ET Pro telemetry for testing?

Greg_E:
I'm setting up a test box to try and get everything ready for production. I'd like to set up Suricata with the ET Pro telemetry version, but I found something in the agreement that will probably stop this from working.

It says that if you don't send any telemetry back within a certain time frame, your token will be disabled and the rules will fall back to ET Open. In testing I can almost guarantee that I will not report often enough to keep this active. #5 here https://shop.opnsense.com/etpro-telemetry-faq/

So is there a way to have this working for testing since ET Pro and ET Open are supposed to be fairly different in included rules? The comparison is here: https://www.proofpoint.com/sites/default/files/data-sheets/pfpt-us-ds-etpro-vs-etopen-ruleset.pdf

xpendable:
I don't think in the current setup the rules would actually "fall back" to the open rule sets. These end up being 2 different rule sets. Within the GUI they will be displayed as "ET open/tor" and "ET telemetry/tor" respectively, for example.

Also, the ET Telemetry ruleset does not contain all the ET Pro nor all the ET Open rulesets as far as I can tell. Currently, if using the ET Telemetry rulesets, it's best to also enable the corresponding ET Open rulesets to get full protection. You just have to live with the duplicate signature errors within the log file.

https://forum.opnsense.org/index.php?topic=38976.0
