Messages - RayonRa

#1
Quote from: henri9813 on May 17, 2025, 02:19:25 PM
[root@local-vm ~]# ping -s 3000 -D PUBLIC_IP
PING PUBLIC_IP (PUBLIC_IP) 3000(3028) bytes of data.
[1747332539.430593] 3008 bytes from PUBLIC_IP: icmp_seq=1 ttl=63 time=3.56 ms
[1747332540.431041] 3008 bytes from PUBLIC_IP: icmp_seq=2 ttl=63 time=2.34 ms

Hi,
your "local-vm" is a Linux machine.
The "-D" flag adds the timestamp on Linux; it doesn't enable the "don't fragment" flag.
On Linux you must use "-M do".
#3
Quote from: corran22 on March 03, 2025, 10:33:41 PM
3coresec recently discontinued the Blacklist from which their ET Open ruleset was built. As such we have discontinued offering that for download.

The other open source sets included in ET Open are functioning normally:

https://rules.emergingthreatspro.com/open/suricata-7.0.3/rules/drop.rules
https://rules.emergingthreatspro.com/open/suricata-7.0.3/rules/dshield.rules
https://rules.emergingthreatspro.com/open/suricata-7.0.3/rules/compromised-ips.txt


Oh, bad news from 3coresec. :(

About this issue.
With ET Pro enabled a lot of rulesets are empty (all the rulesets of 57 bytes in my first post),
also the rulesets that on ET Open work just fine (as you said):
-rw-r-----  1 root wheel       57 Mar  4 00:00 compromised.rules
-rw-r-----  1 root wheel       57 Mar  4 00:00 drop.rules
-rw-r-----  1 root wheel       57 Mar  4 00:00 dshield.rules

On emergingthreats' forum:
https://community.emergingthreats.net/t/empty-rules-with-et-pro-telemetry-opnsense/2490/4


#4
Hi,
I found on the emergingthreats forum someone who has (it looks like) the same issue.
https://community.emergingthreats.net/t/empty-rules-with-et-pro-telemetry-opnsense/2490/1
I hope this helps.
#5
Quote from: Deathmage85 on February 26, 2025, 07:10:39 PM
As a word of caution, please make sure you have a backup of your firewall and a management interface defined before messing around with Suricata in CLI.

A few weeks ago, my own Suricata stopped pulling down rulesets. Thankfully, I was paranoid and took backups daily. When I went to fix it via CLI, it nuked the Suricata IPS config file, and then the firewall locked me out. Ultimately, I had to reinstall and recover. It only took me about 25 minutes, but still.

Side of the edge of caution if you mess around in CLI against Suricata's rulesets.

Thanks.
But don't worry.
I have nightly config backups and I can simply connect via console to my OPNsense and fix my mistakes without reinstalling.
In 3 years I reinstalled my OPNsense only once, because I changed hardware.

Anyway, does no one have the same issue?
Please give me some feedback, even if you don't have the issue.
Thanks.
#6
Quote from: Deathmage85 on February 24, 2025, 01:42:11 AM
ET Pro Telemetry is a paid license, do you have a valid token issued?

You can install the plugin, download the rulesets, but if you don't have a valid subscription token you won't get very far.
Yes, I have a valid token.
And 3COREsec is not part of ET.
#7
Hi,
I use ET Pro Telemetry.
Looking around, I didn't see any logs from Dshield and 3coresec.
I logged in via SSH and looked at /usr/local/etc/suricata/opnsense.rules/dshield.rules

This is the content:
#@opnsense_download_hash:f4094b88f662f07551c66c5ae72c6fbf
So I deleted the file and re-downloaded it, same result.

I noticed that other rules have the same issue, for example 3coresec.rules

All the rule files that are 57 bytes in the list below have the problem.

Thanks.

-rw-r-----  1 root wheel       57 Feb 23 21:26 3coresec.rules
-rw-r-----  1 root wheel       97 Feb 23 21:26 OPNsense.rules
-rw-r-----  1 root wheel     1028 Feb 23 21:26 abuse.ch.feodotracker.rules
-rw-r-----  1 root wheel  2042544 Feb 23 21:26 abuse.ch.sslblacklist.rules
-rw-r-----  1 root wheel      516 Feb 23 21:26 abuse.ch.sslipblacklist.rules
-rw-r-----  1 root wheel 31596216 Feb 23 21:26 abuse.ch.threatfox.rules
-rw-r-----  1 root wheel 18809297 Feb 23 21:26 abuse.ch.urlhaus.rules
-rw-r-----  1 root wheel     2161 Feb 23 21:26 botcc.portgrouped.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 botcc.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 ciarmy.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 compromised.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 drop.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 dshield.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-activex.rules
-rw-r-----  1 root wheel   362964 Feb 23 21:26 emerging-adware_pup.rules
-rw-r-----  1 root wheel    76761 Feb 23 21:26 emerging-attack_response.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-botcc_portgrouped.rules
-rw-r-----  1 root wheel     7585 Feb 23 21:26 emerging-chat.rules
-rw-r-----  1 root wheel    14168 Feb 23 21:26 emerging-coinminer.rules
-rw-r-----  1 root wheel     9020 Feb 23 21:26 emerging-current_events.rules
-rw-r-----  1 root wheel    47191 Feb 23 21:26 emerging-deleted.rules
-rw-r-----  1 root wheel     9497 Feb 23 21:26 emerging-dns.rules
-rw-r-----  1 root wheel    12140 Feb 23 21:26 emerging-dos.rules
-rw-r-----  1 root wheel   292139 Feb 23 21:26 emerging-exploit.rules
-rw-r-----  1 root wheel   428329 Feb 23 21:26 emerging-exploit_kit.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-ftp.rules
-rw-r-----  1 root wheel     6959 Feb 23 21:26 emerging-games.rules
-rw-r-----  1 root wheel   116749 Feb 23 21:26 emerging-hunting.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-icmp.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-icmp_info.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-imap.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-inappropriate.rules
-rw-r-----  1 root wheel  2184956 Feb 23 21:26 emerging-info.rules
-rw-r-----  1 root wheel     3184 Feb 23 21:26 emerging-ja3.rules
-rw-r-----  1 root wheel  7370281 Feb 23 21:26 emerging-malware.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-misc.rules
-rw-r-----  1 root wheel   627407 Feb 23 21:26 emerging-mobile_malware.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-netbios.rules
-rw-r-----  1 root wheel    16148 Feb 23 21:26 emerging-p2p.rules
-rw-r-----  1 root wheel   779135 Feb 23 21:26 emerging-phishing.rules
-rw-r-----  1 root wheel   430212 Feb 23 21:26 emerging-policy.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-pop3.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-rpc.rules
-rw-r-----  1 root wheel     4724 Feb 23 21:26 emerging-scada.rules
-rw-r-----  1 root wheel    33564 Feb 23 21:26 emerging-scan.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-shellcode.rules
-rw-r-----  1 root wheel     2937 Feb 23 21:26 emerging-smtp.rules
-rw-r-----  1 root wheel     3673 Feb 23 21:26 emerging-snmp.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-sql.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-telnet.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-tftp.rules
-rw-r-----  1 root wheel    29580 Feb 23 21:26 emerging-user_agents.rules
-rw-r-----  1 root wheel     4331 Feb 23 21:26 emerging-voip.rules
-rw-r-----  1 root wheel    46370 Feb 23 21:26 emerging-web_client.rules
-rw-r-----  1 root wheel    40707 Feb 23 21:26 emerging-web_server.rules
-rw-r-----  1 root wheel   229317 Feb 23 21:26 emerging-web_specific_apps.rules
-rw-r-----  1 root wheel     5706 Feb 23 21:26 emerging-worm.rules
-rw-r-----  1 root wheel    21290 Feb 23 21:26 threatview_CS_c2.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 tor.rules
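The 57-byte files in the listing above are exactly one "#@opnsense_download_hash:" line (25 characters plus a 32-character MD5, no trailing newline) and nothing else, i.e. the download succeeded but delivered zero rules. The following check is an added example, not the poster's or OPNsense's code; it walks a rules directory (the path from the post is the assumed default, overridable with the RULES_DIR variable) and reports every rule file with no enabled rule lines, distinguishing "downloaded but empty" from "never downloaded" via the hash header.

```shell
#!/usr/bin/env bash
# Find Suricata rule files that OPNsense downloaded but that contain no rules.
# Added example for this thread, not OPNsense code. Assumed default directory:
# /usr/local/etc/suricata/opnsense.rules (the path quoted in the post).

# count_rules FILE: number of lines that are neither blank nor comments.
# Disabled rules are shipped as "#alert ..." and therefore count as comments,
# so this is the number of *enabled* rules. `|| true` keeps "0" as output when
# grep exits 1 because nothing matched.
count_rules() {
    grep -c -v -E '^[[:space:]]*(#|$)' "$1" || true
}

# has_hash_header FILE: succeeds if the first line is the OPNsense download
# marker, which means the fetch completed (the file is not merely missing).
has_hash_header() {
    head -n 1 "$1" | grep -q '^#@opnsense_download_hash:[0-9a-f]\{32\}$'
}

# empty_rulesets DIR: print "<bytes><TAB><file>" for every *.rules file in DIR
# that carries zero enabled rules. 57 bytes with a hash header is the
# "header only" case seen in the listing above.
empty_rulesets() {
    local dir="${1:-/usr/local/etc/suricata/opnsense.rules}" f n
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue          # glob did not match anything
        n=$(count_rules "$f")
        if [ "$n" -eq 0 ]; then
            printf '%s\t%s\n' "$(wc -c < "$f" | tr -d ' ')" "$f"
        fi
    done
}

# Usage on the firewall: RULES_DIR=/usr/local/etc/suricata/opnsense.rules ./check_rules.sh
if [ -n "${RULES_DIR:-}" ]; then
    empty_rulesets "$RULES_DIR"
fi
```

Run it before and after a rule download to see whether the empty set changes; a file that is empty and still has a hash header points at the upstream feed (or the subscription's view of it) rather than at a failed fetch, which is the situation described in this thread.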
#8
Hi,
I just tested the patch.
Initially it didn't work,
but after a reboot everything started working.

https://github.com/opnsense/src/issues/235#issuecomment-2629176435

Well, now I must wait for the CrowdSec fix for this issue: https://github.com/opnsense/plugins/issues/4511
#9
Quote from: notspam on February 01, 2025, 10:15:01 PM
My issue is gone by patching 83975b5.
The OPNsense team should build a 25.1_1 release with this patch to avoid others having the issue after the upgrade to 25.1.

https://github.com/opnsense/src/issues/235

# opnsense-patch 83975b5
# /usr/local/etc/rc.filter_configure

Thanks @notspam for your feedback,
as I wrote on GitHub (l0rdg3x), I'll test this patch tomorrow and report back to Franco.
I'm pretty sure that patch will fix the issue on my firewall too.
#12
Quote from: julsssark on January 29, 2025, 10:51:49 PM
Crowdsec blocks haven't appeared in my logs since I upgraded to 25.1 from 24.7.12. I also watched the live view for a few minutes and didn't see a block. I am not using Appsec (don't even know what it is).

Yes exactly!
#13
Quote from: Eisai on January 29, 2025, 10:18:41 PM
CrowdSec had problems with Appsec enabled since 24.7.12
Can workaround by reverting or removing appsec collections. But I didn't find a solution to fix the root cause.

Hi, in my case I don't have AppSec collections.
#14
Hi,
today I updated from 24.7.12 to 25.1.
2 issues:

1. MTU
I have the primary WAN on DHCP (I get a public IP from my ISP via DHCP) with a 1492 MTU (if I set 1500 I have some trouble, and devices behind the firewall can't reach some sites).
On 24.7.12 everything works.
On 25.1 it seems that this parameter doesn't work.
I have issues reaching some sites, like I do with 1500 MTU.
I also tried decreasing in steps until I reached 1460, but nothing worked.
Restoring the 24.7.12 snapshot, everything works again.

Issue opened: https://github.com/opnsense/core/issues/8270

2. CrowdSec
With 25.1 it seems that nothing is blocked.
I haven't had time for more investigation of this issue.
Without MTU working I'm unable to test other features.

Thanks.
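Two posts in this thread meet at the same tool: the ping flag mix-up in post #1 (Linux iputils needs "-M do" to set DF, "-D" only timestamps; FreeBSD and macOS ping use "-D" for DF) and the 1492-byte WAN MTU problem in this post. The script below is an added example, not from the thread or OPNsense: it binary-searches the largest ICMP payload that still gets a reply with DF set and reports payload + 28 (20-byte IPv4 header + 8-byte ICMP header) as the path MTU. The probe host, the 0..1472 search range and the 1492 result are assumptions for illustration; the pinger is pluggable so the search can be exercised against a simulated path.

```shell
#!/usr/bin/env bash
# Path-MTU probe with the DF (don't fragment) bit set. Added example for this
# thread, not the poster's or OPNsense's code. IPv4 only.

# ping_df HOST PAYLOAD: one DF-marked echo request, ~1 s timeout.
# Returns 0 on a reply, non-zero on timeout or a local "message too long" /
# "frag needed" error. Flag selection is the point from post #1: Linux iputils
# sets DF with "-M do" ("-D" only prints timestamps); FreeBSD/macOS use "-D".
ping_df() {
    local host="$1" size="$2"
    case "$(uname -s)" in
        Linux)          ping -M do -c 1 -W 1 -s "$size" "$host" >/dev/null 2>&1 ;;
        FreeBSD|Darwin) ping -D    -c 1 -t 1 -s "$size" "$host" >/dev/null 2>&1 ;;
        *) echo "unsupported platform for DF probing" >&2; return 2 ;;
    esac
}

# probe_mtu HOST LOW HIGH [PINGER]
# Largest payload in [LOW, HIGH] for which "PINGER HOST PAYLOAD" succeeds,
# plus 28 bytes of IPv4+ICMP headers. PINGER defaults to ping_df; any function
# with the same calling convention (e.g. a simulated path) can be substituted.
probe_mtu() {
    local host="$1" lo="$2" hi="$3" pinger="${4:-ping_df}"
    local best=-1 mid
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$pinger" "$host" "$mid"; then
            best=$mid            # this size got through: try bigger
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))    # too big (or no reply): try smaller
        fi
    done
    if [ "$best" -lt 0 ]; then
        echo "no payload in range passed with DF set; check that $host answers echo requests at all" >&2
        return 1
    fi
    echo $(( best + 28 ))
}

# Usage (assumed host): PROBE_HOST=192.0.2.1 ./mtu_probe.sh
# 0..1472 covers a 1500-byte Ethernet MTU; a PPPoE-style path as in this post
# would stop at payload 1464 and print 1492.
if [ -n "${PROBE_HOST:-}" ]; then
    probe_mtu "$PROBE_HOST" 0 1472
fi
```

Two caveats when reading the result: a single lost packet is indistinguishable from "too big", so on a lossy link raise "-c" and re-run, and a hop that drops ICMP "fragmentation needed" messages (a PMTUD black hole) shows up here as the search simply shrinking until replies return, which is the same symptom as "some sites unreachable at 1500".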
#15
After a reboot the 502 is gone.
I'm able to download the rules.
BUT (see screenshot)
I can't see send_telemetry.py working.