Two different Firewalls/Two different lists of ET Open rulesets

bhjitsense

I manage two firewalls in different locations. They both have Suricata running on them with the ET Open Rules enabled for download. However, between the two I see different ET Open rulesets available under Interfaces > WAN Categories > ET Open Rules. For example, I see emerging-adware_pup.rules and emerging-coinminer.rules available to enable on one firewall, but not the other. I updated Suricata to latest version, forced download of rules, and disabled/re-enabeld the ET Open option. But I can't seem to get the lists to match. Any ideas?

johnpoz

And what version of pfsense are you running.. I see difference between version 4 and version 5 of Suricata

So those rules are not listed for 4..
https://rules.emergingthreats.net/open/suricata-4.0/rules/

But they are on 5
https://rules.emergingthreats.net/open/suricata-5.0/rules/

https://forum.netgate.com/topic/151045/suricata-4-1-7-package-update-release-notes

You can see from that that version 2.4.4 will be 4.x version of Suricata while the 2.4.5 and higher will be on version 5. So that would explain your difference.

bhjitsense

@johnpoz Yes, one is running 2.4.5, and the one missing some rules is running 2.4.4. However, they both are running Suricata 5.0.2_2

johnpoz

Well I don't have a 2.4.4 to test with currently... Guess I could fire one up virtually..

But lets see if @bmeeks is around - he will know for sure ;) What could be going on..

Guess off the top of the head would be if you updated the package or if in the package where you point for rules? Your 2.4.4 is pointing to the 4 rules - which do not have those that you listed..

bhjitsense

@johnpoz I did update the package while troubleshooting the issue. I usually try to keep them on the latest versions. Should I not have updated this to v5 while running 2.4.4?

johnpoz

I don't really know, if it was listed as available in the package manager I would guess it would work... But bmeeks is the guy that would know for sure..

But what I can tell you is the 4 rules don't have those - so that would explain why you don't see them if your pulling the 4 rules..

bmeeks

There is a difference in the downloaded rules based on the version of the underlying Suricata binary. The PHP code detects the binary version and downloads the appropriate rules archive for the installed binary.

You need both firewalls updated to pfSense-2.4.5 BEFORE you update the Suricata package. If one firewall is still 2.4.4, then its pkg configuration will likely be pointing to the older Suricata binary.

If you updated the Suricata package on the 2.4.4 firewall, chances are you have a semi-corrupted installation depending on exactly when you upgraded Suricata. If you did that, I suggest completely removing the Suricata package from the 2.4.4 firewall and then upgrading to pfSense 2.4.5. After that upgrade is complete, reinstall Suricata. You won't lose any configuration data by doing those steps. Your existing configuration will be maintained.

johnpoz

Told you he would know ;)

bhjitsense

@bmeeks Understood. Thanks!

Galifatorss

This post is deleted!