Suricata rules disappear after so-rule-update

[netsecninja]

2.3.2 Standalone environment. I just disabled a single rule ID number using the same method I had done several times in the past couple of weeks:

1. Add the SID to /opt/so/saltstack/local/pillar/minions/securityonion_standalone.sls, under idstools > sids > disabled.
2. Run sudo salt securityonion_standalone state.apply idstools
3. Run sudo so-rule-update

Except this time, all of the rules except the ones I had previously added to local.rules were removed.

$ sudo so-rule-update 
2020-11-10 20:18:29,373 - <INFO> - Loading ./rulecat.conf.
2020-11-10 20:18:29,376 - <INFO> - Forcing Suricata version to 5.0.
2020-11-10 20:18:29,377 - <INFO> - Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-5.0.0/emerging.rules.tar.gz.
2020-11-10 20:18:29,379 - <INFO> - Loading local file /opt/so/rules/nids/local.rules
2020-11-10 20:18:29,379 - <INFO> - Loaded 3 rules.
2020-11-10 20:18:29,380 - <INFO> - Disabled 0 rules.
2020-11-10 20:18:29,380 - <INFO> - Enabled 0 rules.
2020-11-10 20:18:29,380 - <INFO> - Modified 0 rules.
2020-11-10 20:18:29,380 - <INFO> - Dropped 0 rules.
2020-11-10 20:18:29,380 - <INFO> - Enabled 0 rules for flowbit dependencies.
2020-11-10 20:18:31,064 - <INFO> - Writing rules to /opt/so/rules/nids/all.rules: total: 3; enabled: 3; added: 0; removed 27978; modified: 0
2020-11-10 20:18:31,157 - <INFO> - Done.

I get the limit on not downloading the ET ruleset, but why is so-rule-update not reading from my cache? Currently, my /opt/so/rules/nids/all.rules only lists the three rules I had previously tuned in /opt/so/saltstack/local/salt/idstools/local.rules, nothing else.

[weslambert]

I imagine the temp file it uses for the downloaded rules is null at that point, so there is nothing to merge with the other rules. If you wait 15 mins then try (and successfully download rules), does it behave as desired?

[netsecninja]

I re-ran so-rule-update some time after that 15 minute window and it worked as expected. Can I assume the emptiness of the temp rule file is not expected though? This does create a 15+ minute gap of coverage which for large deployments would be a problem.

[weslambert]

Correct, the empty temp file is not ideal, and we may have some changes we can make with regard to 15 minute limitation. If run interactively, we should be able to override the limitation to get the rules we need immediately. I could see this being applied more to a non-interactive use case. I'd have to look into it more.