OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: meschmesch on September 15, 2021, 07:56:23 pm

Title: PT Open ruleset
Post by: meschmesch on September 15, 2021, 07:56:23 pm
Hello,
After installing the os-intrusion-detection-content-pt-open plugin, it appears that there is no change in the available rulesets for download? I only get a set of tickable rules for os-intrusion-detection-content-snort-vrt and for os-intrusion-detection-content-et-open.


Thank you!
Title: Re: PT Open ruleset
Post by: meschmesch on September 16, 2021, 04:35:12 pm
Ok, looks like adding the ET Pro Telemetry Edition plugin automatically disables the majority of the native ET Open rules. I don't know whether this is an error or whether there is a reason behind it. Any idea on that?

Another question that came to my mind is which rulesets to select:

If you leave memory and speed completely out of the equation and only look at the real-world effectiveness of the filters, I don't know which filters make sense. OPNsense is behind the firewall of an ISP modem, so only very few requests reach Suricata, on a few ports. On top of that, most communication today is over HTTPS, so any viruses, trojans or exploits cannot be filtered by Suricata at all because of the encrypted communication between the endpoints. Am I seeing this correctly?

Filters like "emerging-exploit" or "emerging-dos" or "emerging-activex" don't make any sense at all here, do they?

What about IPv6 communication? A large part of the lists contains pure IPv4 addresses. If my system is also reachable via IPv6, does Suricata then protect relatively little?

Translated with www.DeepL.com/Translator (free version)
Title: Re: PT Open ruleset
Post by: Fright on September 19, 2021, 05:44:00 pm
hi
Quote
Are the rules in os-intrusion-detection-content-pt-open corresponding to the commonly known ET Open ruleset
No, these are the rules from the Positive Technologies company, not Proofpoint.

Quote
ET Pro Telemetry Edition Plugin automatically disables the majority of the native ET open rules
https://shop.opnsense.com/product/etpro-telemetry/
Code:
Includes ET Open. ET Pro Telemetry Editions allows you to benefit from the collective intelligence provided by one of the largest and most active IDS/IPS rule writing communities.  Rule submissions are received from all over the world covering never seen before threats—all tested by the Proofpoint’s ET Labs research team to ensure optimum performance and accurate detection.

Quote
so any viruses, trojans, exploits from Suricata cannot be filtered at all because of the encrypted communication between endpoints. Am I seeing this correctly?
Yes and no. If the signature of the threat is in the encrypted part, then yes, the traffic must be decrypted before analysis. But not all rules are based on body analysis.
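To make the last point concrete: the following Suricata rules are an added illustration, not rules from the thread, from ET Open, from PT Open or from the OPNsense project. They show what Suricata can still match on a TLS connection without decryption (the cleartext parts of the handshake, DNS lookups and the IP/port layer) next to an HTTP payload rule that is blind once the same request goes over HTTPS. The domain, the address, the JA3 value and the SIDs in the 9000000 range are constructed placeholders; adjust them before loading the file as a local rules file.

```suricata
# Added example rules, not part of any shipped ruleset. All indicators below are
# constructed placeholders (example-bad-domain.test, 203.0.113.10, a fake JA3 hash).

# 1. TLS Server Name Indication: sent in cleartext in the ClientHello of TLS 1.2 and
#    TLS 1.3 (unless Encrypted Client Hello is in use), so this matches without decryption.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TLS SNI to known-bad domain"; flow:established,to_server; tls.sni; content:"example-bad-domain.test"; nocase; endswith; classtype:trojan-activity; sid:9000001; rev:1;)

# 2. Server certificate subject: readable in TLS 1.2, but in TLS 1.3 the certificate is
#    sent encrypted, so this rule only fires on TLS 1.2 (and older) sessions.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE TLS cert subject of known-bad domain"; flow:established,to_client; tls.cert_subject; content:"CN=example-bad-domain.test"; nocase; classtype:trojan-activity; sid:9000002; rev:1;)

# 3. DNS query: the lookup that precedes the HTTPS connection is plaintext UDP/TCP 53
#    (not if the client uses DoH/DoT), so the domain can be caught here as well.
alert dns $HOME_NET any -> any any (msg:"EXAMPLE DNS query for known-bad domain"; dns.query; content:"example-bad-domain.test"; nocase; endswith; classtype:trojan-activity; sid:9000003; rev:1;)

# 4. Pure IP/port rule: needs no protocol parsing at all and works for IPv4 addresses;
#    the same form with an IPv6 literal in brackets, e.g. [2001:db8::10], covers v6.
alert ip $HOME_NET any -> 203.0.113.10 any (msg:"EXAMPLE traffic to known-bad IPv4 host"; classtype:misc-attack; sid:9000004; rev:1;)
alert ip $HOME_NET any -> [2001:db8::10] any (msg:"EXAMPLE traffic to known-bad IPv6 host"; classtype:misc-attack; sid:9000005; rev:1;)

# 5. JA3 client fingerprint: derived from cleartext ClientHello fields. Requires
#    app-layer.protocols.tls.ja3-fingerprints: yes in suricata.yaml. Hash is constructed.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE JA3 of known-bad TLS client"; ja3.hash; content:"00112233445566778899aabbccddeeff"; classtype:trojan-activity; sid:9000006; rev:1;)

# 6. HTTP URI content rule: works on plain HTTP only. Over HTTPS the request line is inside
#    the encrypted record layer, so without TLS interception this rule never matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE HTTP request for known-bad path (blind over HTTPS)"; flow:established,to_server; http.uri; content:"/evil.php"; nocase; classtype:trojan-activity; sid:9000007; rev:1;)
```

Rules 1, 3, 4 and 5 are the kind that still pay off behind an ISP modem with mostly HTTPS traffic, because they key on metadata that encryption does not hide; rules of type 6 (and most of the exploit/payload categories asked about above) only see anything if traffic is plain HTTP or is decrypted upstream. For the IPv6 question, note that `$HOME_NET` and `$EXTERNAL_NET` can hold both v4 and v6 prefixes, but a rule that names a literal IPv4 address matches only that address family; check how many of the address-based rules in a chosen ruleset carry v6 literals before relying on them for v6 coverage.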