New 2.4.111 Install - Elastalert Rule Mismatch

[murph146]

Version

2.4.111

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

12

RAM

32

Storage for /

300

Storage for /nsm

200

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

I just did a fresh install of 2.4.111 with no custom modifications to rules or alerts and detection page is showing an Elastalert Rule Mismatch. Reboot clears the error and then 15-20 minutes it comes back. Hunt shows integrity check failed; discrepancies found. Not positive but it seems like a similar issue or the same was reported to be resolved in an earlier 2.4 release. What's the easiest way to resolve this or do I just reinstall since I haven't put much time into this fresh install yet.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[rh-ops]

Yeah if you're open to doing a fresh install, lets try that and see if the issue persists. Also I'd recommend swapping your / and nsm partitions while you're at it. The nsm should be the one with the most space.

[SanibelJack]

Anyone else have any other recommendations besides a reinstall?

[rh-ops]

If you're dealing with a similar issue, please create a new discussion post for it.

[murph146]

It looks like maybe i spoke too soon because the issue has re-appeared. I see it says there's a discrepancy found which is the same message i was getting before i did the rebuild as recommended, but I don't see what the discrepancies are. Would prepfer to not rebuild this again if possible so any help would be appreciated.

[defensivedepth]

@murph146 @SanibelJack We have confirmed that there is an issue with a recently-updated Sigma rule - 24e3e58a-646b-4b50-adef-02ef935b9fc8 - Hacktool Execution - Imphash

For now, search for that rule in Detections and disable it. It will clear up the mismatch.

Our next release will fix the field mapping for that rule.