Incorrect synchronization of suricata rules

[Cantondy]

Hello,

I use Security onion in distributed architecture.
When creating custom rules for Suricata, there are strange errors synchronizing the created rules.

Let me explain:

• If I delete a rule, it remains active and continues to generate alerts (first alert on the image below).
• If I modify a rule, I end up with 2 rules with the same ID but not the same configuration (1st and 2nd alert on the image below).

I create the alerts via the GUI in the “Detection” tab, then perform a “differentiale update” to synchronize the rules.

What am I doing wrong? I don't understand this behavior and it's hell to test and debug custom rules.

Thanks in advance for all your answers!

[dougburks]

What version of Security Onion are you running?

[Cantondy]

Hello,

I'm on version 2.4.110 in distributed deployment.

I solved the rule duplication problem with the same ID by manually deleting one of the 2 rules in the “/opt/so/rules/nids/suri/local.rules” file.

It seems that this deletion via the GUI was not possible and required a manual deletion directly in the file.

[dougburks]

It seems that this deletion via the GUI was not possible and required a manual deletion directly in the file.

I just tested on 2.4.110 as follows and deletion via GUI works for me:

• add a custom rule and enable it via Detections
• wait for or force the soc and idstools states to run again and the Suricata engine sync
• verify that the custom rule alerts properly
• delete the custom rule via Detections
• wait for or force the soc and idstools states to run again and the Suricata engine sync
• verify that the custom rule no longer alerts

Please try this and see if it works for you.

From https://docs.securityonion.net/en/2.4/detections.html#ruleset-changes:

[Cantondy]

Hello,

It does work when I force the restart of ids tool on the manager (sudo so-idstools-restart) and of suricata on the sensors (sudo so-suricata-restart).

Thanks for your help