OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: hbc on March 20, 2019, 09:58:15 am

Title: Suricata empty rules - just a hash inside
Post by: hbc on March 20, 2019, 09:58:15 am
Since my Suricata is completely silent and I have no alerts, I took a look at the rules. Now I see that some rules are empty:

-rw-r-----  1 root  wheel       58 Mar 20 09:47 botcc.portgrouped.rules
-rw-r-----  1 root  wheel       58 Mar 20 09:47 botcc.rules
-rw-r-----  1 root  wheel       58 Mar 20 09:47 drop.rules
-rw-r-----  1 root  wheel       58 Mar 20 09:47 dshield.rules
-rw-r-----  1 root  wheel       58 Mar 20 09:47 tor.rules

The only content is a 58-byte hash string like:

#@opnsense_download_hash:8885524e8c925b9882c4602c9e517e2a

The curious thing is the tor ruleset. Before I upgraded to ET Pro telemetry edition and used the free rules, I got tor alerts. So I assume it has not been that empty before.
Title: Re: Suricata empty rules - just a hash inside
Post by: ruffy91 on March 21, 2019, 01:07:37 am
I had the same problem using the Telemetry edition and got the following answer from Deciso:
"You enabled only some rulesets that have currently no active rules.

The rulesets that contain the most rules are currently the trojans (by far) and malware rules (incl. mobile)

Rulesets that are empty today are:

Botcc
Inappropriate
Pop3
Ciarmy
Compromised
Drop
Dshield

Some of them are old categories, where rules have moved to new categories and are kept for compatibility reasons.

Of course new rules can be added to currently empty sets, so including them is just fine"
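A quick way to tell which downloaded rulesets are actually empty (nothing but the #@opnsense_download_hash marker and other comment lines), as an added example written for this thread rather than OPNsense's own tooling; the sample .rules files and the all-zero hash it creates are constructed placeholders:

```shell
#!/bin/sh
# Added example, not OPNsense/Deciso code: report Suricata .rules files that
# contain no active rule, i.e. only blank lines and '#' comments such as the
# "#@opnsense_download_hash:" marker described in the thread above.

# Count active (non-comment, non-blank) rule lines in one .rules file.
# grep -c exits 1 when the count is 0, so '|| true' keeps the "0" output usable.
count_active_rules() {
    grep -c -v -E '^[[:space:]]*(#|$)' "$1" || true
}

# Print the basename of every .rules file in DIR that has zero active rules.
empty_rulesets() {
    dir="$1"
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        if [ "$(count_active_rules "$f")" -eq 0 ]; then
            basename "$f"
        fi
    done
}

# Constructed sample directory (placeholder hash, made-up sample rules) so the
# check can be run offline; print its path for the caller.
make_sample_dir() {
    d=$(mktemp -d)
    printf '#@opnsense_download_hash:00000000000000000000000000000000\n' > "$d/tor.rules"
    printf '#@opnsense_download_hash:00000000000000000000000000000000\n' > "$d/drop.rules"
    {
        printf '#@opnsense_download_hash:00000000000000000000000000000000\n'
        printf 'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SAMPLE rule 1"; sid:9000001; rev:1;)\n'
        printf 'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SAMPLE rule 2"; sid:9000002; rev:1;)\n'
    } > "$d/trojan.rules"
    printf '%s' "$d"
}
```

Point empty_rulesets at the directory holding the downloaded .rules files from the listing above to see which enabled categories currently contribute no rules.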