Disable rules from terminal #14055

intsec · 2024-12-30T12:39:50Z

intsec
Dec 30, 2024

Version

2.4.110

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

8

RAM

32

Storage for /

200G

Storage for /nsm

320G

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

No, one or more services are failed (please provide detail below)

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

I have turned on all the alert rules for my SO and now I can't get elastalert to start, it shows it is missing. I can't disable them from the web interface since I receive an error window at the top of the page. When ever I reboot the server is horribly slow and I really believe it's because of the alerts. Once it stops being slow, usually a day, I can start moving around the manager in a terminal. Where can I disable these rules? I have gone in the the so/rules directory and have removed the rules from there but they keep coming back.

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

defensivedepth · 2025-01-03T14:24:21Z

defensivedepth
Jan 3, 2025
Maintainer

I can't disable them from the web interface since I receive an error window at the top of the page.

Please post the error so that we can troubleshoot further.

0 replies

intsec · 2025-01-03T15:08:41Z

intsec
Jan 3, 2025
Author

This is the error popup. ***@***.*** From: Josh Brower ***@***.***> Sent: Friday, January 3, 2025 9:25 AM To: Security-Onion-Solutions/securityonion ***@***.***> Cc: Eric Vanderveer ***@***.***>; Author ***@***.***> Subject: Re: [Security-Onion-Solutions/securityonion] Disable rules from terminal (Discussion #14055) I can't disable them from the web interface since I receive an error window at the top of the page. Please post the error so that we can troubleshoot further. — Reply to this email directly, view it on GitHub<#14055 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ATLMUC5H4OUW4PAP2JAQW332I2MSXAVCNFSM6AAAAABUL7U4SCVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTCNZSGYYTSOA>. You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>

0 replies

intsec · 2025-01-07T18:49:40Z

intsec
Jan 7, 2025
Author

Looks like I can't email reply with a screenshot. Here is the error.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Disable rules from terminal #14055

{{title}}

Replies: 3 comments

{{title}}

{{title}}

{{title}}

Select a reply

Disable rules from terminal #14055

intsec Dec 30, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 3 comments

defensivedepth Jan 3, 2025 Maintainer

intsec Jan 3, 2025 Author

intsec Jan 7, 2025 Author

intsec
Dec 30, 2024

defensivedepth
Jan 3, 2025
Maintainer

intsec
Jan 3, 2025
Author

intsec
Jan 7, 2025
Author