[SOLVED] "os-intrusion-detection-content-et-open" plugin - rules not loading?

[Patrick M. Hausen]

Hi all,

when one activates Suricata for the first time with the OPNsense provided "open" rulesets, clicks on "Download & Update Rules" the result looks like in screenshot #1.

Installing the ET Pro Telemetry plugin and configuring a valid et_telemetry.token results in screenshot #2. So far so good.

Now, if I understood the documentation correctly, there's the "os-intrusion-detection-content-et-open" plugin containing some rulesets that are empty in the "telemetry" rulesets but do contain valuable rules in the "open" rulesets. And the plugin is supposed to add these. Correct?

The problem is that these rules are never downloaded according to the status display in the UI. See screenshot #3, please.

What am I doing wrong?

Thanks,
Patrick

[chemlud]

hmmm, have you checked the tick box of the rules you are interested in, pressed "Enable selected" and pressed afterwards "Download and Update rules"?

[Patrick M. Hausen]

Of course. See screenshot  ;) They are all enabled. Whenever I hit the "Download & Update" button the timestamps for the abuse.ch or the telemetry rules are updated. The display for the open rules does not change.

[chemlud]

hmmm... what does the proofpoint Dashboard widget give you as subscription status?

https://docs.opnsense.org/manual/etpro_telemetry.html

"If your sensor will start sending events and heartbeats, it should switch to active after a certain amount of time."

[Patrick M. Hausen]

*sigh*

Did you look at my screenshots and read my first posting?

The subscription rules load just fine. There is an additional plugin supposed to supply rules from the "open" ruleset that are missing in the "telemetry" ruleset. That plugin was introduced in April 2021:

https://github.com/opnsense/plugins/issues/2329

It is only these additional rules that should be provided by the "os-intrusion-detection-content-et-open" plugin (i did put that in the thread title) that do not load. At least not according to the rules status display in the UI.

I'll attach the widget anyway, so you see that my subscription is alive and well. And to repeat: all subscription rules are loaded and updating!

All of this information is in my first post.

Kind regards,
Patrick

[Patrick M. Hausen]

I opened an issue on Github: https://github.com/opnsense/plugins/issues/2685

[FullyBorked]

Are you sure there are any extra rules that aren't included in the ET pro?  Maybe they won't enable because they are already enabled in ET pro?  I see "complementary subset" that makes me think the rules would also be included in the larger ET pro master set. 

"IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition"

[Patrick M. Hausen]

See the discussion in the github issue. I don't know if the rules are supposed to work along side the telemetry ones. From the description of the plugin I read that the plugin was created specifically for this use case. So, yes, they should. I am irritated by the "not installed" display in the UI and I want to find out what is going on.

Patrick

[Patrick M. Hausen]

Solved: https://github.com/opnsense/plugins/commit/5f72f88d60c6d34f0e68e6f600e6fb968aeab94b