ET PRO Telemetry not working anymore

Started by guenti_r, January 09, 2025, 11:24:41 AM

Hi all,

On one of my OPNsense instances (24.10.1) this plug-in is not working anymore.
It downloads the wrong rules (et-open) because the heartbeat does not work.
Also the widget shows nothing.
This OPNsense has been running since 2021 without any changes; the sensor token is also the same since it was ordered in 2021.

/sensor_info.py shows

{"sensorId":"--REMOVED--","sensor_status":"DISABLED","last_heartbeat":"2025-01-09T10:12:05+00:00","last_rule_download":"2025-01-09T09:30:38+00:00","event_received":"2022-12-30T21:11:36+00:00","created":"2021-12-15T13:00:09+00:00","disable_date":"2023-01-04T21:11:36+00:00","status":"ok"}
The bad thing is, if the sensor is disabled for some time, it downloads a VERY outdated et_open rule package, which is very dangerous because the implemented policies do not work with these outdated rules. So Suricata randomly blocks a lot of the wrong traffic, which is catastrophic!

January 13, 2025, 08:06:40 PM #1 Last Edit: January 13, 2025, 08:09:34 PM by if8ps3Jc
I have the same issue on three OPNsense firewalls (DEC2685, DEC2750, DEC3840), all on v24.10.1.

This issue has been ongoing for some weeks: sometimes the downloaded rules are recent and it works for some hours or days, until the next time it downloads heavily outdated rules, which causes a lot of falsely blocked traffic.

Is there no workaround?
I might have to remove ET PRO Telemetry rules completely for now.

Here the widget does not seem to work either. Hope a fix/workaround will be available to solve this.
Deciso DEC850v2


Greetings all - We've modified the token code to re-enable sensors which had been disabled in this period as well as open up the window that's examined to determine whether a sensor is still sending us data (or not). Apologies for the disruption. We'll get some documentation out clarifying our position on telemetry reception and periodicity soon. --ET Team

Thank you for the update! Widget is showing data again.
Deciso DEC850v2

January 22, 2025, 11:56:32 PM #6 Last Edit: January 23, 2025, 12:00:25 AM by corran22 Reason: changed duplicate message
Please let us know at support(at)emergingthreats.net if you have further problems.

January 25, 2025, 05:46:11 AM #7 Last Edit: January 25, 2025, 06:08:40 AM by TheTecnophen
After a fresh install of OPNsense I added the ET Pro Telemetry edition plug-in. However, the place where I would insert my token is not showing up at the bottom of the download page:

Services>Intrusion Detection>Administration>Download

Edit: The Snort VRT plug-in does show up where it's supposed to when installed.

Quote from: corran22 on January 22, 2025, 11:56:32 PM
Please let us know at support(at)emergingthreats.net if you have further problems.

Hi,

My sensor is somehow disabled again? See below:
{"sensorId":"--REDACTED--","sensor_status":"DISABLED","last_heartbeat":"2025-01-29T01:07:52+00:00","last_rule_download":"2025-01-28T20:00:07+00:00","event_received":"2025-01-28T21:22:19+00:00","created":"2025-01-23T04:50:15+00:00","disable_date":"2025-04-28T21:22:19+00:00","status":"ok"}
The last event and heartbeat are less than 24 hours ago, yet somehow the sensor is DISABLED again.
Puzzling...

Thanks

My token was disabled again as well. I had this issue before and monitored this thread until it was resolved. It has become disabled again sometime in the past 12 hours.

{"sensorId":"XXX-REDACTED-XXX","sensor_status":"DISABLED","last_heartbeat":"2025-01-31T17:01:09+00:00","last_rule_download":"2025-01-31T07:00:14+00:00","event_received":"2025-01-20T16:29:41+00:00","created":"2024-12-23T15:45:11+00:00","disable_date":"2025-04-20T16:29:41+00:00","status":"ok"}

Quote from: Dantichrist on January 31, 2025, 07:30:56 PM
My token was disabled again as well. I had this issue before and monitored this thread until it was resolved. It has become disabled again sometime in the past 12 hours.

{"sensorId":"XXX-REDACTED-XXX","sensor_status":"DISABLED","last_heartbeat":"2025-01-31T17:01:09+00:00","last_rule_download":"2025-01-31T07:00:14+00:00","event_received":"2025-01-20T16:29:41+00:00","created":"2024-12-23T15:45:11+00:00","disable_date":"2025-04-20T16:29:41+00:00","status":"ok"}

I emailed support as post #6 suggested. They responded saying that there was a backend DB issue, and that they were working to resolve it. After a bit of time it's working fine again. Thanks!
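
Added example (not part of the thread, and not code from the plug-in or the ET team): a small check that reads JSON in the shape of the sensor_info.py output quoted above and flags the states reported here, so a disabled sensor is noticed before outdated rules start blocking traffic. The finding codes, the 24-hour threshold and the reading of `disable_date` as the time the backend would disable the sensor are assumptions.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the sensor_info.py output quoted in the thread.
SAMPLE = ('{"sensorId":"--REDACTED--","sensor_status":"DISABLED",'
          '"last_heartbeat":"2025-01-29T01:07:52+00:00",'
          '"last_rule_download":"2025-01-28T20:00:07+00:00",'
          '"disable_date":"2025-04-28T21:22:19+00:00","status":"ok"}')


def _ts(value):
    """Parse an ISO-8601 timestamp field; None if absent or malformed."""
    try:
        parsed = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    # Treat a timestamp without an offset as UTC so comparisons never fail.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_sensor(raw, now, max_age=timedelta(hours=24)):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    try:
        info = json.loads(raw)
    except json.JSONDecodeError:
        info = None
    if not isinstance(info, dict):
        return ["UNPARSEABLE"]
    findings = []
    if str(info.get("sensor_status", "")).upper() == "DISABLED":
        findings.append("DISABLED")
        # Assumption: disable_date is when the backend would disable the sensor,
        # so DISABLED before that date is the anomaly reported in the thread.
        disable_date = _ts(info.get("disable_date"))
        if disable_date and disable_date > now:
            findings.append("DISABLED_BEFORE_DISABLE_DATE")
    # max_age is an illustrative threshold, not a documented ET value.
    for field, code in (("last_heartbeat", "STALE_HEARTBEAT"),
                        ("last_rule_download", "STALE_RULES")):
        seen = _ts(info.get(field))
        if seen is None or now - seen > max_age:
            findings.append(code)
    return findings


if __name__ == "__main__":
    # Pipe the real sensor_info.py output in; with no pipe the sample is used.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    result = check_sensor(raw, datetime.now(timezone.utc))
    print("\n".join(result) or "OK")
    sys.exit(1 if result else 0)
```

The script exits non-zero when anything is flagged, so it can be run from cron or a monitoring agent to raise an alert.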