ET Pro Telemetry rules not loading

Started by r111, July 07, 2021, 05:10:30 PM

I'm trying to get the ET Pro Telemetry rules to load. I have enabled Intrusion Detection, IPS mode, Promiscuous mode, Hyperscan, and chosen the LAN and WAN interfaces (I understand this is how to do it when VLANs are in use). I have installed the os-etpro-telemetry plugin and entered my et_telemetry.token. Under "Download" I have selected all of the ET telemetry rules and enabled them.

When I press "Download & Update Rules" it spins for a bit and then stops. No rules appear under the Rules tab. The Suricata log file (Services > Intrusion Detection > Log File) shows this:

2021-07-07T10:46:34   suricata[83728]   [100170] <Notice> -- rule reload complete
2021-07-07T10:46:34   suricata[83728]   [100170] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 7 rule files specified, but no rule was loaded at all!
2021-07-07T10:46:34   suricata[83728]   [100170] <Notice> -- rule reload starting

The system log (System > Log Files > General) shows the following:

2021-07-07T10:46:34   /rule-updater.py[4309]   version response for https://opnsense.emergingthreats.net/api/v1/ruleset/version : {"ruleset": "opnsense-rules.tar.gz", "version": "9790"}

So it looks like it's downloading something, but Suricata is not receiving any rules. Can anyone help me figure out what's going on here? Thanks.

July 07, 2021, 10:47:45 PM #1 Last Edit: July 07, 2021, 10:50:20 PM by r111
This is now resolved.

After experimenting around I tried subscribing to Snort and loading their rules instead. Those wouldn't load either. This suggested to me that it was not a problem with a particular ruleset or source of rulesets. In the end what helped was to go to the Download tab, check all the rulesets I had enabled and choose "Disable selected". I did this and many more rulesets suddenly showed up in the Download list, including both ET Telemetry and Snort rules. I selected some, then pressed "Save" and "Download & Update Rules", and now I have more rules than I know what to do with.

I guess something had become corrupted in the list of available rulesets. Disabling all of them seemed to fix that so I could start again.

Replying for future reference for the community:

The manual states that first the ET Telemetry Token needs to be registered, so paste that into the token field and hit "SAVE" first.
Only afterwards, press the update & download button
(verify that you've got the token in the config by running the command: grep 'et_telemetry.token' /usr/local/etc/suricata/rule-updater.config). If after a page reload the token is not there, then there is an error (which you can confirm with the following command: configctl template reload OPNsense/IDS).

Mine showed OK and with the SAVE button it was good.
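A small diagnostic script for the two checks discussed in this thread (the Suricata "no rule was loaded" warning in the IDS log, and whether the ET telemetry token is actually present in rule-updater.config), added here as an example; it is not code from OPNsense or from any poster. It embeds constructed sample log and config text so it runs offline. The INI-style layout of rule-updater.config and the placeholder token value are assumptions; only the key name et_telemetry.token, the file path and the log wording come from the thread. Point the functions at the real files (/var/log/suricata/suricata.log style paths vary by version, so pass them explicitly) to use it on a live box.

```shell
#!/bin/sh
# Diagnostic helper (added example, not OPNsense's own code).
# Checks the two symptoms from the thread:
#   1. Suricata reporting SC_ERR_NO_RULES_LOADED after a rule reload
#   2. et_telemetry.token missing/empty in rule-updater.config

# Constructed sample: mirrors the Suricata log lines quoted in the thread.
SAMPLE_SURICATA_LOG='2021-07-07T10:46:34   suricata[83728]   [100170] <Notice> -- rule reload complete
2021-07-07T10:46:34   suricata[83728]   [100170] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 7 rule files specified, but no rule was loaded at all!
2021-07-07T10:46:34   suricata[83728]   [100170] <Notice> -- rule reload starting'

# Constructed sample of a healthy reload (no warning at all).
SAMPLE_SURICATA_LOG_OK='2021-07-07T11:02:10   suricata[83728]   [100170] <Notice> -- rule reload starting
2021-07-07T11:02:12   suricata[83728]   [100170] <Notice> -- rule reload complete'

# Constructed sample configs. The section header/layout is an assumption;
# only the key name et_telemetry.token comes from the thread. The token
# value is an obvious placeholder, not a real token.
SAMPLE_CONFIG_WITH_TOKEN='[__properties__]
et_telemetry.token = PLACEHOLDER-TOKEN-0123456789'
SAMPLE_CONFIG_NO_TOKEN='[__properties__]
et_telemetry.token ='

# token_configured CONFIG_FILE
# Exit 0 when et_telemetry.token has a non-empty value. The value itself
# is never printed, so this is safe to paste into a forum post.
token_configured() {
    grep -Eq '^[[:space:]]*et_telemetry\.token[[:space:]]*=[[:space:]]*[^[:space:]]+' "$1"
}

# rules_loaded_ok SURICATA_LOG
# Exit 0 when the log contains no SC_ERR_NO_RULES_LOADED warning.
rules_loaded_ok() {
    ! grep -q 'SC_ERR_NO_RULES_LOADED' "$1"
}

# rule_files_specified SURICATA_LOG
# Print the "N rule files specified" count from the warning, or 0 if absent.
rule_files_specified() {
    n=$(sed -n 's/.*- \([0-9][0-9]*\) rule files specified.*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${n:-0}"
}

# diagnose SURICATA_LOG CONFIG_FILE
# Print one line per check; return non-zero if either check fails.
diagnose() {
    log=$1
    cfg=$2
    status=0
    if token_configured "$cfg"; then
        echo "token: present in $cfg"
    else
        echo "token: MISSING or empty in $cfg (save the token first, then: configctl template reload OPNsense/IDS)"
        status=1
    fi
    if rules_loaded_ok "$log"; then
        echo "rules: no SC_ERR_NO_RULES_LOADED warning in $log"
    else
        echo "rules: $(rule_files_specified "$log") rule file(s) referenced but none loaded; re-check enabled rulesets under Download and run Download & Update Rules again"
        status=1
    fi
    return $status
}

# Write the constructed samples to temp files (left in place for inspection)
# and run the check against the failing case from the thread.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_SURICATA_LOG" > "$tmp/suricata.log"
printf '%s\n' "$SAMPLE_SURICATA_LOG_OK" > "$tmp/suricata_ok.log"
printf '%s\n' "$SAMPLE_CONFIG_WITH_TOKEN" > "$tmp/with_token.config"
printf '%s\n' "$SAMPLE_CONFIG_NO_TOKEN" > "$tmp/no_token.config"

diagnose "$tmp/suricata.log" "$tmp/no_token.config"
echo "diagnose exit status: $?"
```

On a real system, replace the temp-file paths with the IDS log shown under Services > Intrusion Detection > Log File and /usr/local/etc/suricata/rule-updater.config; a "token: MISSING" line after you have saved the token is the error condition the last reply describes, and a non-zero "rule file(s) referenced but none loaded" line is the state the original post hit before disabling and re-enabling the rulesets.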