Applied the latest feeds update this morning and it totally broke HIDS on my USM and remote sensors. Logs show the following:
2017/10/17 13:01:56 testrule: INFO: Reading decoder file alienvault/decoders/decoder.xml.
2017/10/17 13:01:56 testrule: INFO: Reading decoder file alienvault/decoders/local_decoder.xml.
2017/10/17 13:01:56 rules_list: Signature ID '7701' not found. Invalid 'if_sid'.
which I believe relates to the supposed new Windows Defender improvements listed in the announcement below. Commenting out the following lines allows HIDS to start back up:
HIDS rules and decoders
How to enable new HIDS rules
- Updated AlienVault-HIDS rules to generate events for Microsoft Antimalware alerts for scans started/finished and malware detections.
- Additional changes in AlienVault-HIDS rules and decoders in preparation for an upcoming upgrade of the USM Appliance HIDS.