OPNsense Forum » Archive » 19.7 Legacy Series » ETPro not working
Topic: ETPro not working (Read 3272 times)
ictinc (Newbie, Posts: 5, Karma: 0)
ETPro not working « on: September 18, 2019, 02:11:13 am »
Hi there,
I've just installed the ETpro rulesets and received the telemetry token.
However when I view my log files I see the following:
Sep 18 02:09:00 /send_telemetry.py: telemetry data collected 416 records in 0.29 seconds @2019-09-18 00:08:58.037806
Sep 18 02:08:24 /send_telemetry.py: unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 403)
Sep 18 02:08:00 /send_telemetry.py: telemetry data collected 411 records in 0.29 seconds @2019-09-18 00:07:57.929836
Sep 18 02:07:37 /send_telemetry.py: unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 403)
Sep 18 02:07:00 /send_telemetry.py: telemetry data collected 404 records in 0.35 seconds @2019-09-18 00:06:57.830542
Sep 18 02:06:07 /send_telemetry.py: unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 403)
Sep 18 02:06:00 /send_telemetry.py: telemetry data collected 397 records in 0.29 seconds @2019-09-18 00:05:57.748519
Sep 18 02:05:56 /send_telemetry.py: unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 403)
Sep 18 02:05:00 /send_telemetry.py: telemetry data collected 391 records in 0.29 seconds @2019-09-18 00:04:57.661354
Sep 18 02:04:56 /send_telemetry.py: unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 403)
Sep 18 02:04:20 /rule-updater.py: download failed for https://rules.emergingthreatspro.com/0dc63aa1d02cbde3e02582fd0b34b9016243828a/suricata-4.0/etpro.rules.tar.gz (http_code: 404)
Sep 18 02:04:13 /rule-updater.py: download failed for https://rules.emergingthreatspro.com/0dc63aa1d02cbde3e02582fd0b34b9016243828a/suricata-4.0/etpro.rules.tar.gz (http_code: 404)
Sep 18 02:04:00 /send_telemetry.py: telemetry data collected 383 records in 0.28 seconds @2019-09-18 00:03:58.658646
Sep 18 02:03:28 /rule-updater.py: download failed for https://rules.emergingthreatspro.com/0dc63aa1d02cbde3e02582fd0b34b9016243828a/suricata-4.0/etpro.rules.tar.gz (http_code: 404)
Sep 18 02:03:26 /send_telemetry.py: unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 403)
Sep 18 02:03:00 /send_telemetry.py: telemetry data collected 361 records in 0.31 seconds @2019-09-18 00:02:47.682815
The new rules are not being downloaded.
What could be the cause of this?
Any help would be much appreciated.
Cheers...
franco (Administrator, Hero Member, Posts: 17668, Karma: 1611)
Re: ETPro not working « Reply #1 on: September 18, 2019, 07:39:37 am »
Typo in et_telemetry.token maybe?
Cheers,
Franco
crt333 (Jr. Member, Posts: 56, Karma: 0)
Re: ETPro not working « Reply #2 on: September 18, 2019, 06:09:46 pm »
I use ET Telemetry, and my rules downloaded last night but the log is full of load errors, like the following (there are lots more lines). I also note that there hasn't been an event in 4 days (very unusual), which may be related to this.
Sep 18 09:00:51 suricata[96398]: [100133] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Credentials Sent to Suspicious TLD via HTTP GET"; flow:to_server,established; content:"GET"; http_method; content:"user"; http_uri; nocase; content:"pass"; http_uri; distance:0; nocase; fast_pattern; pcre:"/\.(?:ga|gq|cf|ml|gdn|tk|icu)$/W"; flowbits:set,ET.eduphish; metadata: former_category PHISHING; classtype:trojan-activity; sid:2025113; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_12_04, updated_at 2019_02_06;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-web_client.rules at line 145
Sep 18 09:00:51 suricata[96398]: [100133] <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Credentials Sent to Suspicious TLD via HTTP GET"; flow:to_server,established; content:"GET"; http_method; content:"user"; http_uri; nocase; content:"pass"; http_uri; distance:0; nocase; fast_pattern; pcre:"/\.(?:ga|gq|cf|ml|gdn|tk|icu)$/W"; flowbits:set,ET.eduphish; metadata: former_category PHISHING; classtype:trojan-activity; sid:2025113; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_12_04, updated_at 2019_02_06;)"
ictinc (Newbie, Posts: 5, Karma: 0)
Re: ETPro not working « Reply #3 on: September 18, 2019, 10:56:19 pm »
I just found out I used the wrong token. I was under the impression the correct one was the code presented at check-out. However I did receive a token by email.
However with that token I still received the same errors.
I did, however, have the "IDS Proofpoint ET Pro ruleset (needs a valid subscription)". Removing that seems to have solved the errors.
Is it correct that those rules are for another subscription?
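The thread shows three distinct symptoms in the OPNsense IDS log: telemetry uploads rejected with 403, ruleset downloads failing with 404 (the token is part of the download URL), and Suricata duplicate/invalid signature errors when overlapping rulesets are enabled. The following triage script is an added example, not code from OPNsense or from any poster; it parses constructed log lines modelled on the ones quoted above (the ET Pro token in the URL is a placeholder) and reports the likely cause for each bucket.

```python
import re
from collections import Counter

# Constructed sample, modelled on the OPNsense IDS log entries quoted in this thread
# (each entry joined onto one line; the ET Pro token in the download URL is a placeholder).
SAMPLE_LOG = """\
Sep 18 02:08:24 /send_telemetry.py: unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 403)
Sep 18 02:08:00 /send_telemetry.py: telemetry data collected 411 records in 0.29 seconds @2019-09-18 00:07:57.929836
Sep 18 02:04:20 /rule-updater.py: download failed for https://rules.emergingthreatspro.com/TOKEN_PLACEHOLDER/suricata-4.0/etpro.rules.tar.gz (http_code: 404)
Sep 18 09:00:51 suricata[96398]: [100133] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Credentials Sent to Suspicious TLD via HTTP GET"; sid:2025113; rev:3;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-web_client.rules at line 145
Sep 18 09:00:51 suricata[96398]: [100133] <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Credentials Sent to Suspicious TLD via HTTP GET"; sid:2025113; rev:3;)"
"""

TELEMETRY_FAIL = re.compile(r"/send_telemetry\.py: unexpected result from \S+ \(http_code (\d{3})\)")
RULE_FAIL = re.compile(r"/rule-updater\.py: download failed for \S+ \(http_code: (\d{3})\)")
SURICATA_ERR = re.compile(r"\[ERRCODE: (SC_ERR_\w+)\(\d+\)\].*?sid:(\d+); rev:(\d+);")


def triage(log_text):
    """Bucket the three failure types seen in the thread and derive likely causes."""
    telemetry = Counter()   # HTTP status -> count of rejected telemetry uploads
    rule_dl = Counter()     # HTTP status -> count of failed ruleset downloads
    suricata = {}           # Suricata error code -> set of affected sids
    for line in log_text.splitlines():
        if m := TELEMETRY_FAIL.search(line):
            telemetry[m.group(1)] += 1
        elif m := RULE_FAIL.search(line):
            rule_dl[m.group(1)] += 1
        elif m := SURICATA_ERR.search(line):
            suricata.setdefault(m.group(1), set()).add(m.group(2))

    findings = []
    # The download URL embeds the token, so a bad token yields 404 on the rules
    # and 403 on the telemetry endpoint: both symptoms point at et_telemetry.token.
    if telemetry["403"] and rule_dl["404"]:
        findings.append("telemetry 403 plus ruleset 404: verify the token in et_telemetry.token "
                        "(use the one sent by email, not the checkout code)")
    elif telemetry["403"] or rule_dl["404"]:
        findings.append("token rejected on one endpoint: re-check et_telemetry.token")
    dup = suricata.get("SC_ERR_DUPLICATE_SIG")
    if dup:
        findings.append("duplicate sid(s) %s: the same rule is likely loaded from more than one "
                        "enabled ruleset; disable the overlapping one" % ", ".join(sorted(dup)))
    bad = suricata.get("SC_ERR_INVALID_SIGNATURE")
    if bad:
        findings.append("sid(s) %s failed to parse: check the rule syntax against the "
                        "installed Suricata version" % ", ".join(sorted(bad)))
    return {"telemetry": telemetry, "rule_download": rule_dl,
            "suricata": {k: sorted(v) for k, v in suricata.items()}, "findings": findings}
```

Run `triage(SAMPLE_LOG)["findings"]` to see the three hints; point it at the real log text from the IDS log view to triage an actual box.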