Truing up deleted rules with threshold file

Sometimes I’ll see things like:
8/6/2023 -- 08:23:27 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2044749, gid 1: unknown rule

When I create the threshold entry, I have a copy of when it hit, so I know that sig did exist at some point. How can I automatically true up what’s been deleted from my threshold file? Thank you.

I don’t have experience in that area, but would it be possible to keep your threshold file under version control?

Eh…it would almost need to grep out the SIDs and bounce them off the current suricata.rules file to see if the SID is at least there.

It would be interesting to see if it would be possible to have suricata-update handle that in the future since it is aware of the status of rules.

Currently though, as you said, you would need to have a list of active/enabled sids and run that against your threshold contents. I am not sure of any options in the current suricata or related tools that would do it automagically for you.

JT

1 Like
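The check described above (pull the sids out of the threshold file and compare them against the sids that are actually enabled in suricata.rules) as an added worked example; this is not code from the thread, from Suricata or from suricata-update. It assumes the stock threshold.config syntax (`suppress`/`threshold`/`event_filter`/`rate_filter ... sig_id N`) and the suricata-update convention that a disabled rule is left in the file but commented out, so a commented line is treated as not loaded. Both input files below are constructed samples; the sid 2044749 is the one from the warning in the original post.

```python
"""Find threshold.config entries whose sid is no longer in suricata.rules.

Suricata logs "can't suppress sid N, gid 1: unknown rule" when a threshold
entry names a sid that is not loaded. This added example lists such stale
entries and can emit a copy of the threshold file with them commented out
(not deleted), so the history of what was suppressed is kept.
"""
import re
import sys
from typing import List, Set, Tuple

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")      # sid:1000001;
SIG_ID_RE = re.compile(r"\bsig_id\s+(\d+)")        # sig_id 1000001

# Constructed sample rule set. The second rule is commented out, which is how
# suricata-update disables a rule: the sid is still in the file but not loaded.
SAMPLE_RULES = """\
alert tcp any any -> any 22 (msg:"CONSTRUCTED ssh example"; sid:1000001; rev:1;)
# alert tcp any any -> any 23 (msg:"CONSTRUCTED disabled telnet example"; sid:1000002; rev:1;)
alert http any any -> any any (msg:"CONSTRUCTED http example"; flow:established; sid:1000003; rev:2;)
"""

# Constructed sample threshold.config. sig_id 0 is the "all rules" wildcard.
SAMPLE_THRESHOLD = """\
# constructed threshold.config
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.0.0.5
suppress gen_id 1, sig_id 1000002
threshold gen_id 1, sig_id 1000003, type limit, track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 0, type threshold, track by_src, count 10, seconds 60
suppress gen_id 1, sig_id 2044749
"""


def active_sids(rules_text: str) -> Set[int]:
    """Return the sids of rules Suricata will actually load (not commented out)."""
    sids: Set[int] = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            sids.add(int(m.group(1)))
    return sids


def threshold_entries(threshold_text: str) -> List[Tuple[int, int, str]]:
    """Return (line_number, sid, line) for every entry that names a specific sid.

    Blank lines, comments and the sig_id 0 wildcard are skipped: the wildcard
    applies to all rules and can never be "unknown".
    """
    entries: List[Tuple[int, int, str]] = []
    for lineno, line in enumerate(threshold_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SIG_ID_RE.search(stripped)
        if not m:
            continue
        sid = int(m.group(1))
        if sid == 0:
            continue
        entries.append((lineno, sid, stripped))
    return entries


def stale_entries(threshold_text: str, rules_text: str) -> List[Tuple[int, int, str]]:
    """Entries whose sid is absent from, or disabled in, the rule set."""
    active = active_sids(rules_text)
    return [e for e in threshold_entries(threshold_text) if e[1] not in active]


def prune_threshold(threshold_text: str, rules_text: str) -> str:
    """Return threshold_text with stale entries commented out rather than removed."""
    stale_lines = {lineno for lineno, _, _ in stale_entries(threshold_text, rules_text)}
    out: List[str] = []
    for lineno, line in enumerate(threshold_text.splitlines(), start=1):
        if lineno in stale_lines:
            out.append(f"# STALE (sid not in suricata.rules): {line}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python check_threshold.py /etc/suricata/threshold.config \
    #            /var/lib/suricata/rules/suricata.rules
    # With no arguments the constructed samples above are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            threshold_text = fh.read()
        with open(sys.argv[2]) as fh:
            rules_text = fh.read()
    else:
        threshold_text, rules_text = SAMPLE_THRESHOLD, SAMPLE_RULES
    for lineno, sid, line in stale_entries(threshold_text, rules_text):
        print(f"line {lineno}: sid {sid} not in active rules: {line}")
```

Run it from the same update script that calls suricata-update; stale entries are reported by line number, and `prune_threshold` gives a version of the file that Suricata will load without the warning while keeping the old entries visible for review.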

Maybe we could have a feature request on redmine, then the team can see how doable that is? :stuck_out_tongue:

Yeah, I was thinking suri update for that. For now I’ll just do it manually in the update script…thank you.

Yeah, good call…I’ll get that started, thanks.

Ugh…no login…I don’t suppose some kind soul could save me the hassle of registering maybe :smiley:

XD I can create the ticket, but I might lack the details for a good description. I’ll point to this discussion.

Good luck with the manual process, for now!

1 Like

I hope that helps :slight_smile:

Thank you much!

Do check out the answer on the ticket, might be helpful? :slight_smile:

Brilliant…thank you…Jason Ish FTW as usual :slight_smile:

1 Like

Untested is the keyword here :slight_smile:. But I’m inspired now to nurse this feature back to a working and documented state.

1 Like

Happy to help! And by “help” I mean “make more work for you” :smiley: