Netgate Discussion Forum
    Two different Firewalls/Two different lists of ET Open rulesets

    IDS/IPS
    10 Posts 4 Posters 1.3k Views
    • B
      bhjitsense
      last edited by bhjitsense

      I manage two firewalls in different locations. They both have Suricata running on them with the ET Open Rules enabled for download. However, between the two I see different ET Open rulesets available under Interfaces > WAN Categories > ET Open Rules. For example, I see emerging-adware_pup.rules and emerging-coinminer.rules available to enable on one firewall, but not the other. I updated Suricata to the latest version, forced a download of the rules, and disabled/re-enabled the ET Open option. But I can't seem to get the lists to match. Any ideas?

      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        And what version of pfSense are you running? I see a difference between version 4 and version 5 of Suricata.

        So those rules are not listed for 4:
        https://rules.emergingthreats.net/open/suricata-4.0/rules/

        But they are on 5:
        https://rules.emergingthreats.net/open/suricata-5.0/rules/

        https://forum.netgate.com/topic/151045/suricata-4-1-7-package-update-release-notes

        You can see from that that pfSense 2.4.4 will be on the 4.x version of Suricata, while 2.4.5 and higher will be on version 5. So that would explain your difference.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • B
          bhjitsense
          last edited by

          @johnpoz Yes, one is running 2.4.5, and the one missing some rules is running 2.4.4. However, they both are running Suricata 5.0.2_2

          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            Well, I don't have a 2.4.4 to test with currently... Guess I could fire one up virtually.

            But let's see if @bmeeks is around - he will know for sure ;) what could be going on.

            Guess off the top of my head would be whether you updated the package, or where in the package you point for rules? Your 2.4.4 is pointing to the 4 rules, which do not have those that you listed.


            • B
              bhjitsense
              last edited by

              @johnpoz I did update the package while troubleshooting the issue. I usually try to keep them on the latest versions. Should I not have updated this to v5 while running 2.4.4?

              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                I don't really know; if it was listed as available in the package manager I would guess it would work... But bmeeks is the guy that would know for sure.

                But what I can tell you is the 4 rules don't have those, so that would explain why you don't see them if you're pulling the 4 rules.


                • bmeeksB
                  bmeeks
                  last edited by

                  There is a difference in the downloaded rules based on the version of the underlying Suricata binary. The PHP code detects the binary version and downloads the appropriate rules archive for the installed binary.

                  You need both firewalls updated to pfSense-2.4.5 BEFORE you update the Suricata package. If one firewall is still 2.4.4, then its pkg configuration will likely be pointing to the older Suricata binary.

                  If you updated the Suricata package on the 2.4.4 firewall, chances are you have a semi-corrupted installation depending on exactly when you upgraded Suricata. If you did that, I suggest completely removing the Suricata package from the 2.4.4 firewall and then upgrading to pfSense 2.4.5. After that upgrade is complete, reinstall Suricata. You won't lose any configuration data by doing those steps. Your existing configuration will be maintained.

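The two points above (johnpoz: ET Open publishes a separate rules tree per Suricata major version, and a 4.x box sees fewer categories; bmeeks: the package picks the archive from the installed binary version) can be checked from a shell on each firewall. The script below is an added example and is not code from the thread or from the pfSense Suricata package. It assumes the ET Open URL layout linked in the thread (https://rules.emergingthreats.net/open/suricata-<major>.0/) and that the archive is named emerging.rules.tar.gz; the version strings and the two category lists are constructed sample data, not output captured from the poster's firewalls.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense package):
# 1. map a Suricata binary version string to the ET Open archive that
#    version line should be pulling, and
# 2. diff the emerging-*.rules category lists from two firewalls.
# Run `suricata -V` on each box for real input; the data below is constructed.
LC_ALL=C
export LC_ALL

# Pull "major.minor" out of `suricata -V` output such as
# "This is Suricata version 5.0.2 RELEASE".
suricata_major_minor() {
    printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# ET Open ships one tree per Suricata major version line (4.0, 5.0 in the
# thread). Assumption: archive name emerging.rules.tar.gz under that tree.
et_open_url() {
    major=$(suricata_major_minor "$1" | cut -d. -f1)
    case "$major" in
        4) echo "https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz" ;;
        5) echo "https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz" ;;
        *) echo "unsupported or unparsed Suricata major version: '$major'" >&2; return 1 ;;
    esac
}

# Print the category files present on firewall B but absent on firewall A.
# Arguments are newline-separated lists, e.g. from
#   ls /usr/local/etc/suricata/rules/emerging-*.rules on each box.
missing_categories() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    printf '%s\n' "$1" | sort -u > "$a"
    printf '%s\n' "$2" | sort -u > "$b"
    comm -13 "$a" "$b"          # lines only in B
    rm -f "$a" "$b"
}

# Constructed sample data: firewall A still on the 4.x rules tree,
# firewall B on the 5.x tree (names are illustrative only).
FW_A_VERSION='This is Suricata version 4.1.7 RELEASE'
FW_B_VERSION='This is Suricata version 5.0.2 RELEASE'
FW_A_RULES='emerging-attack_response.rules
emerging-dos.rules
emerging-exploit.rules
emerging-malware.rules
emerging-trojan.rules'
FW_B_RULES='emerging-adware_pup.rules
emerging-attack_response.rules
emerging-coinminer.rules
emerging-dos.rules
emerging-exploit.rules
emerging-malware.rules
emerging-trojan.rules'

printf 'Firewall A should pull: %s\n' "$(et_open_url "$FW_A_VERSION")"
printf 'Firewall B should pull: %s\n' "$(et_open_url "$FW_B_VERSION")"
printf 'Categories present on B but not on A:\n%s\n' \
    "$(missing_categories "$FW_A_RULES" "$FW_B_RULES")"
```

If both firewalls report the same `suricata -V` (as in this thread, 5.0.2 on both) but the category lists still differ, the binary version is not what the package used when it fetched the archive; that matches the remove / upgrade pfSense / reinstall sequence bmeeks recommends rather than more forced rule downloads.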
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    Told you he would know ;)


                    • B
                      bhjitsense @bmeeks
                      last edited by

                      @bmeeks Understood. Thanks!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.