Empty rules with ET Pro Telemetry

Started by RayonRa, February 23, 2025, 10:07:07 PM

Hi,
I use ET Pro Telemetry.
Looking around, I didn't see any logs from Dshield and 3coresec.
I logged in via SSH and looked at /usr/local/etc/suricata/opnsense.rules/dshield.rules

this is the content:
#@opnsense_download_hash:f4094b88f662f07551c66c5ae72c6fbf
So I deleted the file and redownloaded it, same result.

I notice that other rules have the same issue, for example 3coresec.rules

All the rules that are 57 bytes big in the list below have the problem.

Thanks.

-rw-r-----  1 root wheel       57 Feb 23 21:26 3coresec.rules
-rw-r-----  1 root wheel       97 Feb 23 21:26 OPNsense.rules
-rw-r-----  1 root wheel     1028 Feb 23 21:26 abuse.ch.feodotracker.rules
-rw-r-----  1 root wheel  2042544 Feb 23 21:26 abuse.ch.sslblacklist.rules
-rw-r-----  1 root wheel      516 Feb 23 21:26 abuse.ch.sslipblacklist.rules
-rw-r-----  1 root wheel 31596216 Feb 23 21:26 abuse.ch.threatfox.rules
-rw-r-----  1 root wheel 18809297 Feb 23 21:26 abuse.ch.urlhaus.rules
-rw-r-----  1 root wheel     2161 Feb 23 21:26 botcc.portgrouped.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 botcc.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 ciarmy.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 compromised.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 drop.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 dshield.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-activex.rules
-rw-r-----  1 root wheel   362964 Feb 23 21:26 emerging-adware_pup.rules
-rw-r-----  1 root wheel    76761 Feb 23 21:26 emerging-attack_response.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-botcc_portgrouped.rules
-rw-r-----  1 root wheel     7585 Feb 23 21:26 emerging-chat.rules
-rw-r-----  1 root wheel    14168 Feb 23 21:26 emerging-coinminer.rules
-rw-r-----  1 root wheel     9020 Feb 23 21:26 emerging-current_events.rules
-rw-r-----  1 root wheel    47191 Feb 23 21:26 emerging-deleted.rules
-rw-r-----  1 root wheel     9497 Feb 23 21:26 emerging-dns.rules
-rw-r-----  1 root wheel    12140 Feb 23 21:26 emerging-dos.rules
-rw-r-----  1 root wheel   292139 Feb 23 21:26 emerging-exploit.rules
-rw-r-----  1 root wheel   428329 Feb 23 21:26 emerging-exploit_kit.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-ftp.rules
-rw-r-----  1 root wheel     6959 Feb 23 21:26 emerging-games.rules
-rw-r-----  1 root wheel   116749 Feb 23 21:26 emerging-hunting.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-icmp.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-icmp_info.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-imap.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-inappropriate.rules
-rw-r-----  1 root wheel  2184956 Feb 23 21:26 emerging-info.rules
-rw-r-----  1 root wheel     3184 Feb 23 21:26 emerging-ja3.rules
-rw-r-----  1 root wheel  7370281 Feb 23 21:26 emerging-malware.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-misc.rules
-rw-r-----  1 root wheel   627407 Feb 23 21:26 emerging-mobile_malware.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-netbios.rules
-rw-r-----  1 root wheel    16148 Feb 23 21:26 emerging-p2p.rules
-rw-r-----  1 root wheel   779135 Feb 23 21:26 emerging-phishing.rules
-rw-r-----  1 root wheel   430212 Feb 23 21:26 emerging-policy.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-pop3.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-rpc.rules
-rw-r-----  1 root wheel     4724 Feb 23 21:26 emerging-scada.rules
-rw-r-----  1 root wheel    33564 Feb 23 21:26 emerging-scan.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-shellcode.rules
-rw-r-----  1 root wheel     2937 Feb 23 21:26 emerging-smtp.rules
-rw-r-----  1 root wheel     3673 Feb 23 21:26 emerging-snmp.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-sql.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-telnet.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 emerging-tftp.rules
-rw-r-----  1 root wheel    29580 Feb 23 21:26 emerging-user_agents.rules
-rw-r-----  1 root wheel     4331 Feb 23 21:26 emerging-voip.rules
-rw-r-----  1 root wheel    46370 Feb 23 21:26 emerging-web_client.rules
-rw-r-----  1 root wheel    40707 Feb 23 21:26 emerging-web_server.rules
-rw-r-----  1 root wheel   229317 Feb 23 21:26 emerging-web_specific_apps.rules
-rw-r-----  1 root wheel     5706 Feb 23 21:26 emerging-worm.rules
-rw-r-----  1 root wheel    21290 Feb 23 21:26 threatview_CS_c2.rules
-rw-r-----  1 root wheel       57 Feb 23 21:26 tor.rules
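A quick way to find every ruleset in this state, as an added example that is not from the thread: a 57-byte file holds only the `#@opnsense_download_hash:` header and no rule lines, so counting non-comment, non-blank lines per file flags the empty ones regardless of size. The rule directory path is the one quoted above; the two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense.
# Reports Suricata rule files that carry no active rules, i.e. only the
# OPNsense download-hash header (the 57-byte files in the post above).

# Assumed default location, as quoted in the first post; override with RULES_DIR.
RULES_DIR="${RULES_DIR:-/usr/local/etc/suricata/opnsense.rules}"

# count_active_rules FILE -> number of lines that are neither blank nor comments
count_active_rules() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# list_empty_rulesets DIR -> names of *.rules files in DIR with zero active rules
list_empty_rulesets() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        if [ "$(count_active_rules "$f")" -eq 0 ]; then
            basename "$f"
        fi
    done
}

# Constructed sample directory mirroring the situation described in the post:
# dshield.rules is header-only (57 bytes, no trailing newline), drop.rules has one rule.
demo_dir="$(mktemp -d)"
printf '%s' '#@opnsense_download_hash:f4094b88f662f07551c66c5ae72c6fbf' > "$demo_dir/dshield.rules"
printf '%s\n%s\n' \
    '#@opnsense_download_hash:00000000000000000000000000000000' \
    'alert ip [192.0.2.1] any -> $HOME_NET any (msg:"constructed sample"; sid:1; rev:1;)' \
    > "$demo_dir/drop.rules"

# Prints "dshield.rules" for the sample; run against "$RULES_DIR" on the firewall.
list_empty_rulesets "$demo_dir"
```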

ET Pro Telemetry is a paid license, do you have a valid token issued?

You can install the plugin, download the rulesets, but if you don't have a valid subscription token you won't get very far.
HW: Protectli V1410 - Intel N5105 - 8 GB - 500 GB SSD - Inline IPS - pFsense 
HW: Protectli VP6630 - Intel i3-1215U - 64 GB - 1 TB SD - Outside firewall - OPNsense - Zenarmor Free - IPS
HW: Protectli VP6650 - Intel i5-1235U - 32 GB - 1 TB SSD - Inside firewall - OPNsense - Zenarmor Home - IDS

Quote from: Deathmage85 on February 24, 2025, 01:42:11 AM
ET Pro Telemetry is a paid license, do you have a valid token issued?

You can install the plugin, download the rulesets, but if you don't have a valid subscription token you won't get very far.
Yes, I have a valid token.
And 3COREsec is not part of ET.

As a word of caution, please make sure you have a backup of your firewall and a management interface defined before messing around with Suricata in CLI.

A few weeks ago, my own Suricata stopped pulling down rulesets. Thankfully, I was paranoid and took backups daily. When I went to fix it via CLI, it nuked the Suricata IPS config file, and then the firewall locked me out. Ultimately, I had to reinstall and recover. It only took me about 25 minutes, but still.

Side of the edge of caution if you mess around in CLI against Suricata's rulesets.

Quote from: Deathmage85 on February 26, 2025, 07:10:39 PM
As a word of caution, please make sure you have a backup of your firewall and a management interface defined before messing around with Suricata in CLI.

A few weeks ago, my own Suricata stopped pulling down rulesets. Thankfully, I was paranoid and took backups daily. When I went to fix it via CLI, it nuked the Suricata IPS config file, and then the firewall locked me out. Ultimately, I had to reinstall and recover. It only took me about 25 minutes, but still.

Side of the edge of caution if you mess around in CLI against Suricata's rulesets.

Thanks.
But don't worry.
I have nightly config backups and I can simply connect via console to my OPNsense and fix my mistakes without reinstalling.
In 3 years I reinstalled my OPNsense only once, because I changed hardware.

Anyway, does no one have the same issue?
Please give me some feedback, even if you don't have the issue.
Thanks.

After reading your post I checked and found the same problem: ET/compromised, dshield, drop, and I can't remember what others were not there.
I tried reinstalling the plugin and downloading the ET Pro Telemetry again to no avail. It also made me wonder, when you have the Pro installed, why the plugins offer the option to download the Open to run alongside the Pro. If all the rulesets were in the Pro, why would you need to have the Open alongside it?


Quote from: RayonRa on February 23, 2025, 10:07:07 PM
Hi,
I use ET Pro Telemetry.
Looking around, I didn't see any logs from Dshield and 3coresec.

3coresec recently discontinued the Blacklist from which their ET Open ruleset was built. As such we have discontinued offering that for download.

The other open source sets included in ET Open are functioning normally:

https://rules.emergingthreatspro.com/open/suricata-7.0.3/rules/drop.rules
https://rules.emergingthreatspro.com/open/suricata-7.0.3/rules/dshield.rules
https://rules.emergingthreatspro.com/open/suricata-7.0.3/rules/compromised-ips.txt



Quote from: corran22 on March 03, 2025, 10:33:41 PM
3coresec recently discontinued the Blacklist from which their ET Open ruleset was built. As such we have discontinued offering that for download.

The other open source sets included in ET Open are functioning normally:

https://rules.emergingthreatspro.com/open/suricata-7.0.3/rules/drop.rules
https://rules.emergingthreatspro.com/open/suricata-7.0.3/rules/dshield.rules
https://rules.emergingthreatspro.com/open/suricata-7.0.3/rules/compromised-ips.txt


Oh, bad news from 3coresec. :(

About this issue.
With ETPro enabled a lot of rulesets are empty (all the rulesets that are 57 bytes big in my first post),
including the rulesets that work just fine on ET Open (as you said):
-rw-r-----  1 root wheel       57 Mar  4 00:00 compromised.rules
-rw-r-----  1 root wheel       57 Mar  4 00:00 drop.rules
-rw-r-----  1 root wheel       57 Mar  4 00:00 dshield.rules

On emergingthreats' forum:
https://community.emergingthreats.net/t/empty-rules-with-et-pro-telemetry-opnsense/2490/4