
List:       security-onion
Subject:    Re: [security-onion] Sguil unable to find matching rule
From:       Doug Burks <doug.burks () gmail ! com>
Date:       2014-02-26 12:28:16
Message-ID: CAK8kjrBEKb7huVFUC7qGVdbg3tn7xCJYZ8z9yOzTMjthFLGGow () mail ! gmail ! com

Hi MadMorb,

Yes, if you have alerts that were generated by the ET rules but you've
since removed the ET rules from your ruleset, then sguild will not be
able to locate the rule in /etc/nsm/rules/downloaded.rules and will
display "unable to find matching rule".

In the future, please start a new thread instead of replying to old ones.

On Tue, Feb 25, 2014 at 2:55 PM, MadMorb <rjmfphotography@gmail.com> wrote:
> Similar problem, "unable to find matching rule".  I show the following:
> 
> drwxrwxr-x 3 sguil sguil 4.0K Feb 24 17:35 .
> drwxrwxr-x 5 sguil sguil 4.0K Feb 24 17:35 ..
> lrwxrwxrwx 1 root  root    14 Feb 24 17:35 default -> /etc/nsm/rules
> drwxr-xr-x 2 root  root  4.0K Feb 24 17:35 NULL
> lrwxrwxrwx 1 root  root    14 Feb 24 17:35 SMTRTEST-eth0 -> /etc/nsm/rules
> lrwxrwxrwx 1 root  root    14 Feb 24 17:35 SMTRTEST-eth0-1 -> /etc/nsm/rules
> lrwxrwxrwx 1 root  root    14 Feb 24 17:35 SMTRTEST-eth0-2 -> /etc/nsm/rules
> 
> Running sub-rules, previously running sub, reg, and ET.  Removed ET...any chance that's the issue here?



-- 
Doug Burks

-- 
You received this message because you are subscribed to the Google Groups "security-onion" group. To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com. To post to this group, send email to security-onion@googlegroups.com. Visit this group at http://groups.google.com/group/security-onion. For more options, visit https://groups.google.com/groups/opt_out.
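The check Doug describes (sguild looking up an alert's sid in /etc/nsm/rules/downloaded.rules and failing when the rule has since been removed) can be reproduced offline before anyone stares at "unable to find matching rule" in the console. The script below is an added example, not code from this thread or from Security Onion: it indexes a Snort-style rules file by `sid:`, then classifies each alert's sid as present, present but at a different `rev:`, commented out, or absent. The rules file and the alerts are constructed samples with made-up sids; treating a `#`-prefixed rule as "disabled" rather than "found" is an assumption about sguild's lookup, not behaviour the thread confirms.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed stand-in for /etc/nsm/rules/downloaded.rules after a ruleset
# was dropped. The sids (9000001..9000003) and messages are made up.
SAMPLE_RULES = """\
# constructed sample rules file
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute force attempt"; flow:to_server; classtype:attempted-admin; sid:9000001; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP echo request"; itype:8; classtype:misc-activity; sid:9000002; rev:2;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL IRC nick change"; flow:to_server,established; content:"NICK "; nocase; classtype:policy-violation; sid:9000003; rev:1;)
"""


class Alert(NamedTuple):
    """The fields sguil needs to look a rule up: generator id, sid, rev, msg."""
    gid: int
    sid: int
    rev: int
    signature: str


# Constructed alerts as they would sit in the sguil database. The last one
# came from a ruleset that is no longer in downloaded.rules (sid 9000004).
SAMPLE_ALERTS = [
    Alert(1, 9000001, 3, "LOCAL SSH brute force attempt"),
    Alert(1, 9000002, 1, "LOCAL ICMP echo request"),
    Alert(1, 9000003, 1, "LOCAL IRC nick change"),
    Alert(1, 9000004, 2, "ET EXAMPLE alert from a removed ruleset"),
]

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


class RuleEntry(NamedTuple):
    text: str
    rev: Optional[int]
    enabled: bool


def index_rules(rules_text: str) -> Dict[int, RuleEntry]:
    """Map sid -> rule for every rule line, remembering whether it is commented out.

    Assumption: a leading '#' marks a disabled rule (Security Onion's usual
    convention); plain comments without a sid are skipped.
    """
    index: Dict[int, RuleEntry] = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue  # ordinary comment or malformed line: nothing to index
        rev_m = REV_RE.search(body)
        rev = int(rev_m.group(1)) if rev_m else None
        index[int(sid_m.group(1))] = RuleEntry(body, rev, enabled)
    return index


def resolve_alerts(alerts: List[Alert], index: Dict[int, RuleEntry]) -> Dict[Alert, str]:
    """Classify each alert as 'ok', 'rev-mismatch', 'disabled' or 'missing'."""
    status: Dict[Alert, str] = {}
    for alert in alerts:
        entry = index.get(alert.sid)
        if entry is None:
            status[alert] = "missing"        # the "unable to find matching rule" case
        elif not entry.enabled:
            status[alert] = "disabled"
        elif entry.rev is not None and entry.rev != alert.rev:
            status[alert] = "rev-mismatch"   # rule text changed since the alert fired
        else:
            status[alert] = "ok"
    return status


def unresolved_sids(alerts: List[Alert], rules_text: str) -> List[int]:
    """Return the sids that sguild would not find at all, sorted."""
    status = resolve_alerts(alerts, index_rules(rules_text))
    return sorted(a.sid for a, s in status.items() if s == "missing")


if __name__ == "__main__":
    # Real use: read the file instead of the constructed sample.
    # with open("/etc/nsm/rules/downloaded.rules") as fh: rules_text = fh.read()
    for alert, state in resolve_alerts(SAMPLE_ALERTS, index_rules(SAMPLE_RULES)).items():
        print(f"{state:13s} gid={alert.gid} sid={alert.sid} rev={alert.rev} {alert.signature}")
```

Run against the constructed data it reports one `ok`, one `rev-mismatch`, one `disabled` and one `missing` alert; point `rules_text` at the live downloaded.rules and feed it the sids from the alerts that show the error to confirm whether removing a ruleset, rather than a broken symlink or a parsing problem, is the cause.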

