OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • PT Open ruleset
« previous next »
  • Print
Pages: [1]

Author Topic: PT Open ruleset  (Read 4142 times)

meschmesch

  • Full Member
  • ***
  • Posts: 184
  • Karma: 5
    • View Profile
PT Open ruleset
« on: September 15, 2021, 07:56:23 pm »
Hello,
after installing the plugin of os-intrusion-detection-content-pt-open it appears that there is no change in the available rulesets for download? I only get a set of tickable rules for os-intrusion-detection-content-snort-vrt and for os-intrusion-detection-content-et-open.

  • How can I get the rules of os-intrusion-detection-content-pt-open
  • Are the rules in os-intrusion-detection-content-pt-open corresponding to the commonly known ET Open ruleset? Since I continuously upgraded Opnsense from previous versions, it appears that I only have a few ET open Rulesets left from previous versions of Opnsense (ET open/botcc, ET open/botcc.portgrouped, ET open/ciarmy, ET open/compromised, ET open/drop, ET open/dshield, ET open/emerging-inappropriate and ET open/tor

Thank you!
Logged

meschmesch

  • Full Member
  • ***
  • Posts: 184
  • Karma: 5
    • View Profile
Re: PT Open ruleset
« Reply #1 on: September 16, 2021, 04:35:12 pm »
Ok, looks like adding the ET Pro Telemetry Edition Plugin automatically disables the majority of the native ET open rules. I don't know whether this is an error or wheter there is a reason behind it. An idea on that?

Another question that came to my mind is which rulesets to select:

If you leave memory and speed completely out of the equation and only look at the real-world effectiveness of the filters, I don't know which filters make sense. Opnsense is behind a firewall of an ISP modem, so only very few requests reach Suricata on a few ports. On top of that, most of the communication today is over https, so any viruses, trojans, exploits from Suricata cannot be filtered at all because of the encrypted communication between endpoints. Am I seeing this correctly?

Filters like "emerging-exploit" or "emerging-dos" or "emerging-activex" don't make any sense at all here, do they?

What about IPv6 communication? A large part of the lists contain pure IPv4 addresses? If my system is also reachable via IPv6, Suricata protects relatively little or?

Translated with www.DeepL.com/Translator (free version)
Logged

Fright

  • Hero Member
  • *****
  • Posts: 1777
  • Karma: 164
    • View Profile
Re: PT Open ruleset
« Reply #2 on: September 19, 2021, 05:44:00 pm »
hi
Quote
Are the rules in os-intrusion-detection-content-pt-open corresponding to the commonly known ET Open ruleset
no. these are the rules from the Positive Technologies company. not Proofpoint

Quote
ET Pro Telemetry Edition Plugin automatically disables the majority of the native ET open rules
https://shop.opnsense.com/product/etpro-telemetry/
Code: [Select]
Includes ET Open. ET Pro Telemetry Editions allows you to benefit from the collective intelligence provided by one of the largest and most active IDS/IPS rule writing communities.  Rule submissions are received from all over the world covering never seen before threats—all tested by the Proofpoint’s ET Labs research team to ensure optimum performance and accurate detection.

Quote
so any viruses, trojans, exploits from Suricata cannot be filtered at all because of the encrypted communication between endpoints. Am I seeing this correctly?
Yes and no. If the signature of the threat is in the encrypted part, then yes - the traffic must be decrypted before analysis. But not all rules are based on body analysis.
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • PT Open ruleset
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2