Hi,
I use ET Pro Telemetry.
Looking around, I didn't see logs from Dshield and 3coresec.
I logged in via ssh and looked at /usr/local/etc/suricata/opnsense.rules/dshield.rules
This is the content:
#@opnsense_download_hash:f4094b88f662f07551c66c5ae72c6fbf
So I deleted the file and re-downloaded it; same result.
I noticed that other rules have the same issue, for example 3coresec.rules.
All the rules that are 57 bytes in the list below have the problem.
Thanks.
-rw-r----- 1 root wheel 57 Feb 23 21:26 3coresec.rules
-rw-r----- 1 root wheel 97 Feb 23 21:26 OPNsense.rules
-rw-r----- 1 root wheel 1028 Feb 23 21:26 abuse.ch.feodotracker.rules
-rw-r----- 1 root wheel 2042544 Feb 23 21:26 abuse.ch.sslblacklist.rules
-rw-r----- 1 root wheel 516 Feb 23 21:26 abuse.ch.sslipblacklist.rules
-rw-r----- 1 root wheel 31596216 Feb 23 21:26 abuse.ch.threatfox.rules
-rw-r----- 1 root wheel 18809297 Feb 23 21:26 abuse.ch.urlhaus.rules
-rw-r----- 1 root wheel 2161 Feb 23 21:26 botcc.portgrouped.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 botcc.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 ciarmy.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 compromised.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 drop.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 dshield.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 emerging-activex.rules
-rw-r----- 1 root wheel 362964 Feb 23 21:26 emerging-adware_pup.rules
-rw-r----- 1 root wheel 76761 Feb 23 21:26 emerging-attack_response.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 emerging-botcc_portgrouped.rules
-rw-r----- 1 root wheel 7585 Feb 23 21:26 emerging-chat.rules
-rw-r----- 1 root wheel 14168 Feb 23 21:26 emerging-coinminer.rules
-rw-r----- 1 root wheel 9020 Feb 23 21:26 emerging-current_events.rules
-rw-r----- 1 root wheel 47191 Feb 23 21:26 emerging-deleted.rules
-rw-r----- 1 root wheel 9497 Feb 23 21:26 emerging-dns.rules
-rw-r----- 1 root wheel 12140 Feb 23 21:26 emerging-dos.rules
-rw-r----- 1 root wheel 292139 Feb 23 21:26 emerging-exploit.rules
-rw-r----- 1 root wheel 428329 Feb 23 21:26 emerging-exploit_kit.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 emerging-ftp.rules
-rw-r----- 1 root wheel 6959 Feb 23 21:26 emerging-games.rules
-rw-r----- 1 root wheel 116749 Feb 23 21:26 emerging-hunting.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 emerging-icmp.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 emerging-icmp_info.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 emerging-imap.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 emerging-inappropriate.rules
-rw-r----- 1 root wheel 2184956 Feb 23 21:26 emerging-info.rules
-rw-r----- 1 root wheel 3184 Feb 23 21:26 emerging-ja3.rules
-rw-r----- 1 root wheel 7370281 Feb 23 21:26 emerging-malware.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 emerging-misc.rules
-rw-r----- 1 root wheel 627407 Feb 23 21:26 emerging-mobile_malware.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 emerging-netbios.rules
-rw-r----- 1 root wheel 16148 Feb 23 21:26 emerging-p2p.rules
-rw-r----- 1 root wheel 779135 Feb 23 21:26 emerging-phishing.rules
-rw-r----- 1 root wheel 430212 Feb 23 21:26 emerging-policy.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 emerging-pop3.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 emerging-rpc.rules
-rw-r----- 1 root wheel 4724 Feb 23 21:26 emerging-scada.rules
-rw-r----- 1 root wheel 33564 Feb 23 21:26 emerging-scan.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 emerging-shellcode.rules
-rw-r----- 1 root wheel 2937 Feb 23 21:26 emerging-smtp.rules
-rw-r----- 1 root wheel 3673 Feb 23 21:26 emerging-snmp.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 emerging-sql.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 emerging-telnet.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 emerging-tftp.rules
-rw-r----- 1 root wheel 29580 Feb 23 21:26 emerging-user_agents.rules
-rw-r----- 1 root wheel 4331 Feb 23 21:26 emerging-voip.rules
-rw-r----- 1 root wheel 46370 Feb 23 21:26 emerging-web_client.rules
-rw-r----- 1 root wheel 40707 Feb 23 21:26 emerging-web_server.rules
-rw-r----- 1 root wheel 229317 Feb 23 21:26 emerging-web_specific_apps.rules
-rw-r----- 1 root wheel 5706 Feb 23 21:26 emerging-worm.rules
-rw-r----- 1 root wheel 21290 Feb 23 21:26 threatview_CS_c2.rules
-rw-r----- 1 root wheel 57 Feb 23 21:26 tor.rules
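The 57-byte files in the listing above hold nothing but the `#@opnsense_download_hash:` header line. The following script is an added example, not something from the thread or from OPNsense itself: it reports every rule file in a directory that contains zero rule lines (only comments or blank lines), together with its hash header, and builds a constructed sample directory so it can be tried offline. The default path is the one quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense: find Suricata rule files
# that hold only the "#@opnsense_download_hash:" header and no actual rules,
# which is what the 57-byte files listed in the post look like.
# Assumed default path is the one quoted in the post.
RULES_DIR=${RULES_DIR:-/usr/local/etc/suricata/opnsense.rules}

# Number of rule lines in a file: everything that is not blank or a comment.
# The hash header starts with '#', so a header-only file counts as 0.
count_rules() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next } { n++ } END { print n + 0 }' "$1"
}

# List every *.rules file in a directory that carries zero rules, together with
# its hash header, so it can be compared against what the feed actually serves.
find_empty_rulesets() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        if [ "$(count_rules "$f")" -eq 0 ]; then
            hdr=$(grep -m 1 '^#@opnsense_download_hash:' "$f" || echo '(no hash header)')
            printf '%s\t%s\n' "$(basename "$f")" "$hdr"
        fi
    done
}

# Constructed sample directory so the script can be exercised offline:
# one header-only file (hash is a placeholder) and one file with two rules.
make_sample_dir() {
    d=$(mktemp -d)
    printf '#@opnsense_download_hash:%s\n' '00000000000000000000000000000000' > "$d/dshield.rules"
    {
        printf '#@opnsense_download_hash:%s\n' '11111111111111111111111111111111'
        printf 'alert ip 192.0.2.1 any -> $HOME_NET any (msg:"constructed test rule 1"; sid:9000001; rev:1;)\n'
        printf '\n'
        printf 'alert ip 192.0.2.2 any -> $HOME_NET any (msg:"constructed test rule 2"; sid:9000002; rev:1;)\n'
    } > "$d/emerging-dns.rules"
    echo "$d"
}

# Stand-alone usage: run with --demo against the sample, or call
# find_empty_rulesets "$RULES_DIR" on a firewall (read-only, nothing is modified).
if [ "${1:-}" = "--demo" ]; then
    find_empty_rulesets "$(make_sample_dir)"
fi
```

The script only reads the rule files, so it is safe to run over the live directory before deciding whether a re-download is needed.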
ET Pro Telemetry is a paid license, do you have a valid token issued?
You can install the plugin, download the rulesets, but if you don't have a valid subscription token you won't get very far.
Quote from: Deathmage85 on February 24, 2025, 01:42:11 AM
ET Pro Telemetry is a paid license, do you have a valid token issued?
You can install the plugin, download the rulesets, but if you don't have a valid subscription token you won't get very far.
Yes, I have a valid token.
And 3COREsec is not part of ET.
As a word of caution, please make sure you have a backup of your firewall and a management interface defined before messing around with Suricata in CLI.
A few weeks ago, my own Suricata stopped pulling down rulesets. Thankfully, I was paranoid and took backups daily. When I went to fix it via CLI, it nuked the Suricata IPS config file, and then the firewall locked me out. Ultimately, I had to reinstall and recover. It only took me about 25 minutes, but still.
Err on the side of caution if you mess around in CLI against Suricata's rulesets.
Quote from: Deathmage85 on February 26, 2025, 07:10:39 PM
As a word of caution, please make sure you have a backup of your firewall and a management interface defined before messing around with Suricata in CLI.
A few weeks ago, my own Suricata stopped pulling down rulesets. Thankfully, I was paranoid and took backups daily. When I went to fix it via CLI, it nuked the Suricata IPS config file, and then the firewall locked me out. Ultimately, I had to reinstall and recover. It only took me about 25 minutes, but still.
Err on the side of caution if you mess around in CLI against Suricata's rulesets.
Thanks.
But don't worry.
I have nightly config backups and I can simply connect via console to my OPNsense and fix my mistakes without a reinstall.
In 3 years I have reinstalled my OPNsense only once, because I changed hardware.
Anyway, does no one have the same issue?
Please give me some feedback, even if you don't have the issue.
Thanks.
After reading your post I checked and found the same problem: ET/compromised, dshield, drop, and I can't remember what others were not there.
I tried reinstalling the plugin and downloading the ET Pro Telemetry again, to no avail. It also made me wonder, when you have the Pro installed, why in the plugins they have the option to download the Open to run alongside the Pro. If all the rulesets were in the Pro, why would you need to have the Open alongside it?
Hi,
I found on the emergingthreats forum someone who has (it looks like) the same issue:
https://community.emergingthreats.net/t/empty-rules-with-et-pro-telemetry-opnsense/2490/1
I hope this helps.
[quote author=RayonRa link=msg=230319 date=1740344827]
Hi,
I use ET Pro Telemetry.
Looking around, I didn't see logs from Dshield and 3coresec.
[/quote]
3coresec recently discontinued the Blacklist from which their ET Open ruleset was built. As such we have discontinued offering that for download.
The other open source sets included in ET Open are functioning normally:
https://rules.emergingthreatspro.com/open/suricata-7.0.3/rules/drop.rules
https://rules.emergingthreatspro.com/open/suricata-7.0.3/rules/dshield.rules
https://rules.emergingthreatspro.com/open/suricata-7.0.3/rules/compromised-ips.txt
Quote from: corran22 on March 03, 2025, 10:33:41 PM
3coresec recently discontinued the Blacklist from which their ET Open ruleset was built. As such we have discontinued offering that for download.
The other open source sets included in ET Open are functioning normally:
https://rules.emergingthreatspro.com/open/suricata-7.0.3/rules/drop.rules
https://rules.emergingthreatspro.com/open/suricata-7.0.3/rules/dshield.rules
https://rules.emergingthreatspro.com/open/suricata-7.0.3/rules/compromised-ips.txt
Oh, bad news from 3coresec. :(
About this issue:
With ET Pro enabled a lot of rulesets are empty (all the rulesets that are 57 bytes in my first post),
including the rulesets that work just fine on ET Open (as you said):
-rw-r----- 1 root wheel 57 Mar 4 00:00 compromised.rules
-rw-r----- 1 root wheel 57 Mar 4 00:00 drop.rules
-rw-r----- 1 root wheel 57 Mar 4 00:00 dshield.rules
On the emergingthreats forum:
https://community.emergingthreats.net/t/empty-rules-with-et-pro-telemetry-opnsense/2490/4
If someone is interested:
https://community.emergingthreats.net/t/empty-rules-with-et-pro-telemetry-opnsense/2490/12?u=rayonra