PT Open ruleset

Started by meschmesch, September 15, 2021, 07:56:23 PM

Hello,
after installing the plugin of os-intrusion-detection-content-pt-open it appears that there is no change in the available rulesets for download? I only get a set of tickable rules for os-intrusion-detection-content-snort-vrt and for os-intrusion-detection-content-et-open.


  • How can I get the rules of os-intrusion-detection-content-pt-open
  • Are the rules in os-intrusion-detection-content-pt-open corresponding to the commonly known ET Open ruleset? Since I continuously upgraded Opnsense from previous versions, it appears that I only have a few ET open rulesets left from previous versions of Opnsense (ET open/botcc, ET open/botcc.portgrouped, ET open/ciarmy, ET open/compromised, ET open/drop, ET open/dshield, ET open/emerging-inappropriate and ET open/tor).

Thank you!

Ok, looks like adding the ET Pro Telemetry Edition Plugin automatically disables the majority of the native ET open rules. I don't know whether this is an error or whether there is a reason behind it. An idea on that?

Another question that came to my mind is which rulesets to select:

If you leave memory and speed completely out of the equation and only look at the real-world effectiveness of the filters, I don't know which filters make sense. Opnsense is behind a firewall of an ISP modem, so only very few requests reach Suricata on a few ports. On top of that, most of the communication today is over https, so any viruses, trojans, exploits from Suricata cannot be filtered at all because of the encrypted communication between endpoints. Am I seeing this correctly?

Filters like "emerging-exploit" or "emerging-dos" or "emerging-activex" don't make any sense at all here, do they?

What about IPv6 communication? A large part of the lists contain pure IPv4 addresses? If my system is also reachable via IPv6, Suricata protects relatively little or?

Translated with www.DeepL.com/Translator (free version)

hi
Quote: Are the rules in os-intrusion-detection-content-pt-open corresponding to the commonly known ET Open ruleset?
no. these are the rules from the Positive Technologies company. not Proofpoint

Quote: ET Pro Telemetry Edition Plugin automatically disables the majority of the native ET open rules
https://shop.opnsense.com/product/etpro-telemetry/

Includes ET Open. ET Pro Telemetry Edition allows you to benefit from the collective intelligence provided by one of the largest and most active IDS/IPS rule writing communities. Rule submissions are received from all over the world covering never seen before threats—all tested by the Proofpoint's ET Labs research team to ensure optimum performance and accurate detection.


Quote: so any viruses, trojans, exploits from Suricata cannot be filtered at all because of the encrypted communication between endpoints. Am I seeing this correctly?
Yes and no. If the signature of the threat is in the encrypted part, then yes - the traffic must be decrypted before analysis. But not all rules are based on body analysis.
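The "yes and no" above, and the IPv6 question from the first post, both come down to what a given rule actually inspects. The script below is an added example, not code from this thread, from OPNsense or from the Suricata project: it is a small classifier for Suricata rule lines that reports, per rule, whether the match depends on the application payload (blind once the session is TLS-encrypted), on the cleartext TLS handshake (SNI, certificate fields, JA3), or only on headers such as addresses, ports and flow state (encryption irrelevant, which is how the botcc/ciarmy/drop/dshield style lists work), and which IP version the rule can ever match. The parser covers the common `action proto src sport -> dst dport (options)` form only, the keyword sets are a deliberately short subset of Suricata's, and the sample rules, their SIDs and addresses are constructed for this example.

```python
"""Classify Suricata rules by what part of the traffic they need.

Added example, not from the OPNsense thread or the Suricata project.
Simplifications: only the 'action proto src sport -> dst dport (options)'
form is parsed, negated addresses ('!x') are treated as unrestricted, and
the keyword sets below are a small subset of what Suricata supports.
"""
import ipaddress
import re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

# Sticky buffers that look at the TLS handshake, which crosses the wire in the
# clear before encryption starts, so such rules still fire on HTTPS sessions.
TLS_HANDSHAKE_KEYWORDS = {"tls.sni", "tls.cert_subject", "tls.cert_issuer",
                          "tls.cert_serial", "tls.fingerprint", "tls.version",
                          "ja3.hash", "ja3s.hash"}
# Keywords that inspect the application payload, which TLS hides from the sensor.
PAYLOAD_KEYWORDS = {"content", "pcre", "uricontent", "file_data", "byte_test",
                    "byte_jump", "isdataat", "http.uri", "http.host",
                    "http.header", "http.user_agent", "http.method", "http.cookie"}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    options: list  # list of (keyword, value) pairs; value is '' for bare keywords


def split_options(text):
    """Split the '(...)' body on ';' while leaving quoted values intact."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rule(line):
    """Return a Rule for one rule line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised rule syntax: {line[:60]}")
    options = []
    for item in split_options(m.group("opts")):
        key, _, value = item.partition(":")
        options.append((key.strip(), value.strip().strip('"')))
    return Rule(m.group("action"), m.group("proto"), m.group("src"), m.group("dst"), options)


def address_families(spec):
    """IP versions an address field can match. Variables such as $HOME_NET,
    'any' and negations are unrestricted and count as both 4 and 6."""
    families = set()
    for token in spec.strip("[]").split(","):
        token = token.strip().strip("[]")
        if not token or token == "any" or token.startswith("$") or token.startswith("!"):
            families.update({4, 6})
        else:
            families.add(ipaddress.ip_network(token, strict=False).version)
    return families


def classify(rule):
    keywords = {k for k, _ in rule.options}
    if keywords & TLS_HANDSHAKE_KEYWORDS:
        match = "tls-handshake"   # content is bound to a cleartext handshake buffer
    elif keywords & PAYLOAD_KEYWORDS:
        match = "payload"         # needs decrypted application data
    else:
        match = "header"          # addresses/ports/flow only; encryption irrelevant
    # A packet has one IP version, so both ends must allow it.
    families = address_families(rule.src) & address_families(rule.dst)
    sid = next((v for k, v in rule.options if k == "sid"), "?")
    msg = next((v for k, v in rule.options if k == "msg"), "")
    return {"sid": sid, "msg": msg, "match": match,
            "works_on_tls": match != "payload", "ip_versions": sorted(families)}


def audit(rules_text):
    return [classify(r) for r in map(parse_rule, rules_text.splitlines()) if r]


# Constructed sample rules (placeholder SIDs, documentation address ranges).
SAMPLE_RULES = """
drop ip [198.51.100.7,198.51.100.8] any -> $HOME_NET any (msg:"CONSTRUCTED ip-list drop"; classtype:misc-attack; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED http uri match"; flow:established,to_server; http.uri; content:"/evil.php"; sid:9000002; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"CONSTRUCTED sni match"; flow:established,to_server; tls.sni; content:"bad.example"; nocase; sid:9000003; rev:1;)
alert ip 2001:db8::/32 any -> $HOME_NET any (msg:"CONSTRUCTED v6-only source"; sid:9000004; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"CONSTRUCTED; semicolon inside quotes"; content:"SSH-"; sid:9000005; rev:1;)
"""

if __name__ == "__main__":
    for row in audit(SAMPLE_RULES):
        print(f"sid {row['sid']}: {row['match']:<13} tls_ok={row['works_on_tls']!s:<5} "
              f"ipv={row['ip_versions']}  {row['msg']}")
```

Run against a real ruleset file, the same `audit()` gives a quick count of how many enabled rules are payload-only (and therefore do nothing for HTTPS-only hosts) versus header- or handshake-based, and how many can never match IPv6 traffic because their address lists are IPv4 literals; that is the practical answer to "which rulesets are worth enabling" for a given network.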