Hi all,
on one of my OPNSense-Instances (24.10.1) this plug-in is not working anymore.
It downloads the wrong rules (et-open) because the heartbeat does not work.
Also the widget shows nothing.
These OPNSense is running since 2021 without any changes, the sensor token is also the same since ordered in 2021.
/sensor_info.py shows
{"sensorId":"--REMOVED--","sensor_status":"DISABLED","last_heartbeat":"2025-01-09T10:12:05+00:00","last_rule_download":"2025-01-09T09:30:38+00:00","event_received":"2022-12-30T21:11:36+00:00","created":"2021-12-15T13:00:09+00:00","disable_date":"2023-01-04T21:11:36+00:00","status":"ok"}
The bad thing is, if the sensor is disabled some time, it downloads a VERY outdated et_open rule package, which is very dangerous because the implemented policies does not working with these outdated rules. So suricata blockes randomely many wrong traffic wich is catastrophical!
I have the same issue for three OPNsense Firewalls (DEC2685, DEC2750, DEC3840) all on v24.10.1
This issue has been ongoing for some weeks: Sometimes the downloaded rules are recent and it works for some hours or days until the next time where it downloads heavily outdated rules which causes a lot of falsely blocked traffic.
Is there no workaround?
I might have to remove ET PRO Telemetry rules completely for now.
Here does the widget does not seem to work also. Hope the fix/workaround will be available to solve this.
Same issue:
https://forum.opnsense.org/index.php?topic=45286.0
Greetings all - We've modified the token code to re-enable sensors which had been disabled in this period as well as open up the window that's examined to determine whether a sensor is still sending us data (or not). Apologies for the disruption. We'll get some documentation out clarifying our position on telemetry reception and periodicy soon.--ET Team
thank you for the update! Widget is showing data again.
please let us know at support(at)emergingthreats.net if you have further problems.
After a fresh install of Opnsense I added the et pro telemetry edition plug-in. However, the place where I would insert my token is not showing up at the bottom of the download page:
Services>Intrusion Detection>Administration>Download
Edit: The Snort VRT plug-in does show up where it's supposed to when installed.
Quote from: corran22 on January 22, 2025, 11:56:32 PMplease let us know at support(at)emergingthreats.net if you have further problems.
Hi,
My sensor is somehow disabled again? see below:
{"sensorId":"--REDACTED--","sensor_status":"DISABLED","last_heartbeat":"2025-01-29T01:07:52+00:00","last_rule_download":"2025-01-28T20:00:07+00:00","event_received":"2025-01-28T21:22:19+00:00","created":"2025-01-23T04:50:15+00:00","disable_date":"2025-04-28T21:22:19+00:00","status":"ok"}The last event and heartbeat are less than 24 hours ago, yet somehow the sensor is DISABLED again.
Puzzling...
Thanks
My token was disabled again as well. I had this issue before and monitored this thread until it was resolved. It has become disabled again sometime in the past 12 hours.
{"sensorId":"XXX-REDACTED-XXX","sensor_status":"DISABLED","last_heartbeat":"2025-01-31T17:01:09+00:00","last_rule_download":"2025-01-31T07:00:14+00:00","event_received":"2025-01-20T16:29:41+00:00","created":"2024-12-23T15:45:11+00:00","disable_date":"2025-04-20T16:29:41+00:00","status":"ok"}
Quote from: Dantichrist on January 31, 2025, 07:30:56 PMMy token was disabled again as well. I had this issue before and monitored this thread until it was resolved. It has become disabled again sometime in the past 12 hours.
{"sensorId":"XXX-REDACTED-XXX","sensor_status":"DISABLED","last_heartbeat":"2025-01-31T17:01:09+00:00","last_rule_download":"2025-01-31T07:00:14+00:00","event_received":"2025-01-20T16:29:41+00:00","created":"2024-12-23T15:45:11+00:00","disable_date":"2025-04-20T16:29:41+00:00","status":"ok"}
I emailed support as post #6 suggested. They responded saying that there was a backend DB issue, and that they were working to resolve it. After a bit of time it's working fine again. Thanks!