ET telemetry rules - no auto updates

Started by yurka, May 21, 2020, 01:33:12 PM

Hi,

I have 20.1.6 with the ET Pro telemetry plugin. I got the correct token and entered it in the IDS rules screen. Then I enabled all rules and activated scheduled updates. The other rules do get auto-updated, but not the ET Pro rules. When I manually press download and update it works fine. Any ideas why it doesn't do auto updates?

Thx

Have you checked the logfile in the Intrusion Detection section?
What does it say?

System: Settings: Cron: Update and reload intrusion detection: Specify minutes, hours, days....

Example:

Minutes: 10
Hours: 7
Day of the month: 1-30
Months: 1-12
Days of the week: 1-7

That looks weird. Is that really what you get via: Services -> Intrusion Detection -> Log File ?

Mine looks like this:

2020-05-21T21:10:37 suricata: [100149] <Notice> -- rule reload complete
2020-05-21T21:10:03 suricata: [100149] <Notice> -- rule reload starting
2020-05-21T20:10:37 suricata: [100149] <Notice> -- rule reload complete
2020-05-21T20:10:03 suricata: [100149] <Notice> -- rule reload starting

Hi,

Log seems fine:
2020-05-21T12:02:12 suricata: [100585] <Notice> -- rule reload complete
2020-05-21T12:00:13 suricata: [100585] <Notice> -- rule reload starting
2020-05-21T09:10:21 suricata: [100585] <Notice> -- rule reload complete
2020-05-21T09:06:20 suricata: [100585] <Notice> -- rule reload starting
2020-05-20T08:40:18 suricata: [100585] <Notice> -- rule reload complete
2020-05-20T08:38:52 suricata: [100585] <Notice> -- rule reload starting
2020-05-19T06:04:20 suricata: [100585] <Notice> -- rule reload complete
2020-05-19T06:03:00 suricata: [100585] <Notice> -- rule reload starting
2020-05-18T06:46:34 suricata: [100585] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
2020-05-18T06:45:10 suricata: [100585] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
2020-05-18T06:45:10 suricata: [101384] <Notice> -- This is Suricata version 4.1.8 RELEASE
2020-05-18T06:45:10 suricata: [100167] <Notice> -- Stats for 'bce1+': pkts: 244078, drop: 0 (0.00%), invalid chksum: 0
2020-05-18T06:45:10 suricata: [100167] <Notice> -- Stats for 'bce1': pkts: 344785, drop: 0 (0.00%), invalid chksum: 11
2020-05-18T06:45:09 suricata: [100167] <Notice> -- Signal Received. Stopping engine.
2020-05-18T06:35:37 suricata: [100167] <Notice> -- rule reload complete
2020-05-18T06:34:51 suricata: [100167] <Notice> -- rule reload starting
2020-05-18T06:34:37 suricata: [100167] <Notice> -- rule reload complete
2020-05-18T06:34:16 suricata: [100167] <Notice> -- rule reload starting
2020-05-18T06:34:08 suricata: [100167] <Notice> -- rule reload complete
2020-05-18T06:33:26 suricata: [100167] <Notice> -- rule reload starting


For the cron, I set it for each 6 hours.

The rules are officially updated once a day from Monday to Friday between 6pm and 10pm. Therefore it is sufficient to update them once a day. If it is done more often the log indicates that the rules have been restarted but nothing has really been downloaded or updated. You can see when they are updated at the bottom of the following link:

https://rules.emergingthreats.net/changelogs/

May 29, 2020, 11:34:20 AM #6 Last Edit: May 29, 2020, 11:35:59 AM by N0_Klu3
Same with me. I have a fresh OPNsense setup.
IPS configured, and a cron job for rules, and nada, it's not updating.

It does look like it's working in the logs:
2020-05-26T07:01:25 suricata: [100485] <Notice> -- rule reload complete
2020-05-26T07:01:17 suricata: [100485] <Notice> -- rule reload starting

But if I look at the Download tab all the rules haven't been updated since the 24th, which is when I set it up.

May 31, 2020, 03:06:28 PM #7 Last Edit: May 31, 2020, 07:47:19 PM by yurka
@yeraycito - THANKS!!!!!
I don't see any reason why it started to work, but it did.
I changed the Services: Intrusion Detection: Administration:Schedule from:
Minutes:0, Hours:0/6, Day of the month:*, Months:*, Days of the week:* (which basically says update at 6:00, 12:00, 18:00, 00:00 every day)
TO
Minutes:11, Hours:6, Day of the month:1-30, Months:1-12, Days of the week:1-7 (update at 6:11 AM each day)
I played with the timing, going back and forward. Each time I set my initial times it stops the updates; then I update the rules manually and set the second timer, and everything works fine.

@N0_Klu3: First check that when you press "Download & Update Rules" it actually updates all your enabled rules correctly, then change the scheduler to what I wrote above. Give it a day or two to run.

When we enter Services -> Intrusion Detection -> Log File we see this:

2020-05-22T11:10:12 suricata: [100585] <Notice> -- rule reload complete
2020-05-22T11:06:13 suricata: [100585] <Notice> -- rule reload starting
2020-05-21T11:10:21 suricata: [100585] <Notice> -- rule reload complete
2020-05-21T11:06:20 suricata: [100585] <Notice> -- rule reload starting

This means that the rules have been reset, but sometimes new rules will have been downloaded and sometimes not. To know when new rules have been downloaded, you must go to the OPNsense Dashboard and enable the Proofpoint widget (Telemetry status).
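Added example, not code from this thread or from OPNsense: as the two replies above point out, a "rule reload complete" log entry only proves the cron job ran, not that new rules were fetched. This small Python check parses the log format quoted in the thread for the last completed reload and detects real rule changes by comparing SHA-256 hashes of the rule files against a manifest saved on the previous run. The rules directory and the manifest file name are assumptions; the sample log is constructed from the lines quoted above.

```python
import hashlib
import json
import re
import sys
from datetime import datetime
from pathlib import Path

# Log format as quoted in this thread (Services -> Intrusion Detection -> Log File).
RELOAD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+suricata: \[\d+\] "
    r"<Notice> -- rule reload (?P<event>starting|complete)$"
)

# Constructed sample built from the lines quoted in the thread (newest first).
SAMPLE_LOG = """\
2020-05-22T11:10:12 suricata: [100585] <Notice> -- rule reload complete
2020-05-22T11:06:13 suricata: [100585] <Notice> -- rule reload starting
2020-05-21T11:10:21 suricata: [100585] <Notice> -- rule reload complete
2020-05-21T11:06:20 suricata: [100585] <Notice> -- rule reload starting
"""

def last_reload(log_text):
    """Timestamp of the most recent completed rule reload, or None.
    A reload entry only proves the scheduler fired; it says nothing about new rules."""
    done = [datetime.fromisoformat(m["ts"])
            for m in (RELOAD_RE.match(l.strip()) for l in log_text.splitlines())
            if m and m["event"] == "complete"]
    return max(done) if done else None

def rules_manifest(rules_dir):
    """Map each *.rules file under rules_dir to the SHA-256 of its content."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(rules_dir).glob("*.rules"))}

def changed_files(before, after):
    """Names whose hash differs between two manifests (added, removed or modified)."""
    return sorted(n for n in before.keys() | after.keys() if before.get(n) != after.get(n))

if __name__ == "__main__":
    # Assumed paths: the usual Suricata rules directory and a state file kept by this script;
    # pass an exported log file as a second argument to also report the last reload.
    rules_dir = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/etc/suricata/rules"
    state = Path("rules-manifest.json")
    previous = json.loads(state.read_text()) if state.exists() else {}
    current = rules_manifest(rules_dir)
    if len(sys.argv) > 2:
        print("last completed reload:", last_reload(Path(sys.argv[2]).read_text()))
    print("rule files changed since last run:", changed_files(previous, current) or "none")
    state.write_text(json.dumps(current, indent=1))
```

Run it once after a manual "Download & Update Rules" to seed the manifest, then after each scheduled run: an empty change list next to a fresh reload entry is exactly the "reloaded but nothing downloaded" case described above.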