Can't activate custom rules

[Cantondy]

Hello,
I use security onion in distributed architecture (one manager, one search, two forward node).

I'm creating custom rules with Suricata to generate alerts.
I don't understand how long it takes for them to be activated and whether I'm creating these rules in the right way.

Here are the steps I take to apply a custom Suricata rule:

1. Create the custom rule in the GUI (detection tab --> create a suricata rule)
2. Activate the rule
3. Perform a differential update for suricata to synchronize the rule on forward nodes

After creating the rule, I constantly have a “Rules mismatch” displayed in the Detection tab for Suricata.
I also don't understand how long it takes for a rule to activate on a forward node. Sometimes the rule takes more than 10 minutes to activate (and generates an alert), sometimes more than an hour.

Am I missing a step in the creation of a rule? Is there another option for synchronizing a rule directly with forward nodes? Or is it normal for a rule to take more than 10-15 minutes to activate?

Thanks in advance for your answers

[InfosecGoon]

If you need to force a new rule into production as quickly as possible:

1. Create and enable the rule in Detections.
2. Run "sudo so-idstools-restart" on your Manager.
3. Run "sudo so-suricata-restart" on your Forward Nodes.

[techno-cat-1976]

Hello !

I use Security Onion 2.4.110 Standalone and have a problems with Suricata custom rules. Sometimes rule start to work immediately, sometimes after hour or more and sometimes didn't work at all. I try to sudo so-idstools-restart.
The command completes without any errors, but, after that all custom Suricata rules stop working complete.
Security Onion server was restarted several times, but with no luck.
No any erros in Security onion logs, just messages, that Suricata custom rules loaded successfully and all custom rules present in /opt/so/rules/nids/suri/local.rules file.
All custom Suricata rules was deleted and recreated, but again, with no luck.
So, i thing the only one solution is reinstall Security Onion from scratch.

Any help will be appreciated.

Thanks in advance.

[Cantondy]

Hello,

thank you for your reply

After several tests, here's the procedure I use to check that a custom rule is active on forward nodes:

1. Create the custom rule via the “Detection” tab
2. On the manager node, do a so-rule-update and check that the rule is up to date in "/opt/so/rules/nids/suri/local.rules" (it may take ~5-8 minutes for the rule to be updated on the manager).
3. Once the rule is up to date on the manager, issue the sudo so-suricata-restart command on the forward nodes and check that the rules are up to date in “opt/so/conf/suricata/rules/local.rules” (the rule update is almost instantaneous after the “so-suricata-restart” command).

Thanks for your answers!