[SOLVED] "os-intrusion-detection-content-et-open" plugin - rules not loading?
Patrick M. Hausen
« on: December 06, 2021, 03:21:32 pm »
Hi all,
When one activates Suricata for the first time with the OPNsense-provided "open" rulesets and clicks on "Download & Update Rules", the result looks like screenshot #1.
Installing the ET Pro Telemetry plugin and configuring a valid et_telemetry.token results in screenshot #2. So far so good.
Now, if I understood the documentation correctly, there's the "os-intrusion-detection-content-et-open" plugin containing some rulesets that are empty in the "telemetry" rulesets but do contain valuable rules in the "open" rulesets. And the plugin is supposed to add these. Correct?
The problem is that these rules are never downloaded according to the status display in the UI. See screenshot #3, please.
What am I doing wrong?
Thanks,
Patrick
« Last Edit: December 08, 2021, 10:25:34 am by pmhausen »
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
chemlud
« Reply #1 on: December 06, 2021, 04:42:27 pm »
hmmm, have you checked the tick box of the rules you are interested in, pressed "Enable selected" and pressed afterwards "Download and Update rules"?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
Patrick M. Hausen
« Reply #2 on: December 06, 2021, 04:56:44 pm »
Of course. See screenshot
They are all enabled. Whenever I hit the "Download & Update" button the timestamps for the abuse.ch or the telemetry rules are updated. The display for the open rules does not change.
chemlud
« Reply #3 on: December 06, 2021, 05:38:31 pm »
hmmm... what does the Proofpoint Dashboard widget give you as subscription status?
https://docs.opnsense.org/manual/etpro_telemetry.html
"If your sensor will start sending events and heartbeats, it should switch to active after a certain amount of time."
Patrick M. Hausen
« Reply #4 on: December 06, 2021, 05:56:00 pm »
*sigh*
Did you look at my screenshots and read my first posting?
The subscription rules load just fine. There is an additional plugin supposed to supply rules from the "open" ruleset that are missing in the "telemetry" ruleset. That plugin was introduced in April 2021:
https://github.com/opnsense/plugins/issues/2329
It is only these additional rules that should be provided by the "os-intrusion-detection-content-et-open" plugin (I did put that in the thread title) that do not load. At least not according to the rules status display in the UI.
I'll attach the widget anyway, so you see that my subscription is alive and well. And to repeat:
all subscription rules are loaded and updating!
All of this information is in my first post.
Kind regards,
Patrick
Patrick M. Hausen
« Reply #5 on: December 06, 2021, 08:33:55 pm »
I opened an issue on GitHub:
https://github.com/opnsense/plugins/issues/2685
FullyBorked
« Reply #6 on: December 06, 2021, 11:17:34 pm »
Are you sure there are any extra rules that aren't included in the ET pro? Maybe they won't enable because they are already enabled in ET pro? I see "complementary subset" that makes me think the rules would also be included in the larger ET pro master set.
"IDS Proofpoint ET open ruleset
complementary subset
for ET Pro Telemetry edition"
Patrick M. Hausen
« Reply #7 on: December 06, 2021, 11:47:31 pm »
See the discussion in the GitHub issue. I don't know if the rules are supposed to work alongside the telemetry ones. From the description of the plugin I read that the plugin was created specifically for this use case. So, yes, they should. I am irritated by the "not installed" display in the UI and I want to find out what is going on.
Patrick
Patrick M. Hausen
« Reply #8 on: December 08, 2021, 10:25:21 am »
Solved:
https://github.com/opnsense/plugins/commit/5f72f88d60c6d34f0e68e6f600e6fb968aeab94b