Add in detections a pre-filter that selects all rules that are not ok

[sleepingbel]

Can you in SO 2.4 make a detection dashboard pre-filter that filter out all the rules that have sync issues?

if you go to the hunt dashboard you find the "intCheckId" but this is not the rule ID, how do you find the ruleid of rules with a sync issue

regards Bart

[defensivedepth]

The Integrity Check Report log will look something like this (if the integrity check failed):

{"fields":{"deployedButNotEnabled":[],"detectionEngine":"suricata","enabledButNotDeployed":["2520021","2403353","2520008","2522408","2522420","2522504","2403314","2522332","2520043","2522490","2522219","2403392","2520077","2403320","2520013","2522070","2522769","2522444","2522166","2520018","2522503","2522336","2522435","2522527016"],"intCheckId":"cea66880-d7b4-4891-bed8-18b6fa2514a3"},"level":"info","timestamp":"2024-06-28T20:00:52.057751316Z","message":"integrity check report"}

The ids in enabledButNotDeployed are the SIDs of the rules. You can use this to start troubleshooting what is going on.

[sleepingbel]

Hello Josh,

I have found 25 rules in this field over a period of 60 days and none of these rules have tweaks, when i disabled these rules status wass still " Rule Mismatch"

I do not have local rules

this was the filter that i used for filtering rules

so_detection.language: "suricata" AND so_detection.publicId:("2522781" OR "2522786" OR "2522787" OR "2520109" OR "2522785" OR "2520110" OR "2525010" OR "2525011" OR "2522784"
 OR "2522783" OR "2053804" OR "2522782" OR "2053807" OR "2522788" OR "2522791" OR "2520113" OR "2522790" OR "2520112" OR "2522789" OR "2520111" OR "2522793" OR "2049413" 
OR "2049412" OR "2522792" OR "2522794")

This was the filter that I used for the sec logs

tags:so-soc AND suricata AND event.action:"integrity check report" | groupby log.level | groupby event.action | groupby soc.fields.error | table soc_timestamp soc.fields.enabledButNotDeployed soc.fields.deployedButNotEnabled

[sleepingbel]

The newest log is the first and it goes from 20/06/24 to 27/06/24

In total there are 11 logs where there are 25 unique values ​​in the field "enabledButNotDeployed". I have tried to disable all these rules, but this do not change the status of the sync.

I assume that the values ​​used in the field "enabledButNotDeployed" are retrieved in the field "so_detection.publicId", is this correct?

Two of the rules can not be found:

• 2525011
• 2520113

Firts log

{"fields":{"deployedButNotEnabled":[],"detectionEngine":"suricata","enabledButNotDeployed":["2522794","2522793","2522792"],"intCheckId":"556afb16-cbed-4b79-9908-54c73bdc2ce4"},"level":"info","timestamp":"2024-06-20T07:05:22.342569748Z","message":"integrity check report"}

Second Log

{"fields":{"deployedButNotEnabled":["2053745","2053746","2525011","2053748","2053747"],"detectionEngine":"suricata","enabledButNotDeployed":["2522793","2049413","2049412","2522792","2522794"],"intCheckId":"507e7cef-0037-451a-8a3a-e7a2939ab180"},"level":"info","timestamp":"2024-06-20T07:04:01.730060461Z","message":"integrity check report"}

Third Log

{"fields":{"deployedButNotEnabled":[],"detectionEngine":"suricata","enabledButNotDeployed":["2522791","2520112","2522788","2520113","2520111","2522790","2522789"],"intCheckId":"8b9c9b44-bb85-4064-8434-9b8c92362c49"},"level":"info","timestamp":"2024-06-24T07:08:47.143781413Z","message":"integrity check report"}

fourth log

{"fields":{"deployedButNotEnabled":[],"detectionEngine":"suricata","enabledButNotDeployed":["2522788","2522791","2520113","2522790","2520112","2522789","2520111"],"intCheckId":"74b89ca0-b7ab-4102-8d1e-2245304c33b9"},"level":"info","timestamp":"2024-06-24T07:01:19.728840836Z","message":"integrity check report"}

fifth log

{"fields":{"deployedButNotEnabled":[],"detectionEngine":"suricata","enabledButNotDeployed":["2522788","2522791","2520113","2522790","2520112","2522789","2520111"],"intCheckId":"74b89ca0-b7ab-4102-8d1e-2245304c33b9"},"level":"info","timestamp":"2024-06-24T07:01:19.728840836Z","message":"integrity check report"}

sixth log

{"fields":{"deployedButNotEnabled":[],"detectionEngine":"suricata","enabledButNotDeployed":["2522782","2522783","2522784"],"intCheckId":"46d780c0-2da2-45ed-bddc-0284a342ad5c"},"level":"info","timestamp":"2024-06-26T07:11:53.38026879Z","message":"integrity check report"}

seventh log

{"fields":{"deployedButNotEnabled":["2053866","2053849","2053864","2053856","2053880","2053876","2525012","2053882","2525011","2053851","2053868","2053875","2053873","2053850","2053861","2053869","2525010","2053857","2053863","2053878","2053881","2053877","2520109","2053860","2053854","2053852","2053867","2053865","2053855","2053862","2053859","2053870","2053858","2053884","2053874","2053871","2053853","2053883","2053872","2053879"],"detectionEngine":"suricata","enabledButNotDeployed":["2522784","2522783","2053804","2522782","2053807"],"intCheckId":"577173b7-e3ee-4b2f-9ebc-fb66aa6df547"},"level":"info","timestamp":"2024-06-26T07:10:20.073796313Z","message":"integrity check report"}

eighth log

{"fields":{"deployedButNotEnabled":[],"detectionEngine":"suricata","enabledButNotDeployed":["2522785","2522787","2520109","2525011","2525010","2520110","2522786"],"intCheckId":"d51420c3-b52a-4abb-a03e-60fde33caf30"},"level":"info","timestamp":"2024-06-25T07:07:51.099685646Z","message":"integrity check report"}

ninth log

{"fields":{"deployedButNotEnabled":["2053801","2053829","2053825","2053804","2053818","2053827","2053841","2053833","2053808","2053830","2053821","2053814","2053815","2053802","2053817","2053811","2053836","2053806","2053838","2053805","2053843","2053845","2053803","2053832","2053816","2053842","2053822","2053813","2053844","2053835","2053810","2053834","2053812","2053824","2053846","2053807","2053839","2053820","2053819","2053840","2053823","2053828","2053848","2053826","2053831","2053847","2053809","2053837"],"detectionEngine":"suricata","enabledButNotDeployed":["2522786","2522787","2520109","2522785","2520110","2525010","2525011"],"intCheckId":"1e375132-cf5a-43b4-afcb-e26ac1d52442"},"level":"info","timestamp":"2024-06-25T07:05:55.006829399Z","message":"integrity check report"}

tenth log

{"fields":{"deployedButNotEnabled":[],"detectionEngine":"suricata","enabledButNotDeployed":["2522781"],"intCheckId":"754cf04e-60ec-4716-b0c2-7bf437f3777f"},"level":"info","timestamp":"2024-06-27T07:06:29.689091689Z","message":"integrity check report"}

[defensivedepth]

Please post the output from:

sudo salt-call pillar.get idstools

[sleepingbel]

I did not find those two ID's
`
[INFO ] Creating module dir '/var/cache/salt/minion/extmods/grains'
[INFO ] Syncing grains for environment 'base'
[INFO ] Loading cache from salt://_grains, for base
[INFO ] Caching directory '_grains/' for environment 'base'
local:
----------
enabled:
True
sids:
----------
disabled:
- re:DNS Query
- 2035466
- 2033078
- 2021701
- 2035463
- 2028651
- 2036220
- 2035465
- 2031071
- 2025275
- 2035464
- 2016150
- 2016149
- 2027390
- 2525010
- 2053804
- 2053807
- 2049412
- 2049413
enabled:
- 2033077
- 2010645
- 2053841
- 2053836
- 2053838
- 2520110
- 2520109
- 2522786
- 2522787
- 2522785
- 2522781
- 2053839
- 2053819
- 2053835
- 2053834
- 2053846
- 2053810
- 2053812
- 2053828
- 2053824
- 2053844
- 2053823
- 2053840
- 2053820
- 2053848
- 2053831
- 2053826
- 2053847
- 2053809
- 2053837
- 2053801
- 2053802
- 2053803
- 2053805
- 2053806
- 2053808
- 2053825
- 2053827
- 2053829
- 2053832
- 2053833
- 2053811
- 2053814
- 2053816
- 2053818
- 2053821
- 2053845
- 2053830
- 2053842
- 2053822
- 2053815
- 2053813
- 2053817
- 2053843
- 2522782
- 2522783
- 2522784
- 2522789
- 2522790
- 2522788
- 2522791
- 2520111
- 2522793
- 2522792
- 2522794
- 2025709
- 2034817
- 2025726
modify:
- 2024699 "flowbits" "noalert; flowbits"
- 2025303 "flowbits" "noalert; flowbits"
- 2024693 "flowbits" "noalert; flowbits"
- 2010500 "flowbits" "noalert; flowbits"
- 2010501 "flowbits" "noalert; flowbits"
- 2018050 "flowbits" "noalert; flowbits"
- 2007717 "flowbits" "noalert; flowbits"
- 2007723 "flowbits" "noalert; flowbits"
- 2007715 "flowbits" "noalert; flowbits"
- 2003031 "flowbits" "noalert; flowbits"
- 2003032 "flowbits" "noalert; flowbits"
- 2012622 "flowbits" "noalert; flowbits"
- 2015812 "flowbits" "noalert; flowbits"
- 2015867 "flowbits" "noalert; flowbits"
- 2015866 "flowbits" "noalert; flowbits"
- 2015876 "flowbits" "noalert; flowbits"
- 2017246 "flowbits" "noalert; flowbits"
- 2017789 "flowbits" "noalert; flowbits"
- 2018356 "flowbits" "noalert; flowbits"
- 2020993 "flowbits" "noalert; flowbits"
- 2014983 "flowbits" "noalert; flowbits"
- 2026461 "flowbits" "noalert; flowbits"
- 2018355 "flowbits" "noalert; flowbits"
- 2019343 "flowbits" "noalert; flowbits"
- 2026462 "flowbits" "noalert; flowbits"
- 2034095 "flowbits" "noalert; flowbits"
- 2034096 "flowbits" "noalert; flowbits"
- 2001873 "flowbits" "noalert; flowbits"
- 2001874 "flowbits" "noalert; flowbits"
- 2003196 "flowbits" "noalert; flowbits"
- 2003197 "flowbits" "noalert; flowbits"
- 2002912 "flowbits" "noalert; flowbits"
- 2002913 "flowbits" "noalert; flowbits"
- 2002914 "flowbits" "noalert; flowbits"
- 2002918 "flowbits" "noalert; flowbits"
- 2002924 "flowbits" "noalert; flowbits"
- 2002923 "flowbits" "noalert; flowbits"
- 2002919 "flowbits" "noalert; flowbits"
- 2002915 "flowbits" "noalert; flowbits"
- 2002916 "flowbits" "noalert; flowbits"
- 2002917 "flowbits" "noalert; flowbits"
- 2002921 "flowbits" "noalert; flowbits"
- 2002181 "flowbits" "noalert; flowbits"
- 2002182 "flowbits" "noalert; flowbits"
- 2011502 "flowbits" "noalert; flowbits"
- 2011242 "flowbits" "noalert; flowbits"
- 2018408 "flowbits" "noalert; flowbits"
- 2018410 "flowbits" "noalert; flowbits"
- 2011503 "flowbits" "noalert; flowbits"
- 2013484 "flowbits" "noalert; flowbits"
- 2013485 "flowbits" "noalert; flowbits"
- 2023896 "flowbits" "noalert; flowbits"
- 2023897 "flowbits" "noalert; flowbits"
- 2011241 "flowbits" "noalert; flowbits"
- 2018031 "flowbits" "noalert; flowbits"
- 2030889 "flowbits" "noalert; flowbits"
- 2017568 "flowbits" "noalert; flowbits"
- 2017557 "flowbits" "noalert; flowbits"
- 2014646 "flowbits" "noalert; flowbits"
- 2014645 "flowbits" "noalert; flowbits"
- 2048739 "flowbits" "noalert; flowbits"
- 2048740 "flowbits" "noalert; flowbits"
- 2048741 "flowbits" "noalert; flowbits"
- 2048742 "flowbits" "noalert; flowbits"
- 2048737 "flowbits" "noalert; flowbits"
- 2048738 "flowbits" "noalert; flowbits"
- 2019752 "flowbits" "noalert; flowbits"
- 2053705 "flowbits" "noalert; flowbits"
- 2053706 "flowbits" "noalert; flowbits"
- 2014922 "flowbits" "noalert; flowbits"
- 2014923 "flowbits" "noalert; flowbits"
- 2014036 "flowbits" "noalert; flowbits"
- 2015849 "flowbits" "noalert; flowbits"
- 2016737 "flowbits" "noalert; flowbits"
- 2016831 "flowbits" "noalert; flowbits"
- 2015575 "flowbits" "noalert; flowbits"
- 2016785 "flowbits" "noalert; flowbits"
- 2016945 "flowbits" "noalert; flowbits"
- 2017328 "flowbits" "noalert; flowbits"
- 2017756 "flowbits" "noalert; flowbits"
- 2017757 "flowbits" "noalert; flowbits"
- 2017758 "flowbits" "noalert; flowbits"
- 2017759 "flowbits" "noalert; flowbits"
- 2018923 "flowbits" "noalert; flowbits"
- 2018924 "flowbits" "noalert; flowbits"
- 2020429 "flowbits" "noalert; flowbits"
- 2014099 "flowbits" "noalert; flowbits"
- 2022112 "flowbits" "noalert; flowbits"
- 2022193 "flowbits" "noalert; flowbits"
- 2017649 "flowbits" "noalert; flowbits"
- 2017648 "flowbits" "noalert; flowbits"
- 2016371 "flowbits" "noalert; flowbits"
- 2022464 "flowbits" "noalert; flowbits"
- 2025038 "flowbits" "noalert; flowbits"
- 2025039 "flowbits" "noalert; flowbits"
- 2016805 "flowbits" "noalert; flowbits"
- 2016924 "flowbits" "noalert; flowbits"
- 2017151 "flowbits" "noalert; flowbits"
- 2016798 "flowbits" "noalert; flowbits"
- 2018360 "flowbits" "noalert; flowbits"
- 2018361 "flowbits" "noalert; flowbits"
- 2019209 "flowbits" "noalert; flowbits"
- 2019358 "flowbits" "noalert; flowbits"
- 2021045 "flowbits" "noalert; flowbits"
- 2021137 "flowbits" "noalert; flowbits"
- 2022090 "flowbits" "noalert; flowbits"
- 2016923 "flowbits" "noalert; flowbits"
- 2024605 "flowbits" "noalert; flowbits"
- 2023277 "flowbits" "noalert; flowbits"
- 2023278 "flowbits" "noalert; flowbits"
- 2023280 "flowbits" "noalert; flowbits"
- 2023281 "flowbits" "noalert; flowbits"
- 2023283 "flowbits" "noalert; flowbits"
- 2023284 "flowbits" "noalert; flowbits"
- 2023285 "flowbits" "noalert; flowbits"
- 2023271 "flowbits" "noalert; flowbits"
- 2023272 "flowbits" "noalert; flowbits"
- 2023274 "flowbits" "noalert; flowbits"
- 2024612 "flowbits" "noalert; flowbits"
- 2018362 "flowbits" "noalert; flowbits"
- 2019765 "flowbits" "noalert; flowbits"
- 2019872 "flowbits" "noalert; flowbits"
- 2019844 "flowbits" "noalert; flowbits"
- 2019845 "flowbits" "noalert; flowbits"
- 2019846 "flowbits" "noalert; flowbits"
- 2019873 "flowbits" "noalert; flowbits"
- 2020994 "flowbits" "noalert; flowbits"
- 2021640 "flowbits" "noalert; flowbits"
- 2017706 "flowbits" "noalert; flowbits"
- 2019544 "flowbits" "noalert; flowbits"
- 2022771 "flowbits" "noalert; flowbits"
- 2023270 "flowbits" "noalert; flowbits"
- 2016787 "flowbits" "noalert; flowbits"
- 2019210 "flowbits" "noalert; flowbits"
- 2019359 "flowbits" "noalert; flowbits"
- 2019676 "flowbits" "noalert; flowbits"
- 2020317 "flowbits" "noalert; flowbits"
- 2020312 "flowbits" "noalert; flowbits"
- 2019917 "flowbits" "noalert; flowbits"
- 2021042 "flowbits" "noalert; flowbits"
- 2021620 "flowbits" "noalert; flowbits"
- 2020311 "flowbits" "noalert; flowbits"
- 2022465 "flowbits" "noalert; flowbits"
- 2021044 "flowbits" "noalert; flowbits"
- 2021043 "flowbits" "noalert; flowbits"
- 2018545 "flowbits" "noalert; flowbits"
- 2023480 "flowbits" "noalert; flowbits"
- 2022770 "flowbits" "noalert; flowbits"
- 2010732 "flowbits" "noalert; flowbits"
- 2010733 "flowbits" "noalert; flowbits"
- 2010734 "flowbits" "noalert; flowbits"
- 2010735 "flowbits" "noalert; flowbits"
- 2010736 "flowbits" "noalert; flowbits"
- 2010737 "flowbits" "noalert; flowbits"
- 2010738 "flowbits" "noalert; flowbits"
- 2010739 "flowbits" "noalert; flowbits"
- 2010740 "flowbits" "noalert; flowbits"
- 2002851 "flowbits" "noalert; flowbits"
- 2010731 "flowbits" "noalert; flowbits"
- 2002850 "flowbits" "noalert; flowbits"
- 2023017 "flowbits" "noalert; flowbits"
- 2023018 "flowbits" "noalert; flowbits"
- 2029424 "flowbits" "noalert; flowbits"
- 2029425 "flowbits" "noalert; flowbits"
- 2044538 "flowbits" "noalert; flowbits"
- 2044539 "flowbits" "noalert; flowbits"
- 2054406 "flowbits" "noalert; flowbits"
- 2016404 "flowbits" "noalert; flowbits"
- 2016646 "flowbits" "noalert; flowbits"
- 2016648 "flowbits" "noalert; flowbits"
- 2016651 "flowbits" "noalert; flowbits"
- 2016652 "flowbits" "noalert; flowbits"
- 2016653 "flowbits" "noalert; flowbits"
- 2025985 "flowbits" "noalert; flowbits"
- 2034094 "flowbits" "noalert; flowbits"
- 2034212 "flowbits" "noalert; flowbits"
- 2020888 "flowbits" "noalert; flowbits"
- 2016650 "flowbits" "noalert; flowbits"
- 2016647 "flowbits" "noalert; flowbits"
- 2016649 "flowbits" "noalert; flowbits"
- 2022996 "flowbits" "noalert; flowbits"
- 2036219 "flowbits" "noalert; flowbits"
- 2014954 "flowbits" "noalert; flowbits"
- 2025986 "flowbits" "noalert; flowbits"
- 2023715 "flowbits" "noalert; flowbits"
- 2023900 "flowbits" "noalert; flowbits"
- 2023713 "flowbits" "noalert; flowbits"
- 2022055 "flowbits" "noalert; flowbits"
- 2023892 "flowbits" "noalert; flowbits"
- 2025411 "flowbits" "noalert; flowbits"
- 2054242 "flowbits" "noalert; flowbits"
- 2054243 "flowbits" "noalert; flowbits"
- 2054405 "flowbits" "noalert; flowbits"
- 2030366 "flowbits" "noalert; flowbits"
- 2030367 "flowbits" "noalert; flowbits"
- 2009172 "flowbits" "noalert; flowbits"
- 2010695 "flowbits" "noalert; flowbits"
- 2010696 "flowbits" "noalert; flowbits"
- 2002974 "flowbits" "noalert; flowbits"
- 2002975 "flowbits" "noalert; flowbits"
- 2003549 "flowbits" "noalert; flowbits"
- 2003550 "flowbits" "noalert; flowbits"
- 2003551 "flowbits" "noalert; flowbits"
- 2003552 "flowbits" "noalert; flowbits"
- 2003553 "flowbits" "noalert; flowbits"
- 2003554 "flowbits" "noalert; flowbits"
- 2003556 "flowbits" "noalert; flowbits"
- 2003557 "flowbits" "noalert; flowbits"
- 2003558 "flowbits" "noalert; flowbits"
- 2003559 "flowbits" "noalert; flowbits"
- 2003560 "flowbits" "noalert; flowbits"
- 2003561 "flowbits" "noalert; flowbits"
- 2003562 "flowbits" "noalert; flowbits"
- 2003565 "flowbits" "noalert; flowbits"
- 2003563 "flowbits" "noalert; flowbits"
- 2003564 "flowbits" "noalert; flowbits"
- 2008320 "flowbits" "noalert; flowbits"
- 2008178 "flowbits" "noalert; flowbits"
- 2008805 "flowbits" "noalert; flowbits"
- 2008806 "flowbits" "noalert; flowbits"
- 2010152 "flowbits" "noalert; flowbits"
- 2010647 "flowbits" "noalert; flowbits"
- 2010648 "flowbits" "noalert; flowbits"
- 2010649 "flowbits" "noalert; flowbits"
- 2010650 "flowbits" "noalert; flowbits"
- 2010651 "flowbits" "noalert; flowbits"
- 2009238 "flowbits" "noalert; flowbits"
- 2009239 "flowbits" "noalert; flowbits"
- 2007751 "flowbits" "noalert; flowbits"
- 2006398 "flowbits" "noalert; flowbits"
- 2006399 "flowbits" "noalert; flowbits"
- 2009025 "flowbits" "noalert; flowbits"
- 2010101 "flowbits" "noalert; flowbits"
- 2013411 "flowbits" "noalert; flowbits"
- 2012961 "flowbits" "noalert; flowbits"
- 2003132 "flowbits" "noalert; flowbits"
- 2002032 "flowbits" "noalert; flowbits"
- 2002031 "flowbits" "noalert; flowbits"
- 2006911 "flowbits" "noalert; flowbits"
- 2003302 "flowbits" "noalert; flowbits"
- 2009128 "flowbits" "noalert; flowbits"
- 2009129 "flowbits" "noalert; flowbits"
- 2013420 "flowbits" "noalert; flowbits"
- 2013136 "flowbits" "noalert; flowbits"
- 2014805 "flowbits" "noalert; flowbits"
- 2008177 "flowbits" "noalert; flowbits"
- 2010100 "flowbits" "noalert; flowbits"
- 2012960 "flowbits" "noalert; flowbits"
- 2003115 "flowbits" "noalert; flowbits"
- 2017275 "flowbits" "noalert; flowbits"
- 2007752 "flowbits" "noalert; flowbits"
- 2017747 "flowbits" "noalert; flowbits"
- 2011544 "flowbits" "noalert; flowbits"
- 2018103 "flowbits" "noalert; flowbits"
- 2018291 "flowbits" "noalert; flowbits"
- 2018292 "flowbits" "noalert; flowbits"
- 2018059 "flowbits" "noalert; flowbits"
- 2018060 "flowbits" "noalert; flowbits"
- 2018061 "flowbits" "noalert; flowbits"
- 2018062 "flowbits" "noalert; flowbits"
- 2018063 "flowbits" "noalert; flowbits"
- 2018064 "flowbits" "noalert; flowbits"
- 2018065 "flowbits" "noalert; flowbits"
- 2018066 "flowbits" "noalert; flowbits"
- 2018067 "flowbits" "noalert; flowbits"
- 2018068 "flowbits" "noalert; flowbits"
- 2014758 "flowbits" "noalert; flowbits"
- 2014759 "flowbits" "noalert; flowbits"
- 2018466 "flowbits" "noalert; flowbits"
- 2018464 "flowbits" "noalert; flowbits"
- 2018626 "flowbits" "noalert; flowbits"
- 2018625 "flowbits" "noalert; flowbits"
- 2018622 "flowbits" "noalert; flowbits"
- 2018623 "flowbits" "noalert; flowbits"
- 2018855 "flowbits" "noalert; flowbits"
- 2018941 "flowbits" "noalert; flowbits"
- 2018963 "flowbits" "noalert; flowbits"
- 2018748 "flowbits" "noalert; flowbits"
- 2009026 "flowbits" "noalert; flowbits"
- 2008601 "flowbits" "noalert; flowbits"
- 2008602 "flowbits" "noalert; flowbits"
- 2008221 "flowbits" "noalert; flowbits"
- 2008222 "flowbits" "noalert; flowbits"
- 2008675 "flowbits" "noalert; flowbits"
- 2008676 "flowbits" "noalert; flowbits"
- 2008677 "flowbits" "noalert; flowbits"
- 2018465 "flowbits" "noalert; flowbits"
- 2020021 "flowbits" "noalert; flowbits"
- 2019242 "flowbits" "noalert; flowbits"
- 2020162 "flowbits" "noalert; flowbits"
- 2020163 "flowbits" "noalert; flowbits"
- 2020164 "flowbits" "noalert; flowbits"
- 2020165 "flowbits" "noalert; flowbits"
- 2020166 "flowbits" "noalert; flowbits"
- 2020297 "flowbits" "noalert; flowbits"
- 2020349 "flowbits" "noalert; flowbits"
- 2019739 "flowbits" "noalert; flowbits"
- 2020421 "flowbits" "noalert; flowbits"
- 2008380 "flowbits" "noalert; flowbits"
- 2008381 "flowbits" "noalert; flowbits"
- 2022131 "flowbits" "noalert; flowbits"
- 2022132 "flowbits" "noalert; flowbits"
- 2014560 "flowbits" "noalert; flowbits"
- 2022294 "flowbits" "noalert; flowbits"
- 2021527 "flowbits" "noalert; flowbits"
- 2023673 "flowbits" "noalert; flowbits"
- 2021630 "flowbits" "noalert; flowbits"
- 2024698 "flowbits" "noalert; flowbits"
- 2024697 "flowbits" "noalert; flowbits"
- 2024696 "flowbits" "noalert; flowbits"
- 2024695 "flowbits" "noalert; flowbits"
- 2024694 "flowbits" "noalert; flowbits"
- 2024751 "flowbits" "noalert; flowbits"
- 2024752 "flowbits" "noalert; flowbits"
- 2024755 "flowbits" "noalert; flowbits"
- 2024756 "flowbits" "noalert; flowbits"
- 2024774 "flowbits" "noalert; flowbits"
- 2024773 "flowbits" "noalert; flowbits"
- 2024775 "flowbits" "noalert; flowbits"
- 2024776 "flowbits" "noalert; flowbits"
- 2024778 "flowbits" "noalert; flowbits"
- 2024777 "flowbits" "noalert; flowbits"
- 2020838 "flowbits" "noalert; flowbits"
- 2021290 "flowbits" "noalert; flowbits"
- 2020566 "flowbits" "noalert; flowbits"
- 2025444 "flowbits" "noalert; flowbits"
- 2025445 "flowbits" "noalert; flowbits"
- 2026434 "flowbits" "noalert; flowbits"
- 2029187 "flowbits" "noalert; flowbits"
- 2029188 "flowbits" "noalert; flowbits"
- 2013419 "flowbits" "noalert; flowbits"
- 2020348 "flowbits" "noalert; flowbits"
- 2020296 "flowbits" "noalert; flowbits"
- 2008291 "flowbits" "noalert; flowbits"
- 2008292 "flowbits" "noalert; flowbits"
- 2018478 "flowbits" "noalert; flowbits"
- 2024772 "flowbits" "noalert; flowbits"
- 2017274 "flowbits" "noalert; flowbits"
- 2020028 "flowbits" "noalert; flowbits"
- 2020420 "flowbits" "noalert; flowbits"
- 2018463 "flowbits" "noalert; flowbits"
- 2024604 "flowbits" "noalert; flowbits"
- 2032908 "flowbits" "noalert; flowbits"
- 2032909 "flowbits" "noalert; flowbits"
- 2032914 "flowbits" "noalert; flowbits"
- 2018283 "flowbits" "noalert; flowbits"
- 2034534 "flowbits" "noalert; flowbits"
- 2034533 "flowbits" "noalert; flowbits"
- 2019628 "flowbits" "noalert; flowbits"
- 2018058 "flowbits" "noalert; flowbits"
- 2018624 "flowbits" "noalert; flowbits"
- 2003116 "flowbits" "noalert; flowbits"
- 2024753 "flowbits" "noalert; flowbits"
- 2024754 "flowbits" "noalert; flowbits"
- 2034631 "flowbits" "noalert; flowbits"
- 2034632 "flowbits" "noalert; flowbits"
- 2035362 "flowbits" "noalert; flowbits"
- 2033109 "flowbits" "noalert; flowbits"
- 2033110 "flowbits" "noalert; flowbits"
- 2033111 "flowbits" "noalert; flowbits"
- 2033112 "flowbits" "noalert; flowbits"
- 2046295 "flowbits" "noalert; flowbits"
- 2046921 "flowbits" "noalert; flowbits"
- 2020030 "flowbits" "noalert; flowbits"
- 2033183 "flowbits" "noalert; flowbits"
- 2033182 "flowbits" "noalert; flowbits"
- 2033184 "flowbits" "noalert; flowbits"
- 2013135 "flowbits" "noalert; flowbits"
- 2022572 "flowbits" "noalert; flowbits"
- 2026460 "flowbits" "noalert; flowbits"
- 2023290 "flowbits" "noalert; flowbits"
- 2023316 "flowbits" "noalert; flowbits"
- 2023315 "flowbits" "noalert; flowbits"
- 2022340 "flowbits" "noalert; flowbits"
- 2022339 "flowbits" "noalert; flowbits"
- 2020837 "flowbits" "noalert; flowbits"
- 2023291 "flowbits" "noalert; flowbits"
- 2022573 "flowbits" "noalert; flowbits"
- 2018620 "flowbits" "noalert; flowbits"
- 2047765 "flowbits" "noalert; flowbits"
- 2047763 "flowbits" "noalert; flowbits"
- 2047764 "flowbits" "noalert; flowbits"
- 2014234 "flowbits" "noalert; flowbits"
- 2020027 "flowbits" "noalert; flowbits"
- 2019344 "flowbits" "noalert; flowbits"
- 2019345 "flowbits" "noalert; flowbits"
- 2018281 "flowbits" "noalert; flowbits"
- 2035361 "flowbits" "noalert; flowbits"
- 2018282 "flowbits" "noalert; flowbits"
- 2050083 "flowbits" "noalert; flowbits"
- 2050094 "flowbits" "noalert; flowbits"
- 2013285 "flowbits" "noalert; flowbits"
- 2013194 "flowbits" "noalert; flowbits"
- 2013193 "flowbits" "noalert; flowbits"
- 2002199 "flowbits" "noalert; flowbits"
- 2002200 "flowbits" "noalert; flowbits"
- 2002201 "flowbits" "noalert; flowbits"
- 2002202 "flowbits" "noalert; flowbits"
- 2002203 "flowbits" "noalert; flowbits"
- 2103094 "flowbits" "noalert; flowbits"
- 2103095 "flowbits" "noalert; flowbits"
- 2103198 "flowbits" "noalert; flowbits"
- 2103197 "flowbits" "noalert; flowbits"
- 2103092 "flowbits" "noalert; flowbits"
- 2103093 "flowbits" "noalert; flowbits"
- 2103142 "flowbits" "noalert; flowbits"
- 2103096 "flowbits" "noalert; flowbits"
- 2102349 "flowbits" "noalert; flowbits"
- 2102348 "flowbits" "noalert; flowbits"
- 2102192 "flowbits" "noalert; flowbits"
- 2102508 "flowbits" "noalert; flowbits"
- 2102514 "flowbits" "noalert; flowbits"
- 2103143 "flowbits" "noalert; flowbits"
- 2103144 "flowbits" "noalert; flowbits"
- 2103145 "flowbits" "noalert; flowbits"
- 2103146 "flowbits" "noalert; flowbits"
- 2103135 "flowbits" "noalert; flowbits"
- 2103136 "flowbits" "noalert; flowbits"
- 2103137 "flowbits" "noalert; flowbits"
- 2103138 "flowbits" "noalert; flowbits"
- 2103139 "flowbits" "noalert; flowbits"
- 2103140 "flowbits" "noalert; flowbits"
- 2103141 "flowbits" "noalert; flowbits"
- 2103091 "flowbits" "noalert; flowbits"
- 2003308 "flowbits" "noalert; flowbits"
- 2003309 "flowbits" "noalert; flowbits"
- 2030172 "flowbits" "noalert; flowbits"
- 2030173 "flowbits" "noalert; flowbits"
- 2030174 "flowbits" "noalert; flowbits"
- 2035447 "flowbits" "noalert; flowbits"
- 2024059 "flowbits" "noalert; flowbits"
- 2052140 "flowbits" "noalert; flowbits"
- 2027956 "flowbits" "noalert; flowbits"
- 2031757 "flowbits" "noalert; flowbits"
- 2031983 "flowbits" "noalert; flowbits"
- 2032684 "flowbits" "noalert; flowbits"
- 2032689 "flowbits" "noalert; flowbits"
- 2032706 "flowbits" "noalert; flowbits"
- 2025005 "flowbits" "noalert; flowbits"
- 2032681 "flowbits" "noalert; flowbits"
- 2025025 "flowbits" "noalert; flowbits"
- 2025024 "flowbits" "noalert; flowbits"
- 2025023 "flowbits" "noalert; flowbits"
- 2025022 "flowbits" "noalert; flowbits"
- 2025021 "flowbits" "noalert; flowbits"
- 2002922 "flowbits" "noalert; flowbits"
- 2002920 "flowbits" "noalert; flowbits"
- 2003026 "flowbits" "noalert; flowbits"
- 2004598 "flowbits" "noalert; flowbits"
- 2003027 "flowbits" "noalert; flowbits"
- 2003028 "flowbits" "noalert; flowbits"
- 2003029 "flowbits" "noalert; flowbits"
- 2003030 "flowbits" "noalert; flowbits"
- 2003033 "flowbits" "noalert; flowbits"
- 2003035 "flowbits" "noalert; flowbits"
- 2003036 "flowbits" "noalert; flowbits"
- 2003037 "flowbits" "noalert; flowbits"
- 2003038 "flowbits" "noalert; flowbits"
- 2003934 "flowbits" "noalert; flowbits"
- 2008543 "flowbits" "noalert; flowbits"
- 2003002 "flowbits" "noalert; flowbits"
- 2003003 "flowbits" "noalert; flowbits"
- 2003004 "flowbits" "noalert; flowbits"
- 2003005 "flowbits" "noalert; flowbits"
- 2003008 "flowbits" "noalert; flowbits"
- 2003009 "flowbits" "noalert; flowbits"
- 2003010 "flowbits" "noalert; flowbits"
- 2003011 "flowbits" "noalert; flowbits"
- 2003014 "flowbits" "noalert; flowbits"
- 2003015 "flowbits" "noalert; flowbits"
- 2003018 "flowbits" "noalert; flowbits"
- 2003019 "flowbits" "noalert; flowbits"
- 2003020 "flowbits" "noalert; flowbits"
- 2003021 "flowbits" "noalert; flowbits"
- 2003007 "flowbits" "noalert; flowbits"
- 2003012 "flowbits" "noalert; flowbits"
- 2003013 "flowbits" "noalert; flowbits"
- 2006408 "flowbits" "noalert; flowbits"
- 2003410 "flowbits" "noalert; flowbits"
- 2014264 "flowbits" "noalert; flowbits"
- 2014265 "flowbits" "noalert; flowbits"
- 2003479 "flowbits" "noalert; flowbits"
- 2003480 "flowbits" "noalert; flowbits"
- 2001973 "flowbits" "noalert; flowbits"
- 2001974 "flowbits" "noalert; flowbits"
- 2001979 "flowbits" "noalert; flowbits"
- 2013936 "flowbits" "noalert; flowbits"
- 2022325 "flowbits" "noalert; flowbits"
- 2022326 "flowbits" "noalert; flowbits"
- 2001975 "flowbits" "noalert; flowbits"
- 2001976 "flowbits" "noalert; flowbits"
- 2001981 "flowbits" "noalert; flowbits"
- 2001982 "flowbits" "noalert; flowbits"
- 2001980 "flowbits" "noalert; flowbits"
- 2003006 "flowbits" "noalert; flowbits"
- 2029745 "flowbits" "noalert; flowbits"
- 2001977 "flowbits" "noalert; flowbits"
- 2001983 "flowbits" "noalert; flowbits"
- 2023197 "flowbits" "noalert; flowbits"
- 2017168 "flowbits" "noalert; flowbits"
- 2018104 "flowbits" "noalert; flowbits"
- 2017169 "flowbits" "noalert; flowbits"
- 2017170 "flowbits" "noalert; flowbits"
- 2017171 "flowbits" "noalert; flowbits"
- 2019954 "flowbits" "noalert; flowbits"
- 2020161 "flowbits" "noalert; flowbits"
- 2017126 "flowbits" "noalert; flowbits"
- 2013280 "flowbits" "noalert; flowbits"
- 2016396 "flowbits" "noalert; flowbits"
- 2016397 "flowbits" "noalert; flowbits"
- 2016400 "flowbits" "noalert; flowbits"
- 2016401 "flowbits" "noalert; flowbits"
- 2019953 "flowbits" "noalert; flowbits"
- 2017125 "flowbits" "noalert; flowbits"
- 2020159 "flowbits" "noalert; flowbits"
- 2024689 "flowbits" "noalert; flowbits"
- 2024690 "flowbits" "noalert; flowbits"
- 2025084 "flowbits" "noalert; flowbits"
- 2025083 "flowbits" "noalert; flowbits"
- 2025082 "flowbits" "noalert; flowbits"
- 2010897 "flowbits" "noalert; flowbits"
- 2010896 "flowbits" "noalert; flowbits"
- 2010890 "flowbits" "noalert; flowbits"
- 2010891 "flowbits" "noalert; flowbits"
- 2010892 "flowbits" "noalert; flowbits"
- 2010893 "flowbits" "noalert; flowbits"
- 2010894 "flowbits" "noalert; flowbits"
- 2010895 "flowbits" "noalert; flowbits"
- 2520109 "flowbits" "noalert; flowbits"
- 2520110 "flowbits" "noalert; flowbits"
- 2520111 "flowbits" "noalert; flowbits"
- 2522781 "flowbits" "noalert; flowbits"
- 2522782 "flowbits" "noalert; flowbits"
- 2522783 "flowbits" "noalert; flowbits"
- 2522784 "flowbits" "noalert; flowbits"
- 2522785 "flowbits" "noalert; flowbits"
- 2522786 "flowbits" "noalert; flowbits"
- 2522787 "flowbits" "noalert; flowbits"
- 2522788 "flowbits" "noalert; flowbits"
- 2522789 "flowbits" "noalert; flowbits"
- 2522790 "flowbits" "noalert; flowbits"
- 2522791 "flowbits" "noalert; flowbits"
- 2522792 "flowbits" "noalert; flowbits"
- 2522793 "flowbits" "noalert; flowbits"
- 2522794 "flowbits" "noalert; flowbits"

`

[defensivedepth]

Ok, you need to remove - re:DNS Query from /opt/so/saltstack/local/pillar/idstools/soc_idstools.sls , run sudo salt-call state.apply idstools and then sync suricata in Detections. Give it an hour or so and then lets go from there.

[sleepingbel]

Thx Josh