Empty rules with ET Pro Telemetry Opnsense

Hello: I am running OPNsense 25.1.2 with Suricata 7.0.8_2. I installed the ET Pro Telemetry plugin and input my token. When I selected and downloaded the rules I found that some of the rulesets were empty (ET/compromised, ET/drop, and ET/dshield for sure; I can’t remember if there were any others). I tried to redownload the rules and to remove and reinstall the ET Pro Telemetry plugin, but those rules remained empty. Has anyone else had this problem, and is there a fix for this?

Hi,
Same issue here.
OPNsense with ETPro-Telemetry and some rulesets are empty.
It seems that the issue started (for me) 2-3 weeks ago.
The empty rulesets appear like this.
Example:
/usr/local/etc/suricata/opnsense.rules/dshield.rules

#@opnsense_download_hash:5808b7725cadca60de2ba2de7b86c548

and nothing else.

You can also check my post on OPNsense forum.
https://forum.opnsense.org/index.php?topic=46015.0

Yes. I read your post on the opnsense forum and replied to it. I checked after reading your post and found the same. I had never seen that before when I was using ETPro Telemetry. I’m surprised that nobody else has chimed in on this.

Greetings all - we’ll take a look here. These open source rules are created programmatically from outside sources. We’re investigating.

1 Like

Thanks for the reply. Will be awaiting your response when you have more information.

Hi @rgonzalez ,
any news about this issue?
Thanks.
Regards.

We’re still investigating as there doesn’t seem to be anything comprehensively ‘wrong’ on our end. Can you detail the ET Open rulesets which are arriving blank?

Thanks for getting back. It’s not the ET Open rules. They are all fine. It’s the ET Pro Telemetry rulesets: ET compromised, ET drop, ET dshield for sure. I don’t remember if there were any others.

@rgonzalez, I can confirm that ET compromised, ET drop, ET dshield are empty.

1 Like

Is there any news on this issue yet?

1 Like

What version of suricata are you running? We’re not seeing where our rule curation process should push out the programmatic ET Open rules from third parties (drop.rules, dshield.rules, ciarmy.rules) in our analysis.

Suricata 7.0.8_2
I don’t think that the problem is suricata.

IMPORTANT NOTE:
I decided to try to understand the problem myself.
I used the curl command:

curl -H "Authorization: Bearer <mytoken>" https://opnsense.emergingthreats.net/api/v1/ruleset/engine/suricata/5 --output rules.tar.gz

I extracted the rules.
AND

-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 botcc.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 ciarmy.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 3,2K 19 mar 05.10 classification.config
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 compromised.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 drop.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 dshield.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-3coresec.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-activex.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 351K 19 mar 05.16 emerging-adware_pup.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x  74K 19 mar 05.16 emerging-attack_response.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-botcc_portgrouped.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 7,6K 19 mar 05.16 emerging-chat.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x  14K 19 mar 05.16 emerging-coinminer.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 9,0K 19 mar 05.16 emerging-current_events.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x  46K 19 mar 05.16 emerging-deleted.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 9,4K 19 mar 05.16 emerging-dns.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x  13K 19 mar 05.16 emerging-dos.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 489K 19 mar 05.16 emerging-exploit_kit.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 293K 19 mar 05.16 emerging-exploit.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-ftp.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 6,9K 19 mar 05.16 emerging-games.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 113K 19 mar 05.16 emerging-hunting.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-icmp_info.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-icmp.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-imap.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-inappropriate.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 2,2M 19 mar 05.16 emerging-info.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 3,3K 19 mar 05.16 emerging-ja3.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 6,9M 19 mar 05.16 emerging-malware.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-misc.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 612K 19 mar 05.16 emerging-mobile_malware.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-netbios.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x  16K 19 mar 05.16 emerging-p2p.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 581K 19 mar 05.16 emerging-phishing.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 419K 19 mar 05.16 emerging-policy.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-pop3.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-rpc.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 4,8K 19 mar 05.16 emerging-scada.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-scada_special.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x  33K 19 mar 05.16 emerging-scan.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-shellcode.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 3,0K 19 mar 05.16 emerging-smtp.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 4,7K 19 mar 05.16 emerging-snmp.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-sql.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-telnet.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 emerging-tftp.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x  30K 19 mar 05.16 emerging-user_agents.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 4,4K 19 mar 05.16 emerging-voip.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x  43K 19 mar 05.16 emerging-web_client.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x  40K 19 mar 05.16 emerging-web_server.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 225K 19 mar 05.16 emerging-web_specific_apps.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 5,7K 19 mar 05.16 emerging-worm.rules
-rw-r--r-- 1 l0rdg3x l0rdg3x 173K 19 mar 05.16 telemetry_sids.txt
-rw-r--r-- 1 l0rdg3x l0rdg3x    0 19 mar 05.16 tor.rules

AND
ET compromised, ET drop, ET dshield are completely empty.
So please fix.
The rules are empty already in the tar.gz on your server.
Thanks!

PS:
@Freewheelin if you can do the same test, please. Thanks!

Also other rules are empty. Need to compare with ET Open.

I’m running opnsense 25.1.3 and suricata 7.0.8_2.
I did the same test and got exactly the same output from the extracted rules as you, with the same empty rulesets.

1 Like

Hello all,

I’m a member of the team that handles delivery of the ET Telemetry ruleset. The empty files have been a part of the ET Telemetry ruleset for quite a while, and are a result of the curation process. The current curation process creates a file for every possible category, but during curation it is likely that some categories remain empty.

To verify this, I looked at archived Telemetry rulesets going back at least one year, and I see similar empty rule files. So this is not a new phenomenon. I can understand how, as an end user, this seems strange or problematic, but this is not an error/problem with the ruleset.

So why would those rulesets remain empty in ET Pro Telemetry, yet the categories still exist, when they are available in ET Open? It doesn’t make sense to me.

1 Like

In this case on OPNsense (and probably on all platforms), all the empty rulesets of ETPro Telemetry overwrite the ET Open rulesets, resulting in empty rulesets. Which is worse than having only ET Open.
Seriously, this doesn’t make any sense.

In this case, delete the ETPro version of those empty rulesets in the OPNsense plugin, so OPNsense downloads the ETOpen version.

Or (maybe better) copy the content of ETOpen into these ETPro rulesets?!?

Thanks

RayonRa: In plugins you can install os-intrusion-detection-content-et-open (DS Proofpoint full ET open ruleset, complementary subset for ET Pro Telemetry edition) on top of ET Pro Telemetry to get the ET Open rules back and use them for the ones that are empty in ET Pro. Not the best solution, but that is what I did. They must have known some of the rulesets are empty, or why else would they include an ET Open complementary subset for ET Pro?

1 Like

And for someone who can’t or doesn’t know how to check whether a ruleset is empty or not (via SSH, for example):
how can they choose an ETOpen ruleset over the ETPro one?

You will see both sets in the intrusion detection downloads. Choose the ET Pro sets that you want to use, which you know have rules in them, and then choose the ET Open sets that are missing from Pro, such as compromised and drop, e.g.
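As an added example (not from this thread, OPNsense or Proofpoint), a Python check for the situation discussed here: it reports downloaded rule files that hold nothing but the #@opnsense_download_hash: header, and which of those would shadow a populated ET Open file of the same name. The two-directory layout, the basename matching and the sample rule contents are constructed assumptions, not the real ET rulesets.

```python
import re
import tempfile
from pathlib import Path

# A Suricata rule line begins with an action keyword; a leading '#' marks it disabled.
_RULE_RE = re.compile(r"^\s*(#\s*)?(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+\S")
_HASH_TAG = "#@opnsense_download_hash:"  # header OPNsense prepends to each downloaded file


def classify(path):
    """Return (active, disabled) rule counts; the hash header and comments are not rules."""
    active = disabled = 0
    for line in Path(path).read_text(errors="replace").splitlines():
        if line.startswith(_HASH_TAG):
            continue
        m = _RULE_RE.match(line)
        if m and m.group(1):
            disabled += 1
        elif m:
            active += 1
    return active, disabled


def empty_rulesets(rules_dir):
    """Sorted names of *.rules files under rules_dir that contain no rule at all."""
    return sorted(p.name for p in Path(rules_dir).glob("*.rules") if classify(p) == (0, 0))


def shadowed_by_empty(pro_dir, open_dir):
    """Empty ET Pro files whose same-named ET Open file carries rules (assumed tarball basenames)."""
    return [n for n in empty_rulesets(pro_dir)
            if (Path(open_dir) / n).is_file() and sum(classify(Path(open_dir) / n)) > 0]


def build_sample():
    """Constructed directories mirroring the thread's report (not real ET rule content)."""
    root = Path(tempfile.mkdtemp())
    pro, etopen = root / "etpro", root / "etopen"
    for d in (pro, etopen):
        d.mkdir()
    hash_only = _HASH_TAG + "5808b7725cadca60de2ba2de7b86c548\n"
    for name in ("drop.rules", "dshield.rules", "compromised.rules"):
        (pro / name).write_text(hash_only)  # header only, exactly as seen in the thread
    (pro / "emerging-dns.rules").write_text(
        hash_only + 'alert dns any any -> any any (msg:"constructed"; sid:1; rev:1;)\n'
        '# alert dns any any -> any any (msg:"constructed disabled"; sid:2; rev:1;)\n')
    (etopen / "dshield.rules").write_text(
        'alert ip 192.0.2.0/24 any -> $HOME_NET any (msg:"constructed dshield"; sid:3; rev:1;)\n')
    return pro, etopen


if __name__ == "__main__":
    pro, etopen = build_sample()
    print("empty in ET Pro:", empty_rulesets(pro))
    print("empty in ET Pro but populated in ET Open:", shadowed_by_empty(pro, etopen))
```

On a real box, point empty_rulesets at /usr/local/etc/suricata/opnsense.rules instead of the constructed sample.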

Yeah, I know because I see over SSH which rulesets are empty.
How about people who don’t know that?
I’m looking for a solution for everyone, not only for me.
Thanks.

1 Like