ETPro not working

Started by ictinc, September 18, 2019, 02:11:13 AM

Hi there,
I've just installed the ETpro rulesets and received the telemetry token.

However, when I view my log files I see the following:

Sep 18 02:09:00    /send_telemetry.py: telemetry data collected 416 records in 0.29 seconds @2019-09-18 00:08:58.037806
Sep 18 02:08:24    /send_telemetry.py: unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 403)
Sep 18 02:08:00    /send_telemetry.py: telemetry data collected 411 records in 0.29 seconds @2019-09-18 00:07:57.929836
Sep 18 02:07:37    /send_telemetry.py: unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 403)
Sep 18 02:07:00    /send_telemetry.py: telemetry data collected 404 records in 0.35 seconds @2019-09-18 00:06:57.830542
Sep 18 02:06:07    /send_telemetry.py: unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 403)
Sep 18 02:06:00    /send_telemetry.py: telemetry data collected 397 records in 0.29 seconds @2019-09-18 00:05:57.748519
Sep 18 02:05:56    /send_telemetry.py: unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 403)
Sep 18 02:05:00    /send_telemetry.py: telemetry data collected 391 records in 0.29 seconds @2019-09-18 00:04:57.661354
Sep 18 02:04:56    /send_telemetry.py: unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 403)
Sep 18 02:04:20    /rule-updater.py: download failed for https://rules.emergingthreatspro.com/0dc63aa1d02cbde3e02582fd0b34b9016243828a/suricata-4.0/etpro.rules.tar.gz (http_code: 404)
Sep 18 02:04:13    /rule-updater.py: download failed for https://rules.emergingthreatspro.com/0dc63aa1d02cbde3e02582fd0b34b9016243828a/suricata-4.0/etpro.rules.tar.gz (http_code: 404)
Sep 18 02:04:00    /send_telemetry.py: telemetry data collected 383 records in 0.28 seconds @2019-09-18 00:03:58.658646
Sep 18 02:03:28    /rule-updater.py: download failed for https://rules.emergingthreatspro.com/0dc63aa1d02cbde3e02582fd0b34b9016243828a/suricata-4.0/etpro.rules.tar.gz (http_code: 404)
Sep 18 02:03:26    /send_telemetry.py: unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 403)
Sep 18 02:03:00    /send_telemetry.py: telemetry data collected 361 records in 0.31 seconds @2019-09-18 00:02:47.682815

The new rules are not being downloaded.
What could be the cause of this?
Any help would be much appreciated.

Cheers...

Typo in et_telemetry.token maybe?


Cheers,
Franco

I use ET Telemetry, and my rules downloaded last night, but the log is full of load errors like the following (there are lots more lines). I also note that there hasn't been an event in 4 days (very unusual), which may be related to this.

Sep 18 09:00:51    suricata[96398]: [100133] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Credentials Sent to Suspicious TLD via HTTP GET"; flow:to_server,established; content:"GET"; http_method; content:"user"; http_uri; nocase; content:"pass"; http_uri; distance:0; nocase; fast_pattern; pcre:"/\.(?:ga|gq|cf|ml|gdn|tk|icu)$/W"; flowbits:set,ET.eduphish; metadata: former_category PHISHING; classtype:trojan-activity; sid:2025113; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_12_04, updated_at 2019_02_06;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-web_client.rules at line 145

Sep 18 09:00:51    suricata[96398]: [100133] <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Credentials Sent to Suspicious TLD via HTTP GET"; flow:to_server,established; content:"GET"; http_method; content:"user"; http_uri; nocase; content:"pass"; http_uri; distance:0; nocase; fast_pattern; pcre:"/\.(?:ga|gq|cf|ml|gdn|tk|icu)$/W"; flowbits:set,ET.eduphish; metadata: former_category PHISHING; classtype:trojan-activity; sid:2025113; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_12_04, updated_at 2019_02_06;)"

I just found out I used the wrong token. I was under the impression the correct one was the code presented at check-out. However, I did receive a token by email.
However, with that token I still received the same errors.

I did, however, have the "IDS Proofpoint ET Pro ruleset (needs a valid subscription)". Removing that seems to have solved the errors.
Is it correct that those rules are for another subscription?
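The thread shows three distinct failure signatures in the OPNsense and Suricata logs: a 403 from the telemetry endpoint (token rejected), a 404 for the ET Pro rule archive (token or subscription path not accepted), and SC_ERR_DUPLICATE_SIG when the same SID is loaded from two enabled rulesets. The script below is an added example, not part of the thread or of OPNsense's own code: it triages log lines of those shapes and also checks a set of rule files for SIDs that appear more than once, which is the overlap the last post resolved by disabling one ruleset. The log lines and rule snippets in it are constructed from the formats quoted above, with the subscription token replaced by a placeholder.

```python
import re
from collections import Counter, defaultdict

# Patterns for the log shapes quoted in the thread: OPNsense's
# send_telemetry.py / rule-updater.py messages and Suricata's own
# rule-loading errors.
TELEMETRY_FAIL = re.compile(
    r"send_telemetry\.py: unexpected result from (?P<url>\S+) \(http_code (?P<code>\d+)\)"
)
DOWNLOAD_FAIL = re.compile(
    r"rule-updater\.py: download failed for (?P<url>\S+) \(http_code: (?P<code>\d+)\)"
)
ERRCODE = re.compile(r"\[ERRCODE: (?P<err>[A-Z_]+)\((?P<num>\d+)\)\]")
SID = re.compile(r"\bsid:(?P<sid>\d+);")
FROM_FILE = re.compile(r" from file (?P<file>\S+) at line (?P<line>\d+)")


def triage(lines):
    """Classify log lines and return a summary with plain-language hints."""
    summary = {
        "telemetry_http": Counter(),   # HTTP code -> count of telemetry failures
        "download_http": Counter(),    # HTTP code -> count of rule download failures
        "suricata_errors": Counter(),  # ERRCODE name -> count
        "sids": defaultdict(set),      # sid -> set of ERRCODE names seen for it
        "sid_files": defaultdict(set), # sid -> rule files Suricata named for it
        "hints": [],
    }
    for line in lines:
        m = TELEMETRY_FAIL.search(line)
        if m:
            summary["telemetry_http"][int(m["code"])] += 1
            continue
        m = DOWNLOAD_FAIL.search(line)
        if m:
            summary["download_http"][int(m["code"])] += 1
            continue
        m = ERRCODE.search(line)
        if m:
            summary["suricata_errors"][m["err"]] += 1
            s = SID.search(line)
            if s:
                sid = int(s["sid"])
                summary["sids"][sid].add(m["err"])
                f = FROM_FILE.search(line)
                if f:
                    summary["sid_files"][sid].add(f["file"])
    # Hints restate the causes discussed in the thread.
    if summary["telemetry_http"][403]:
        summary["hints"].append("telemetry endpoint returned 403: check et_telemetry.token")
    if summary["download_http"][404]:
        summary["hints"].append("rule archive returned 404: token or subscription path not accepted")
    if summary["suricata_errors"]["SC_ERR_DUPLICATE_SIG"]:
        dup = sorted(s for s, errs in summary["sids"].items() if "SC_ERR_DUPLICATE_SIG" in errs)
        summary["hints"].append(f"SIDs loaded twice, overlapping rulesets enabled? {dup}")
    return summary


def duplicate_sids(rule_files):
    """Return {sid: sorted files} for SIDs present in more than one rule file."""
    seen = defaultdict(set)
    for name, text in rule_files.items():
        for raw in text.splitlines():
            rule = raw.strip()
            if not rule or rule.startswith("#"):
                continue  # blank or commented-out rules are never loaded
            m = SID.search(rule)
            if m:
                seen[int(m["sid"])].add(name)
    return {sid: sorted(files) for sid, files in seen.items() if len(files) > 1}


# Constructed sample input in the thread's log formats; TOKEN_PLACEHOLDER stands in
# for the real subscription token that appears in the download URL.
SAMPLE_LOG = [
    "Sep 18 02:08:24    /send_telemetry.py: unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 403)",
    "Sep 18 02:08:00    /send_telemetry.py: telemetry data collected 411 records in 0.29 seconds @2019-09-18 00:07:57.929836",
    "Sep 18 02:07:37    /send_telemetry.py: unexpected result from https://opnsense.emergingthreats.net/api/v1/event (http_code 403)",
    "Sep 18 02:04:20    /rule-updater.py: download failed for https://rules.emergingthreatspro.com/TOKEN_PLACEHOLDER/suricata-4.0/etpro.rules.tar.gz (http_code: 404)",
    'Sep 18 09:00:51    suricata[96398]: [100133] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT example"; sid:2025113; rev:3;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-web_client.rules at line 145',
    'Sep 18 09:00:51    suricata[96398]: [100133] <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT example"; sid:2025113; rev:3;)"',
]

# Constructed rule files: the same SID enabled in two files, another SID enabled
# in one file and commented out in the other.
SAMPLE_RULES = {
    "emerging-web_client.rules": (
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT example"; sid:2025113; rev:3;)\n'
        'alert tcp any any -> any any (msg:"only here"; sid:2000001; rev:1;)\n'
    ),
    "etpro-web_client.rules": (
        'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT example"; sid:2025113; rev:3;)\n'
        '# alert tcp any any -> any any (msg:"disabled"; sid:2000001; rev:1;)\n'
    ),
}

if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG)["hints"]:
        print(hint)
    print(duplicate_sids(SAMPLE_RULES))
```

On a live box the same functions can be fed the output of the IDS log from the web UI or `/var/log/suricata.log`, and the rule directory `/usr/local/etc/suricata/opnsense.rules/` read into the dict; a non-empty result from duplicate_sids points at two enabled rulesets shipping the same signatures, which is the condition that produced the duplicate-signature errors above.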