'.
2025-08-27 16:00:49,101 - - Recording file /nsm/rules/suricata/emerging-snmp.rules with hash 'd570a75b90c70b654e379db263d701a2'.
2025-08-27 16:00:49,101 - - Recording file /nsm/rules/suricata/emerging-sql.rules with hash '2acc994cfa7fdc26116a7129d4b275e7'.
2025-08-27 16:00:49,102 - - Recording file /nsm/rules/suricata/emerging-ta_abused_services.rules with hash 'bb530891b06f46b63395173e144ac022'.
2025-08-27 16:00:49,102 - - Recording file /nsm/rules/suricata/emerging-telnet.rules with hash '4050611976477e7f01e120bec171cb48'.
2025-08-27 16:00:49,102 - - Recording file /nsm/rules/suricata/emerging-tftp.rules with hash 'b8a5a1e944f62eba15cd2fb5e34772c9'.
2025-08-27 16:00:49,102 - - Recording file /nsm/rules/suricata/emerging-user_agents.rules with hash '1903da5a69c8fb8d8ca9fbbb34528475'.
2025-08-27 16:00:49,102 - - Recording file /nsm/rules/suricata/emerging-voip.rules with hash '53970d4e1703b553c9bd95d0f7e394f6'.
2025-08-27 16:00:49,103 - - Recording file /nsm/rules/suricata/emerging-web_client.rules with hash '5eb792b01ed7b85669a8fdfab8a9203c'.
2025-08-27 16:00:49,104 - - Recording file /nsm/rules/suricata/emerging-web_server.rules with hash '1b3a0071aae564750f2cb63f8d8d3d42'.
2025-08-27 16:00:49,115 - - Recording file /nsm/rules/suricata/emerging-web_specific_apps.rules with hash '9a5768f0d3ed4b5f475031771402ba2a'.
2025-08-27 16:00:49,116 - - Recording file /nsm/rules/suricata/emerging-worm.rules with hash '3e7a6fbfb5e971d830ac9e458384c6d1'.
2025-08-27 16:00:49,116 - - Recording file /nsm/rules/suricata/gpl-2.0.txt with hash 'b234ee4d69f5fce4486a80fdaf4a4263'.
2025-08-27 16:00:49,133 - - Recording file /nsm/rules/suricata/sid-msg.map with hash 'b85b6adecb0b9386e110bf07261de8a5'.
2025-08-27 16:00:49,133 - - Recording file /nsm/rules/suricata/suricata-7.0.3-enhanced-open.txt with hash 'd41d8cd98f00b204e9800998ecf8427e'.
2025-08-27 16:00:49,133 - - Recording file /nsm/rules/suricata/threatview_CS_c2.rules with hash '69a64bc0a46b068496b15c03eadf383a'.
2025-08-27 16:00:49,134 - - Recording file /nsm/rules/suricata/tor.rules with hash '6575f9813a862f69326b733f0ee3beb8'.
2025-08-27 16:00:53,037 - - Writing rule files to directory /nsm/rules/suricata/: total: 60150; enabled: 44425; added: 0; removed 0; modified: 0
2025-08-27 16:00:53,038 - - Writing /nsm/rules/suricata/BSD-License.txt.
2025-08-27 16:00:53,038 - - Writing /nsm/rules/suricata/LICENSE.
2025-08-27 16:00:53,038 - - Writing /nsm/rules/suricata/botcc.portgrouped.rules.
2025-08-27 16:00:53,039 - - Writing /nsm/rules/suricata/botcc.rules.
2025-08-27 16:00:53,039 - - Writing /nsm/rules/suricata/ciarmy.rules.
2025-08-27 16:00:53,043 - - Writing /nsm/rules/suricata/classification.config.
2025-08-27 16:00:53,043 - - Writing /nsm/rules/suricata/compromised-ips.txt.
2025-08-27 16:00:53,044 - - Writing /nsm/rules/suricata/compromised.rules.
2025-08-27 16:00:53,045 - - Writing /nsm/rules/suricata/drop.rules.
2025-08-27 16:00:53,047 - - Writing /nsm/rules/suricata/dshield.rules.
2025-08-27 16:00:53,048 - - Writing /nsm/rules/suricata/emerging-activex.rules.
2025-08-27 16:00:53,070 - - Writing /nsm/rules/suricata/emerging-adware_pup.rules.
2025-08-27 16:00:53,114 - - Writing /nsm/rules/suricata/emerging-attack_response.rules.
2025-08-27 16:00:53,147 - - Writing /nsm/rules/suricata/emerging-chat.rules.
2025-08-27 16:00:53,150 - - Writing /nsm/rules/suricata/emerging-coinminer.rules.
2025-08-27 16:00:53,152 - - Writing /nsm/rules/suricata/emerging-current_events.rules.
2025-08-27 16:00:53,161 - - Writing /nsm/rules/suricata/emerging-dns.rules.
2025-08-27 16:00:53,163 - - Writing /nsm/rules/suricata/emerging-dos.rules.
2025-08-27 16:00:53,167 - - Writing /nsm/rules/suricata/emerging-dyn_dns.rules.
2025-08-27 16:00:53,311 - - Writing /nsm/rules/suricata/emerging-exploit.rules.
2025-08-27 16:00:53,391 - - Writing /nsm/rules/suricata/emerging-exploit_kit.rules.
2025-08-27 16:00:53,533 - - Writing /nsm/rules/suricata/emerging-file_sharing.rules.
2025-08-27 16:00:53,540 - - Writing /nsm/rules/suricata/emerging-ftp.rules.
2025-08-27 16:00:53,545 - - Writing /nsm/rules/suricata/emerging-games.rules.
2025-08-27 16:00:53,548 - - Writing /nsm/rules/suricata/emerging-hunting.rules.
2025-08-27 16:00:53,594 - - Writing /nsm/rules/suricata/emerging-icmp.rules.
2025-08-27 16:00:53,598 - - Writing /nsm/rules/suricata/emerging-imap.rules.
2025-08-27 16:00:53,599 - - Writing /nsm/rules/suricata/emerging-inappropriate.rules.
2025-08-27 16:00:53,601 - - Writing /nsm/rules/suricata/emerging-info.rules.
2025-08-27 16:00:53,747 - - Writing /nsm/rules/suricata/emerging-ja3.rules.
2025-08-27 16:00:53,751 - - Writing /nsm/rules/suricata/emerging-malware.rules.
2025-08-27 16:00:54,621 - - Writing /nsm/rules/suricata/emerging-misc.rules.
2025-08-27 16:00:54,626 - - Writing /nsm/rules/suricata/emerging-mobile_malware.rules.
2025-08-27 16:00:54,671 - - Writing /nsm/rules/suricata/emerging-netbios.rules.
2025-08-27 16:00:54,698 - - Writing /nsm/rules/suricata/emerging-p2p.rules.
2025-08-27 16:00:54,702 - - Writing /nsm/rules/suricata/emerging-phishing.rules.
2025-08-27 16:00:54,848 - - Writing /nsm/rules/suricata/emerging-pop3.rules.
2025-08-27 16:00:54,849 - - Writing /nsm/rules/suricata/emerging-remote_access.rules.
2025-08-27 16:00:54,853 - - Writing /nsm/rules/suricata/emerging-retired.rules.
2025-08-27 16:00:54,874 - - Writing /nsm/rules/suricata/emerging-rpc.rules.
2025-08-27 16:00:54,879 - - Writing /nsm/rules/suricata/emerging-scada.rules.
2025-08-27 16:00:54,883 - - Writing /nsm/rules/suricata/emerging-scan.rules.
2025-08-27 16:00:54,895 - - Writing /nsm/rules/suricata/emerging-shellcode.rules.
2025-08-27 16:00:54,901 - - Writing /nsm/rules/suricata/emerging-smtp.rules.
2025-08-27 16:00:54,902 - - Writing /nsm/rules/suricata/emerging-snmp.rules.
2025-08-27 16:00:54,904 - - Writing /nsm/rules/suricata/emerging-sql.rules.
2025-08-27 16:00:54,914 - - Writing /nsm/rules/suricata/emerging-ta_abused_services.rules.
2025-08-27 16:00:54,918 - - Writing /nsm/rules/suricata/emerging-telnet.rules.
2025-08-27 16:00:54,919 - - Writing /nsm/rules/suricata/emerging-tftp.rules.
2025-08-27 16:00:54,920 - - Writing /nsm/rules/suricata/emerging-user_agents.rules.
2025-08-27 16:00:54,931 - - Writing /nsm/rules/suricata/emerging-voip.rules.
2025-08-27 16:00:54,932 - - Writing /nsm/rules/suricata/emerging-web_client.rules.
2025-08-27 16:00:54,963 - - Writing /nsm/rules/suricata/emerging-web_server.rules.
2025-08-27 16:00:54,994 - - Writing /nsm/rules/suricata/emerging-web_specific_apps.rules.
2025-08-27 16:00:55,267 - - Writing /nsm/rules/suricata/emerging-worm.rules.
2025-08-27 16:00:55,269 - - Writing /nsm/rules/suricata/gpl-2.0.txt.
2025-08-27 16:00:55,269 - - Writing /nsm/rules/suricata/sid-msg.map.
2025-08-27 16:00:55,286 - - Writing /nsm/rules/suricata/suricata-7.0.3-enhanced-open.txt.
2025-08-27 16:00:55,286 - - Writing /nsm/rules/suricata/threatview_CS_c2.rules.
2025-08-27 16:00:55,287 - - Writing /nsm/rules/suricata/tor.rules.
2025-08-27 16:00:55,610 - - Recording file /nsm/rules/suricata/emerging-all.rules with hash '9aad82b063cb0b6c9b7b4fe39102464a'.
2025-08-27 16:00:58,946 - - Writing rules to /nsm/rules/suricata/emerging-all.rules: total: 60150; enabled: 44425; added: 0; removed 0; modified: 0
2025-08-27 16:00:59,403 - - Done.
2025-08-27 16:00:59,857 - - Loading ./rulecat.conf.
2025-08-27 16:00:59,859 - - Forcing Suricata version to 7.0.3.
2025-08-27 16:00:59,859 - - Fetching http://allium:7788/suricata/emerging-all.rules.
100% - 38847236/38847236
2025-08-27 16:01:00,198 - - Done.
2025-08-27 16:01:00,216 - - Loading local file /opt/so/rules/nids/suri/local.rules
2025-08-27 16:01:03,103 - - Loaded 60150 rules.
2025-08-27 16:01:03,155 - - Disabled 0 rules.
2025-08-27 16:01:03,155 - - Enabled 0 rules.
2025-08-27 16:01:03,155 - - Modified 0 rules.
2025-08-27 16:01:03,155 - - Dropped 0 rules.
2025-08-27 16:01:03,273 - - Enabled 0 rules for flowbit dependencies.
2025-08-27 16:01:07,067 - - Writing rule files to directory /nsm/rules/detect-suricata/custom_temp: total: 60150; enabled: 44425; added: 0; removed 0; modified: 0
2025-08-27 16:01:13,069 - - Writing rules to /opt/so/rules/nids/suri/all.rules: total: 60150; enabled: 44425; added: 0; removed 0; modified: 0
2025-08-27 16:01:13,525 - - Done.

[cm-ops]

Would you let me know what this shows? sudo so-index-list | grep so-detection

[Yehakin]

Thanks Chris for continued troubleshooting.

so-index-list | grep so-detection
returns no output.

so-index-list | grep -i detections
green open .ds-logs-detections.alerts-so-2025.08.22-000001 56p9o_KWSEq347q0rv8w_g 1 0 58 0 951.8kb 951.8kb 951.8kb

This is the full output

so-index-list

health status index uuid pri rep docs.count docs.deleted store.size pri.store.size dataset.size
green open .ds-.fleet-actions-results-2025.05.17-000012 D13IzW1RTyWJ9b-axVpmbQ 1 1 1701 0 862.8kb 431.4kb 431.4kb
green open .ds-.fleet-actions-results-2025.06.16-000013 _RPGgkAYSYery2fpWBF0VA 1 1 2 0 20.6kb 10.3kb 10.3kb
green open .ds-.fleet-actions-results-2025.08.08-000016 OK3SQeG1RI2hJRl_nihMow 1 1 290 0 359.9kb 179.9kb 179.9kb
green open .ds-logs-detections.alerts-so-2025.08.22-000001 56p9o_KWSEq347q0rv8w_g 1 0 58 0 951.8kb 951.8kb 951.8kb
green open .ds-logs-elastic_agent-default-2025.08.22-000001 mr5RA7B3Th226FocElBeIQ 1 0 1237 0 830.6kb 830.6kb 830.6kb
green open .ds-logs-elastic_agent.filebeat-default-2025.08.22-000001 SF8Z0lljTROuydcWegGl6g 1 0 43723 0 59.8mb 59.8mb 59.8mb
green open .ds-logs-elastic_agent.fleet_server-default-2025.08.22-000001 YqZH8f1PRhWOLI-_7EtXLA 1 0 211912 0 37.5mb 37.5mb 37.5mb
green open .ds-logs-elastic_agent.osquerybeat-default-2025.08.22-000001 inHFoBidTK69zG1ZollUxA 1 0 236 0 654.7kb 654.7kb 654.7kb
green open .ds-logs-elasticsearch.server-default-2025.08.22-000001 gT_q7g7fToK0m1KfQ-pWbw 1 0 21848 0 5.4mb 5.4mb 5.4mb
green open .ds-logs-kratos-so-2025.08.22-000001 3F_l7_CMSu6WGMw-kl5H8w 1 0 72330 0 96.3mb 96.3mb 96.3mb
green open .ds-logs-soc-so-2025.08.22-000001 NDI4JVscSkKERlxx1x9b_w 1 0 957886 0 1gb 1gb 1gb
green open .ds-logs-strelka-so-2025.08.22-000001 SYR4CUkxSG-Z_GMsoGYc6A 1 0 619 0 5.7mb 5.7mb 5.7mb
green open .ds-logs-suricata.alerts-so-2025.08.22-000001 3LrJZ4AJSwOSWhN5-JHXDw 1 0 5216478 0 8.7gb 8.7gb 8.7gb
green open .ds-logs-system.auth-default-2025.08.22-000001 hWY7azeXRHKhMOoBUh3E6w 1 0 38467 0 60.6mb 60.6mb 60.6mb
green open .ds-logs-system.syslog-default-2025.08.22-000001 L6cklsl6QZSTghPjKO5rqQ 1 0 7986295 0 1.9gb 1.9gb 1.9gb
green open .ds-logs-zeek-so-2025.08.22-000001 VNa7IIzXScCv-H-zWjpwfA 2 0 75577633 0 100.1gb 100.1gb 100.1gb
green open .ds-logs-zeek-so-2025.08.25-000002 3WVrWpBYSnqlddv3tfQiTg 2 0 73437023 0 99.9gb 99.9gb 99.9gb
green open .ds-logs-zeek-so-2025.08.27-000003 jiXix5sEQAK7eki00ltOlg 2 0 69920046 0 99.9gb 99.9gb 99.9gb
green open .ds-logs-zeek-so-2025.08.30-000004 vc16HqZtRoeyZMcLJOjiNw 2 0 76703808 0 100gb 100gb 100gb
green open .ds-logs-zeek-so-2025.09.02-000005 hSOtbJNGRm22hI8E7URkcA 2 0 8400179 0 16.9gb 16.9gb 16.9gb
green open .ds-metrics-fleet_server.agent_status-default-2025.08.22-000001 m-xBmhZ5R0q9TZAvSR93Ww 1 0 17415 0 1.2mb 1.2mb 1.2mb
green open .ds-metrics-fleet_server.agent_versions-default-2025.08.22-000001 _8ngLxbAQXWhIx475Y7N4Q 1 0 87075 0 4.7mb 4.7mb 4.7mb
green open .internal.alerts-default.alerts-default-000001 dByufIP0SLqD6P32bRssww 1 1 0 0 500b 250b 250b
green open .internal.alerts-ml.anomaly-detection-health.alerts-default-000001 jVlYwVrdSt2NrR6wZ3P5rA 1 1 0 0 500b 250b 250b
green open .internal.alerts-ml.anomaly-detection.alerts-default-000001 m7Dl50OnTP-_RPWeVwOLRA 1 1 0 0 500b 250b 250b
green open .internal.alerts-observability.apm.alerts-default-000001 R_M6PWddQWyXoGfVvsKGNw 1 1 0 0 500b 250b 250b
green open .internal.alerts-observability.logs.alerts-default-000001 Z6x9h100TpSQyqOETO1AsA 1 1 0 0 500b 250b 250b
green open .internal.alerts-observability.metrics.alerts-default-000001 Sha70Js1RWuF5MTd5kkHQQ 1 1 0 0 500b 250b 250b
green open .internal.alerts-observability.slo.alerts-default-000001 fBCX52-ORA-5G3_9dEnU4Q 1 1 0 0 500b 250b 250b
green open .internal.alerts-observability.threshold.alerts-default-000001 a8n9IqbURXSa4ZLHkOUPCw 1 1 0 0 500b 250b 250b
green open .internal.alerts-observability.uptime.alerts-default-000001 I4_0SCLXT6erbSatpa9uIw 1 1 0 0 500b 250b 250b
green open .internal.alerts-security.alerts-default-000001 _04IJK-1QOu_gbyNDgT3aQ 1 1 0 0 500b 250b 250b
green open .internal.alerts-stack.alerts-default-000001 iHF9atFtSb2NgAgxTN_J3Q 1 1 0 0 500b 250b 250b
green open .internal.alerts-transform.health.alerts-default-000001 KzPiWtTvQ5aE8EDScSFcNw 1 1 0 0 500b 250b 250b
green open .kibana-observability-ai-assistant-conversations-000001 COCwSB5yTGuUeJZm1Pju3w 1 1 0 0 500b 250b 250b
green open .kibana-observability-ai-assistant-kb-000001 L7F0i4k1QYeuTaPmQbvfqA 1 1 0 0 500b 250b 250b
green open .logs-osquery_manager.action.responses-default pUgr0_6BT-63xJVQulZAsg 1 0 0 0 250b 250b 250b
green open .logs-osquery_manager.actions-default jv6GWzZgRde-eI4DU_vt1g 1 0 0 0 250b 250b 250b
green open elastalert P1hJ9ZYJThahVJq0grWEDw 1 0 58 0 1mb 1mb 1mb
green open elastalert_error Q52_gY8LSxWZ34iU7gJOCg 1 0 160923 0 147.6mb 147.6mb 147.6mb
green open elastalert_past ICy4ITNRQAmngnRgingp-g 1 0 0 0 249b 249b 249b
green open elastalert_silence mes0un0RQM2KAC8OYQhuVg 1 0 0 0 249b 249b 249b
green open elastalert_status 12RoI4YtSma78levHownQA 1 0 396243 0 75.2mb 75.2mb 75.2mb

[Yehakin]

I added missing indices: so-detection and so-detectionhistory

so-index-list | grep -i detection
green open .internal.alerts-ml.anomaly-detection-health.alerts-default-000001 jVlYwVrdSt2NrR6wZ3P5rA 1 1 0 0 500b 250b 250b
green open .internal.alerts-ml.anomaly-detection.alerts-default-000001 m7Dl50OnTP-_RPWeVwOLRA 1 1 0 0 500b 250b 250b
green open so-detection vI5eS3t1R1WHpFKxhZujZg 1 1 0 0 498b 249b 249b
green open so-detectionhistory W1aLOWKuQiWNcnSifruD2g 1 1 0 0 498b 249b 249b

In Kibana I see the below error. Do I need to populate a field? and with what?

Lifecycle error:
{
"failed_step": "check-rollover-ready",
"step_info": {
"type": "illegal_argument_exception",
"reason": "setting [index.lifecycle.rollover_alias] for index [so-detection] is empty or not defined"
}
}

Current phase definition:
{
"policy": "so-detection-logs",
"phase_definition": {
"min_age": "0ms",
"actions": {
"rollover": {
"max_age": "30d",
"min_docs": 1,
"max_primary_shard_docs": 200000000
}
}
},
"version": 5,
"modified_date_in_millis": 1756478847345
}

"lifecycle": {
"parse_origination_date": "false",
"prefer_ilm": "true",
"step": {
"wait_time_threshold": "12h"
},
"indexing_complete": "false",
"rollover_alias": "",
"origination_date": "-1"
},

[cm-ops]

Doesn't look the rules have made it to the index. Did you just run a PUT to create the index?

Try this, remove both so-detection, so-detectionhistory indices.

If there are these files in /opt/so/conf/soc/fingerprint/ elastalertengine.state emerging-all.fingerprint sigma.fingerprint sigma.pipelines.fingerprint strelkaengine.state suricataengine.state remove them.

Restart SOC with sudo so-soc-restart and once it restarts check the log at /opt/so/log/soc/sensoroni-server.log to verify the rules are being imported. The indices should be recreated as well.