I've moved from ET Telemetry Pro to ET Open and I have activated a set of rules.
I now see alerts in IDS/IPS like this:
ET COMPROMISED Known Compromised or Hostile Host Traffic group 18
but the action is 'allowed'.
Why?
The answer is: you need to set a Policy.
(Not that it works yet, 'apply' never completes, but that is another issue. In theory it works.)
@gctwnl
Did you check the log? I tried to add Threatfox but found that it didn't complete either.
The log shows:
Error suricata [100110] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"slotgamings.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1047040/; target:src_ip; metadata: confidence_level 50, first_seen 2022_12_14; classtype:trojan-activity; sid:9104704" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 70885
Error suricata [100110] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - no terminating ";" found
So it would appear there is a missing ";" on the line.
I need to recheck the rule file.
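The parse error above is the kind of thing a quick pre-flight check over a rule file can catch before Suricata refuses the whole file. The following is an added example, not code from this thread, from Suricata or from OPNsense: a small Python linter that splits each rule's option section on `;` (ignoring semicolons inside quoted content), reports a last option that lacks its terminating `;`, and returns the file line number, mirroring the "no terminating ";" found" message. The rules it runs on are constructed here (placeholder domain `example.test`, placeholder sids in the 9000000 range); it does not verify option semantics, only the delimiter structure.

```python
# Constructed sample rules for the linter (not from the original thread).
# BAD_RULE drops the ";" after its last option, which is what makes Suricata
# report 'no terminating ";" found' and reject the file.
GOOD_RULE = ('alert dns $HOME_NET any -> $EXTERNAL_NET any '
             '(msg:"example domain lookup"; dns_query; content:"example.test"; '
             'nocase; classtype:trojan-activity; sid:9000001; rev:1;)')
BAD_RULE = ('alert dns $HOME_NET any -> $EXTERNAL_NET any '
            '(msg:"example domain lookup"; dns_query; content:"example.test"; '
            'nocase; classtype:trojan-activity; sid:9000002)')
# A semicolon inside a quoted value must not be treated as an option separator.
QUOTED_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any '
               '(msg:"semicolon; inside quotes"; content:"a;b"; sid:9000003; rev:1;)')


def split_rule(rule):
    """Return (header, option_body) for a single-line rule; raise if no (...) section."""
    rule = rule.strip()
    start = rule.find("(")
    if start == -1 or not rule.endswith(")"):
        raise ValueError("rule has no option section enclosed in parentheses")
    return rule[:start].strip(), rule[start + 1:-1]


def parse_options(body):
    """Split the option body on ';' outside double quotes, honouring backslash escapes.

    Returns (options, terminated). terminated is False when text remains after the
    last ';', i.e. the final option has no terminating semicolon.
    """
    options, current, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:                      # character after a backslash is literal
            current.append(ch)
            escape = False
            continue
        if ch == "\\":
            current.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            options.append("".join(current).strip())
            current = []
            continue
        current.append(ch)
    if in_quote:
        raise ValueError("unterminated double quote in option section")
    tail = "".join(current).strip()
    if tail:
        options.append(tail)
        return options, False
    return options, True


def check_rule(rule):
    """Return a list of structural problems; an empty list means the rule passed."""
    problems = []
    _header, body = split_rule(rule)
    options, terminated = parse_options(body)
    if not terminated:
        problems.append('no terminating ";" after last option: %r' % options[-1])
    keys = [opt.split(":", 1)[0].strip() for opt in options]
    if "sid" not in keys:
        problems.append("missing sid")
    if "msg" not in keys:
        problems.append("missing msg")
    return problems


def lint_rules(text):
    """Lint a whole rule file's text; return [(line_number, problem), ...]."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        try:
            for problem in check_rule(line):
                findings.append((lineno, problem))
        except ValueError as exc:
            findings.append((lineno, str(exc)))
    return findings


if __name__ == "__main__":
    sample_file = "# constructed sample\n" + GOOD_RULE + "\n\n" + BAD_RULE + "\n"
    for lineno, problem in lint_rules(sample_file):
        print("line %d: %s" % (lineno, problem))
```

Run it against a downloaded `.rules` file with `lint_rules(open(path).read())` to get the offending line numbers before handing the file to Suricata. The checker assumes one rule per line; a file that uses backslash line continuations would need the lines joined first.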