OPNsense Forum
Archive => 21.7 Legacy Series => Topic started by: zkduzvzpene on November 28, 2021, 05:36:48 pm
-
Hello,
I am a newcomer to OPNSense. Sorry if my question is a bit silly :|
I was on a Synology Router before and I want to move to OPNsense.
I was using Threat Protection. If I understand correctly, I have to use Suricata on OPNsense (installed by default).
In "Intrusion Detection: Administration: Download", all the OPNsense-App-detect/* rules can be enabled and downloaded (I see a date in the "last updated" column), but it doesn't work for abuse.ch/* and ET open/*.
I can enable them but there is no date after clicking on "Download & update rules".
** see attachment **
I cannot see any error message.
I saw in some tutorials/docs a "Filter" column that is not on my screen.
I also have only 2 selection buttons: "Enable/disable selected". I don't see the "Enable (drop/clear filter)" buttons.
Is it a problem?
If I try to install the plugin os-intrusion-detection-content-et-open, the rules in "Intrusion Detection: Administration" are listed twice. I have removed it.
Do I have to install it?
Does somebody have an idea of my mistake?
Thank you in advance :)
---
Type opnsense
Version 21.7.6
Architecture amd64
Flavour OpenSSL
Commit acdaa7649
Mirror https://pkg.opnsense.org/FreeBSD:12:amd64/21.7
Repositories OPNsense
Updated on Fri Nov 26 19:33:59 CET 2021
Checked on Sun Nov 28 00:00:00 CET 2021
---
suricata 6.0.4 6.82MiB OPNsense GPLv2 High Performance Network IDS, IPS and Security Monitoring engine
---
os-intrusion-detection-content-et-open 1.0.1 1.53KiB OPNsense IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition
os-intrusion-detection-content-et-pro 1.0.2_1 5.72KiB OPNsense IDS Proofpoint ET Pro ruleset (needs a valid subscription)
os-intrusion-detection-content-pt-open 1.0_1 798B OPNsense IDS PT Research ruleset (only for non-commercial use)
os-intrusion-detection-content-snort-vrt 1.1_1 12.7KiB OPNsense IDS Snort VRT ruleset (needs registration or subscription)
-
Hi
If I try to install the plugin os-intrusion-detection-content-et-open, the rules in "Intrusion Detection: Administration" are listed twice
Are you sure? IMHO the rulesets from the plugin start with an "et_open" prefix; the rulesets from the core do not have such a prefix (although I'm not sure it makes sense to use the plugin's "ET open" rulesets)
there is no date after clicking on "Download & update rules"
Can you try to hit "Download & update rules" again and look in the General log for any errors?
-
Hello @Fright,
Please find enclosed 3 screenshots: no plugin installed (current setting), 1 plugin Open installed, and the impact on the Rules.
Where is the "General log" located?
BR
-
no plugin installed (current setting), 1 plugin Open installed and the impact on the Rules.
Got it, thanks. The rulesets have the same descriptions. I would stick with the core rules and not install the plugin (current settings), especially since the core rulesets have been migrated to the Suricata 5 format.
Where is the "General log" located?
System: Log Files: General
-
here are the General Logs
-
Got it. So the rules are downloaded but (maybe) not installed?
Any errors in the backend log?
System: Log Files: Backend
-
Here is the Backend log
-
If there were errors installing the rules, they would appear immediately after the rules were downloaded (17:19:34).
-
I put files instead of screenshots :)
I don't see any error...
-
I don't see any error...
Hm. Me neither...
Can you try to run:
/usr/local/opnsense/scripts/suricata/installRules.py
Any errors?
-
I restarted the router at 8:12, then I ran the script.
I do not see any error :(
-
Hi! Sorry for the delay. Any progress on that?
I checked on a test VM: IDPS downloads and installs both rulesets. Although imho there is no sense to use os-intrusion-detection-content-et-open plugin any more (same definitions, same SIDs, but the core ruleset is in the 5.0 format).
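As an added illustration of the overlap Fright describes between the core ET open rulesets and the os-intrusion-detection-content-et-open plugin (same definitions, same SIDs), the following Python is not code from this thread or from OPNsense: it parses two constructed Suricata rule files and reports the SIDs present in both, which is the condition Suricata flags as a duplicate signature. The rule lines are made-up sample data, not real ET content.

```python
import re
from typing import Dict, Tuple

# Constructed sample rule files: a core "ET open" ruleset and the plugin's
# "et_open"-prefixed copy, sharing two SIDs. Not real ET rule content.
CORE_RULES = """\
# ET open - core ruleset (constructed sample)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE Possible botcc C2 beacon"; flow:established,to_server; sid:9000001; rev:3; classtype:trojan-activity;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE DROP listed source"; sid:9000002; rev:1; classtype:misc-attack;)
# alert tcp any any -> any any (msg:"SAMPLE disabled rule"; sid:9000003; rev:1;)
"""
PLUGIN_RULES = """\
# et_open - plugin ruleset (constructed sample)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE Possible botcc C2 beacon"; flow:established,to_server; sid:9000001; rev:3; classtype:trojan-activity;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE DROP listed source"; sid:9000002; rev:2; classtype:misc-attack;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SAMPLE plugin-only rule"; sid:9000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


def parse_rules(text: str) -> Dict[int, Tuple[str, int]]:
    """Map sid -> (msg, rev) for every active (non-commented) rule line."""
    rules: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled rule
        sid = SID_RE.search(line)
        if not sid:
            continue  # every Suricata rule carries a sid; skip malformed lines
        msg = MSG_RE.search(line)
        rev = REV_RE.search(line)
        rules[int(sid.group(1))] = (msg.group(1) if msg else "",
                                    int(rev.group(1)) if rev else 0)
    return rules


def duplicate_sids(a: Dict[int, Tuple[str, int]],
                   b: Dict[int, Tuple[str, int]]) -> Dict[int, Tuple[int, int]]:
    """Return sid -> (rev in a, rev in b) for SIDs defined in both rulesets."""
    return {sid: (a[sid][1], b[sid][1]) for sid in a.keys() & b.keys()}


if __name__ == "__main__":
    core, plugin = parse_rules(CORE_RULES), parse_rules(PLUGIN_RULES)
    for sid, (rc, rp) in sorted(duplicate_sids(core, plugin).items()):
        print(f"sid {sid} in both (core rev {rc}, plugin rev {rp}): {core[sid][0]}")
```

Pointed at the real rule files OPNsense downloads, the same comparison shows which rules would be loaded twice when both the core and the plugin rulesets are enabled.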
-
Hello,
I agree, I do not use os-intrusion-detection-content-et-open anymore.
I still have the issue.
As we do not see any error message, do I have to re-install my device from scratch?
Thanks
-
Hi again. Sorry for the delay. I tried to reproduce the described behavior several times and could not.
(The only way to get something similar is with a huge number of rulesets enabled; in that case it takes a significant amount of time before the ruleset statuses can be updated.)
I once again looked at your logs and, although there are no errors, I also do not see any requests to the rules.emergingthreats.net servers when updating the rulesets.
If there is still interest, could you do the following please:
1. Disable all rulesets in Services: Intrusion Detection: Administration.
2. Reset all log files (System: Settings: Logging).
3. Enable ET open/botcc and ET open/drop rulesets in Services: Intrusion Detection: Administration (both core and plugin if plugin installed).
4. Press the "Download & Update" button and wait for the spinner to stop.
5. Share system and backend logs.
Thanks!
And I have to clarify my statement regarding the os-intrusion-detection-content-et-open plugin rulesets. The plugin (as its description says) is intended to supplement the ET Pro Telemetry rulesets. Therefore my saying "imho there is no sense to use os-intrusion-detection-content-et-open plugin any more" is not correct (and only refers to the use of the plugin rules together with the core ET rules). I didn't compare the rules from the telemetry plugin and the os-intrusion-detection-content-et-open rules.
-
Hello,
I started to reinstall OPNsense before your reply.
After reinstall, it seems that it works!
I didn't understand what happened.
Thank you very much for your time and your help.