OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: zkduzvzpene on November 28, 2021, 05:36:48 pm

Title: Intrusion Detection: Administration / No Last update date
Post by: zkduzvzpene on November 28, 2021, 05:36:48 pm
Hello,

I am a newcomer to OPNSense. Sorry if my question is a bit silly :|

I was on a Synology Router before and I want to move to OPNsense.
I was using Threat Protection. If I understand correctly, I have to use Suricata on OPNsense (installed by default).

In "Intrusion Detection: Administration: Download", all the OPNsense-App-detect/* rules can be enabled and downloaded (I see a date in the "last updated" column), but it doesn't work for abuse.ch/* and ET open/*.
I can enable them, but there is no date after clicking on "Download & update rules".
** see attachment **
I cannot see any error message.

I saw in some tutorials/docs a "Filter" column that is not on my screen.
I also have only 2 selection buttons: "Enable/disable selected". I don't see the "Enable (drop/clear filter)" buttons.
Is that a problem?

If I try to install the plugin os-intrusion-detection-content-et-open, the rules in "Intrusion Detection: Administration" are listed in duplicate. I have removed it.
Do I have to install it?

Does somebody have an idea what my mistake is?

Thank you in advance :)

---
Type   opnsense   
Version   21.7.6   
Architecture   amd64   
Flavour   OpenSSL   
Commit   acdaa7649   
Mirror   https://pkg.opnsense.org/FreeBSD:12:amd64/21.7   
Repositories   OPNsense   
Updated on   Fri Nov 26 19:33:59 CET 2021   
Checked on   Sun Nov 28 00:00:00 CET 2021
---
suricata   6.0.4   6.82MiB   OPNsense   GPLv2   High Performance Network IDS, IPS and Security Monitoring engine
---
os-intrusion-detection-content-et-open   1.0.1   1.53KiB   OPNsense   IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition   
os-intrusion-detection-content-et-pro   1.0.2_1   5.72KiB   OPNsense   IDS Proofpoint ET Pro ruleset (needs a valid subscription)   
os-intrusion-detection-content-pt-open   1.0_1   798B   OPNsense   IDS PT Research ruleset (only for non-commercial use)   
os-intrusion-detection-content-snort-vrt   1.1_1   12.7KiB   OPNsense   IDS Snort VRT ruleset (needs registration or subscription)
Title: Re: Intrusion Detection: Administration / No Last update date
Post by: Fright on November 28, 2021, 06:16:49 pm
Hi
Quote
If I try to install the plugin os-intrusion-detection-content-et-open, the rules in "Intrusion Detection: Administration" are listed in duplicate
Are you sure? imho the rulesets from the plugin start with the "et_open" prefix, while the rulesets from the core do not have such a prefix (although I'm not sure if it makes sense to use the plugin's "ET open" rulesets)

Quote
there is no date after clicking on "Download & update rules"
Can you try to hit "Download & update rules" again and look in the General log for any errors?
Title: Re: Intrusion Detection: Administration / No Last update date
Post by: zkduzvzpene on November 28, 2021, 06:52:35 pm
Hello @Fright,

Please find enclosed 3 screenshots: no plugin installed (current setting), 1 plugin (Open) installed, and the impact on the Rules.

Where is the "General log" located?

BR
Title: Re: Intrusion Detection: Administration / No Last update date
Post by: Fright on November 28, 2021, 07:42:20 pm
Quote
no plugin installed (current setting), 1 plugin Open installed and the impact on the Rules.
Got it, thanks. The rulesets have the same descriptions. I would stick with the core rules and not install the plugin (current settings), especially since the core rulesets have been migrated to the Suricata 5 format.
Quote
Where is located the "General log" ?
System: Log Files: General
Title: Re: Intrusion Detection: Administration / No Last update date
Post by: zkduzvzpene on November 28, 2021, 08:05:31 pm
Here are the General logs.
Title: Re: Intrusion Detection: Administration / No Last update date
Post by: Fright on November 28, 2021, 08:28:03 pm
Got it. So the rules are downloaded but (maybe) not installed?
Any errors in the Backend log?
System: Log Files: Backend
Title: Re: Intrusion Detection: Administration / No Last update date
Post by: zkduzvzpene on November 28, 2021, 08:32:54 pm
Here is the Backend log
Title: Re: Intrusion Detection: Administration / No Last update date
Post by: Fright on November 28, 2021, 08:42:25 pm
If there were errors installing the rules, they would be immediately after downloading the rules (17:19:34).
Title: Re: Intrusion Detection: Administration / No Last update date
Post by: zkduzvzpene on November 28, 2021, 09:06:48 pm
I put files instead of screenshots :)
I don't see any error...
Title: Re: Intrusion Detection: Administration / No Last update date
Post by: Fright on November 29, 2021, 06:21:13 am
Quote
I don't see any error...
Hm. Me neither...
Can you try to run:
Code:
/usr/local/opnsense/scripts/suricata/installRules.py
Any errors?
Title: Re: Intrusion Detection: Administration / No Last update date
Post by: zkduzvzpene on November 29, 2021, 10:11:38 am
I restarted the router at 8h12 and then I ran the script.
I do not see any error :(
Title: Re: Intrusion Detection: Administration / No Last update date
Post by: Fright on November 30, 2021, 08:20:06 pm
Hi! Sorry for the delay. Any progress on that?
I checked on a test VM: IDPS downloads and installs both rulesets. Although imho there is no sense in using the os-intrusion-detection-content-et-open plugin any more (same definitions, same SIDs, but the core ruleset is in 5.0 format).
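As an added illustration of the "same SIDs" point above (this is not code from the thread or from OPNsense itself), the following Python script parses Suricata rule files, collects the SID and rev of each active rule, and reports SIDs that occur in more than one file. The two rule files are constructed samples, not real ET content; the directory path in main() is an assumption, not a verified OPNsense location.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Constructed sample rule files (not real ET content): the same signature
# shipped once by a core ruleset and once by the plugin ("et_open_") ruleset.
SAMPLE_FILES = {
    "emerging-botcc.rules": (
        "# core ruleset\n"
        'alert ip $HOME_NET any -> 203.0.113.0/24 any (msg:"ET CNC Example C2"; '
        "classtype:trojan-activity; sid:2404000; rev:3;)\n"
        'alert ip $HOME_NET any -> 198.51.100.0/24 any (msg:"ET CNC Example C2 2"; '
        "sid:2404001; rev:1;)\n"
    ),
    "et_open_emerging-botcc.rules": (
        "# plugin ruleset\n"
        'alert ip $HOME_NET any -> 203.0.113.0/24 any (msg:"ET CNC Example C2"; '
        "sid:2404000; rev:3;)\n"
        "# a disabled (commented) rule still carries a sid but is not loaded\n"
        '#alert ip $HOME_NET any -> 198.51.100.0/24 any (msg:"ET CNC Example C2 2"; '
        "sid:2404001; rev:1;)\n"
    ),
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_sids(text):
    """Return {sid: rev} for active (non-commented) rules in one rules file."""
    sids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled rule: Suricata would not load it
        m = SID_RE.search(line)
        if m:
            r = REV_RE.search(line)
            sids[int(m.group(1))] = int(r.group(1)) if r else 0
    return sids


def find_duplicate_sids(files):
    """Map each sid present in more than one file to the files holding it."""
    where = defaultdict(list)
    for name, text in files.items():
        for sid in parse_sids(text):
            where[sid].append(name)
    return {sid: names for sid, names in where.items() if len(names) > 1}


if __name__ == "__main__":
    # Assumed location of the downloaded rule files; pass another dir as argv[1].
    rules_dir = Path(sys.argv[1] if len(sys.argv) > 1 else "/usr/local/etc/suricata/rules")
    files = {p.name: p.read_text(errors="replace") for p in rules_dir.glob("*.rules")}
    for sid, names in sorted(find_duplicate_sids(files or SAMPLE_FILES).items()):
        print(f"sid {sid} appears in: {', '.join(names)}")
```

Run with no arguments it falls back to the constructed samples when the assumed directory has no rule files, so the output can be compared before and after installing the plugin.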
Title: Re: Intrusion Detection: Administration / No Last update date
Post by: zkduzvzpene on November 30, 2021, 09:29:56 pm
Hello,

I agree, I do not use os-intrusion-detection-content-et-open anymore.
I still have the issue.
As we do not see any error message, do I have to re-install my device from scratch?

Thanks
Title: Re: Intrusion Detection: Administration / No Last update date
Post by: Fright on December 08, 2021, 07:22:13 am
Hi again. Sorry for the delay. I tried to reproduce the described behavior several times and could not.
(The only way to do something similar is with a huge number of rulesets enabled; in that case it takes a significant amount of time before the ruleset statuses can be updated.)

I once again looked at your logs and although there are no errors, I also do not see any requests to the rules.emergingthreats.net servers when updating the rulesets.

If there is still interest, could you do the following please:
1. Disable all rulesets in Services: Intrusion Detection: Administration.
2. Reset all log files (System: Settings: Logging).
3. Enable the ET open/botcc and ET open/drop rulesets in Services: Intrusion Detection: Administration (both core and plugin, if the plugin is installed).
4. Press the Download & Update button and wait for the spinner to stop.
5. Share the system and backend logs.

Thanks!

And I have to clarify my statement regarding the os-intrusion-detection-content-et-open plugin rulesets. The plugin (as its description says) is intended to supplement the ET Pro Telemetry rulesets. Therefore my saying "imho there is no sense in using the os-intrusion-detection-content-et-open plugin any more" is not correct (it only refers to the use of the plugin rules alongside the core ET rules). I didn't compare the rules from the telemetry plugin and the os-intrusion-detection-content-et-open rules.
Title: Re: Intrusion Detection: Administration / No Last update date
Post by: zkduzvzpene on December 11, 2021, 05:21:08 pm
Hello,

I started to reinstall OPNsense before your reply.
After the reinstall, it seems that it works!

I don't understand what happened.
Thank you very much for your time and your help.