Security-Onion-Solutions / securityonion

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
https://securityonion.net

SO 2.4.70 Suricata Rule Mismatch #13120

Closed fcblank closed 6 months ago

fcblank commented 6 months ago

Discussed in https://github.com/Security-Onion-Solutions/securityonion/discussions/13109

Originally posted by **geistchevalier** May 31, 2024

### Version
2.4.70

### Installation Method
Security Onion ISO image

### Description
configuration

### Installation Type
Standalone

### Location
on-prem with Internet access

### Hardware Specs
Meets minimum requirements

### CPU
6

### RAM
64GB

### Storage for /
500GB

### Storage for /nsm
2TB

### Network Traffic Collection
tap

### Network Traffic Speeds
1Gbps to 10Gbps

### Status
Yes, all services on all nodes are running OK

### Salt Status
No, there are no failures

### Logs
Yes, there are additional clues in /opt/so/log/ (please provide detail below)

### Detail
Hi, I just upgraded to 2.4.70 from 2.4.60 and I am encountering the `Suricata: Rule Mismatch` warning. Aside from that, `sudo so-status` returns all green and `sudo salt-call state.highstate` does not get any failures:

```
Summary for local
--------------
Succeeded: 829 (changed=35)
Failed:      0
--------------
Total states run:     829
Total run time:   72.169 s
```

Looking at the docs `https://docs.securityonion.net/en/latest/detections.html#rule-engine-status`, I checked if I had any custom rule in the following files:

```
/opt/so/saltstack/local/salt/idstools/rules/local.rules
/opt/so/saltstack/local/salt/suricata/rules/local.rules
```

but the files are empty.

I checked the log at `/opt/so/log/soc/detections_runtime-status_sigma.log` and found a lot of errors like the following that are either `unknown` or `syntax error`:

```
{"_timestamp":"2024-05-31T00:08:17.138087Z","rule.name":"Potential PsExec Remote Execution - 3c28ba104","error_type":"runtime_status","error_message":"Error running query: RequestError(400, 'parsing_exception', 'line 1:107: token recognition error at: \\'\"* \\\\\\\\\\\\\\\\\\\\*\\'')","detection_type":"sigma","event_module":"soc","event_dataset":"soc.detections","error_analysis":"Syntax Error"}
{"_timestamp":"2024-05-31T00:08:18.524723Z","rule.name":"Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock - fa7773519","error_type":"runtime_status","error_message":"Error running query: RequestError(400, 'planning_exception', 'Found 4 problems\\nline 1:36: Unresolved expression\\nline 1:36: Unresolved expression\\nline 1:36: Unresolved expression\\nline 1:36: Unresolved expression')","detection_type":"sig>
{"_timestamp":"2024-05-31T00:08:18.803775Z","rule.name":"Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module - ddfe9c955","error_type":"runtime_status","error_message":"Error running query: RequestError(400, 'verification_exception', 'Found 1 problem\\nline 1:131: Unknown column [winlog.event_data.Payload]')","detection_type":"sigma","event_module":"soc","event_dataset":"soc.detections","error_analysis":"Unknown"}
{"_timestamp":"2024-05-31T00:08:18.924058Z","rule.name":"Potential Ursnif Malware Activity - Registry - 4ee5f679e","error_type":"runtime_status","error_message":"Error running query: RequestError(400, 'verification_exception', 'Found 1 problem\\nline 1:354: Unknown column [winlog.event_data.EventType]')","detection_type":"sigma","event_module":"soc","event_dataset":"soc.detections","error_analysis":"Unknown"}
{"_timestamp":"2024-05-31T00:08:18.979953Z","rule.name":"Credential Dumping Attempt Via WerFault - 807c96d8e","error_type":"runtime_status","error_message":"Error running query: RequestError(400, 'verification_exception', 'Found 2 problems\\nline 1:55: Unknown column [winlog.event_data.GrantedAccess]\\nline 1:104: Unknown column [winlog.event_data.TargetImage]')","detection_type":"sigma","event_module":"soc","event_dataset":">
{"_timestamp":"2024-05-31T00:08:19.014258Z","rule.name":"Suspicious Cobalt Strike DNS Beaconing - DNS Client - cffdc214a","error_type":"runtime_status","error_message":"Error running query: RequestError(400, 'verification_exception', 'Found 1 problem\\nline 1:130: Unknown column [winlog_channel]')","detection_type":"sigma","event_module":"soc","event_dataset":"soc.detections","error_analysis":"Unknown"}
{"_timestamp":"2024-05-31T00:08:19.391333Z","rule.name":"CobaltStrike Named Pipe Pattern Regex -- 0e7163d4-9e19-4fa7-9be6-000c61aad77a","error_type":"runtime_status","error_message":"Error running query: RequestError(400, 'parsing_exception', 'line 1:28: token recognition error at: \\'\"\\\\\\\\mojo\\\\.\\'')","detection_type":"sigma","event_module":"soc","event_dataset":"soc.detections","error_analysis":"Syntax Error"}
{"_timestamp":"2024-05-31T00:08:19.483207Z","rule.name":"MSSQL Server Failed Logon From External Network - ec52fee92","error_type":"runtime_status","error_message":"Error running query: RequestError(400, 'verification_exception', 'Found 1 problem\\nline 1:19: Unknown column [Data]')","detection_type":"sigma","event_module":"soc","event_dataset":"soc.detections","error_analysis":"Unknown"}
{"_timestamp":"2024-05-31T00:08:19.501873Z","rule.name":"Potential Privilege Escalation To LOCAL SYSTEM - c423f9b1b","error_type":"runtime_status","error_message":"Error running query: RequestError(400, 'x_content_parse_exception', '[eql] query malformed, no start_object after query name')","detection_type":"sigma","event_module":"soc","event_dataset":"soc.detections","error_analysis":"Unknown"}
```

Is there any way for me to remedy this situation? Is there any other location I can check to delete custom rules for Suricata? Is there a way to reset and disable all the Suricata rules so I can start fresh?

### Guidelines
- [X] I have read the discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and assert that I have followed the guidelines.
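A small triage helper for the runtime-status log quoted above, added here as an example (it is not part of the issue and not Security Onion's own tooling): it reads the JSON-lines log, skips truncated lines like the ones in the paste, counts failures per `error_analysis`, and lists which Sigma rules reference each field that Elasticsearch reports as an unknown column, which is the list to work through when deciding whether a field mapping is missing or a rule should be disabled. The sample lines are constructed and the rule names are placeholders.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed sample in the format of /opt/so/log/soc/detections_runtime-status_sigma.log
# (same field names as the entries quoted in the issue; rule names are placeholders).
SAMPLE_LOG = r'''
{"_timestamp":"2024-05-31T00:08:18.803775Z","rule.name":"Rule A - ddfe9c955","error_type":"runtime_status","error_message":"Error running query: RequestError(400, 'verification_exception', 'Found 1 problem\\nline 1:131: Unknown column [winlog.event_data.Payload]')","detection_type":"sigma","error_analysis":"Unknown"}
{"_timestamp":"2024-05-31T00:08:18.979953Z","rule.name":"Rule B - 807c96d8e","error_type":"runtime_status","error_message":"Error running query: RequestError(400, 'verification_exception', 'Found 2 problems\\nline 1:55: Unknown column [winlog.event_data.GrantedAccess]\\nline 1:104: Unknown column [winlog.event_data.TargetImage]')","detection_type":"sigma","error_analysis":"Unknown"}
{"_timestamp":"2024-05-31T00:08:19.391333Z","rule.name":"Rule C - 0e7163d4","error_type":"runtime_status","error_message":"Error running query: RequestError(400, 'parsing_exception', 'line 1:28: token recognition error')","detection_type":"sigma","error_analysis":"Syntax Error"}
{"_timestamp":"2024-05-31T00:08:19.5Z","rule.name":"Rule D - truncated","error_type":"runtime_status","error_message":"Error running query: RequestError(400, 'planning_exception', 'Found 1 problem')","detection_type":"sig>
'''

# Elasticsearch reports a field that the query references but no index maps.
UNKNOWN_COL = re.compile(r"Unknown column \[([^\]]+)\]")


def parse_runtime_status(text):
    """Parse JSON-lines output; truncated or non-JSON lines (as in the paste above) are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("error_type") == "runtime_status":
            records.append(rec)
    return records


def summarize(records):
    """Count errors per error_analysis and map each unknown field to the rules that need it."""
    by_analysis = Counter(r.get("error_analysis", "Unclassified") for r in records)
    missing_fields = defaultdict(set)
    for r in records:
        for field in UNKNOWN_COL.findall(r.get("error_message", "")):
            missing_fields[field].add(r["rule.name"])
    return {
        "by_analysis": dict(by_analysis),
        "missing_fields": {f: sorted(names) for f, names in missing_fields.items()},
    }


if __name__ == "__main__":
    summary = summarize(parse_runtime_status(SAMPLE_LOG))
    print(summary["by_analysis"])  # {'Unknown': 2, 'Syntax Error': 1}
    for field, rules in sorted(summary["missing_fields"].items()):
        print(f"{field}: {len(rules)} rule(s) -> {', '.join(rules)}")
```

To run it against a live box, replace `SAMPLE_LOG` with the contents of `/opt/so/log/soc/detections_runtime-status_sigma.log`.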
fcblank commented 6 months ago

Same issue here. Upgraded from 2.4.60 to 2.4.70. Everything worked perfectly up until I duplicated an ET rule in the 'Detections' application. Soon after I got the red exclamation sign on the detection tab. Here is the message of the filtered log:

```
{"fields":{"deployedButNotEnabled":[],"detectionEngine":"elastalert","enabledButNotDeployed":[],"intCheckId":"ab26bd40-758e-4b88-a629-307cb073a0e5"},"level":"info","timestamp":"2024-06-01T10:15:24.358843948Z","message":"integrity check report"}
```

TOoSmOotH commented 6 months ago

Please start your own discussion.