Strelka Sync Failed

[BradMic]

Version

2.4.211

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32GB

Storage for /

290GB

Storage for /nsm

1TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

On the Detections page in the SOC, Strelka is showing as Sync Failed. When I click on it, Hunt shows failed to sync community rules

I've attempted to download the rules manually by using curl and wget and going to the url shown in SOC>Configuration>soc>config>server>modules>suricataengine>rulesetSources>default>Emerging-Threats>Source Path>https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz which fails with wget showing an HTTP 410 error.

If I spoof the User-Agent header then the manual download works.

Has anyone else experienced this?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

I know you said Strelka, but sounds like you are having issues with Suricata rules.

Would you check /opt/so/log/soc/sensoroni-server.log for any further clues. Look for the errors in there.

Are you using ETOPEN or ETPRO ruleset?

[BradMic]

The upper right of the Detections page says
Elastalert: OK
Strelka: Sync Failed
Suricata: OK

We're using the ETOPEN ruleset.

Here is the only error message I found in /opt/so/log/soc/sensoroni-server.log:

{"fields":{"detectionengine":"strelka"'error":"state file present but 0 community rules found", "syncid":e2ad5807-d24f-4f21-85c7-15405ffa27e5"},"level":"error","timestamp":"2026-05-29T12:13:29.927649219Z", "message":" failed to sync community rules"}

This seems related to the previous error message:

{"fields":{"detectionengine":"strelka"'expectedStartTime":""2026-05-29T12:18:29Z", "forceSync":true,"lastSyncSuccess":"false""waitTimeSeconds":"300","level":"info","timestamp":"2026-05-29T12:13:29.92766611Z", "message":"waiting for next community rules sync"}

Is there a way to change the User-Agent header for the community rules download to test my theory that that is the issue?

Thanks,
Brad

[cm-ops]

Okay, thanks. When you try and reach Emerging Threats, that is for Suricata rules.

For Strelka, try this. At the CLI, remove this file - /opt/so/conf/soc/fingerprints/strelkaengine.state Restart the SOC container, sudo so-soc-restart and then try and synchronize the Strelka rule in Detections with a Full Update.