I’m seeing these errors occur with the Soteria rule set, mainly for macOS detections. Here is the error I caught today.
c2/analytics/rules/service.MAC-Possible_Shlayer_Installation
rule produced too many states @ [GUID]
This isn’t causing any performance issues on my side or missing any detections (as far as I know). This is more of an FYI for tuning the ruleset if there are errors in the rule.
I’ll add to this thread when/if I catch the other macOS detections that generate the same or similar errors.
EDIT: this is for the soteria-rules-edr paid rule set.
Thanks Josh. This error is because the rule looks for several events happening in succession. In LimaCharlie, if the first event triggers, it tries to “remember” that for a while to see if any of the subsequent indicators appear. If the second event occurs, it maintains another state to remember that. In cases where all conditions are not met (which is the overwhelming majority of the time), the LC detection engine will eventually drop the state, which creates this error. This is fine, as true positives for this detection will occur in short succession and would not be affected. But it does create a lot of error messages (we see them too). We are looking at how we can create this detection in a way that avoids these errors, but still works. In the meantime, we have decided to live with the errors.
Hopefully this makes sense. Happy to chat further if it would be helpful.
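An added illustration of the mechanism described in the reply above (not LimaCharlie's engine or the Soteria rule itself): a toy sequence detector that remembers partial matches per host, drops them once the window passes, and flags when open states pile up. The event names, window and state cap are constructed for the example.

```python
from dataclasses import dataclass, field

# Illustrative three-step indicator chain (constructed; not the actual Soteria rule logic).
SEQUENCE = ("download", "quarantine_cleared", "unsigned_exec")
WINDOW = 60        # seconds a partial match is remembered before being dropped
STATE_LIMIT = 3    # hypothetical per-host cap that would trigger a "too many states" log

@dataclass
class SequenceEngine:
    states: list = field(default_factory=list)      # open partial matches
    detections: list = field(default_factory=list)  # (host, ts) of completed chains
    dropped: int = 0                                # partial matches expired unfulfilled
    warnings: list = field(default_factory=list)    # (host, ts) where the cap was exceeded

    def feed(self, host, event, ts):
        """Process one event; return the number of open states for this host."""
        # 1. Expire partial matches whose window has elapsed (the common, benign case).
        live = [s for s in self.states if ts - s["started"] <= WINDOW]
        self.dropped += len(self.states) - len(live)
        self.states = live
        # 2. Advance any open state on this host that is waiting for exactly this event.
        kept = []
        for s in self.states:
            if s["host"] == host and SEQUENCE[s["stage"]] == event:
                s["stage"] += 1
                if s["stage"] == len(SEQUENCE):   # whole chain seen in order -> detection
                    self.detections.append((host, ts))
                    continue
            kept.append(s)
        self.states = kept
        # 3. A first-stage event always opens a fresh state so the engine "remembers" it.
        if event == SEQUENCE[0]:
            self.states.append({"host": host, "stage": 1, "started": ts})
        open_here = sum(1 for s in self.states if s["host"] == host)
        if open_here > STATE_LIMIT:
            self.warnings.append((host, ts))
        return open_here

def run(events):
    """Replay (host, event, ts) tuples through a fresh engine and return it."""
    eng = SequenceEngine()
    for host, event, ts in events:
        eng.feed(host, event, ts)
    return eng

# Constructed sample stream: host A downloads repeatedly with nothing following
# (benign noise that accumulates state); host B completes the chain inside the window.
SAMPLE = [
    ("A", "download", 0), ("A", "download", 5), ("A", "download", 10),
    ("A", "download", 15),
    ("B", "download", 20), ("B", "quarantine_cleared", 25), ("B", "unsigned_exec", 30),
    ("A", "download", 100),   # by now all of A's earlier states have expired
]
```

Replaying `SAMPLE` yields one detection for host B, four dropped states for host A, and one cap warning raised while A's partial matches were still piling up.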
Thanks @Paul_Ihme.
That’s really helpful information, appreciate you taking the time to walk through that.
Also, that’s cool you can see the errors on your side. I wasn’t sure if you could so it was more of an FYI to help with troubleshooting if you needed it.
Thanks for reaching out - always best to confirm!