@ -148,7 +148,7 @@ ET Pro Telemetry edition.
This paragraph describes the attributes from the
`eve.json <https://suricata.readthedocs.io/en/suricata-4.1.0/output/eve/eve-json-format.html>`__ log file
that are collected to improve threat detection.
that are collected to improve threat detection and the sensor health data to evaluate if the data is usable.
An example of an event is detailed below.
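Review bot: the rewritten line in this hunk ("that are collected to improve threat detection and the sensor health data to evaluate if the data is usable.") is hard to parse, because "the sensor health data" reads as a second object of "improve"; suggest "that are collected to improve threat detection, and the sensor health data that is collected to evaluate whether the telemetry is usable." Separately, the `eve.json` reference in the context line points at the suricata-4.1.0 documentation; consider linking the `latest` version of the same page so the link does not go stale when the bundled Suricata version changes.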
@ -209,3 +209,38 @@ app_proto Application protocol (if known)
The plugin comes with a small script to print eve output yourself, it's called **dump_data.py**, when used with the **-p**
parameter, it will output the data as it will be sent to Proofpoint.
All script code can be found in the following directory */usr/local/opnsense/scripts/ids_telemetry/*
Sensor health status collected and send as keep-alive:
=======================================================================================================================
======================================== ===========================================================================================
Unique Sensor ID Unique sensor identification, helps identifying messages from the same system,
without knowing who is the operator.
OPNSense Version Current installed software version. This will help both for troubleshooting purposes
(if a bad update is pushed and Proofpoint notices that deployments running version
X have an issue) as well for planning, to understand how new features and
functionality would be adopted.
Suricata Version Suricata version installed.
Suricata status Reports if the sensor is active, when not active, no detection/telemetry can be provided.
System Time If the system time is not correct, it will impact the timestamps of messages,
so knowing what time the system thinks it has will help reconcile the actual time.
Active Ruleset Version The active ruleset version should match what is published.
If sensors do not have the active version then they either haven’t configured
scheduled updates or there is another issue.
This will help Proofpoint to identify if there are widespread issues with updates.
Number of rules enabled Helps to gain a better understanding about the number of rules people use on top of
the ones provided by Proofpoint.
Number of ETPro Telemetry Rules enabled Because users can control what rules they enable,
they may not want to enable all ETPro Telemetry rules,
if this is the case it would help Proofpoint understand how the rules are being
leveraged so they can better write / tune rules
Mode (IDS or IPS) This is helpful to understand how the system is deployed and is useful to
development purposes to determine what rules we should be focusing on based
on how our customers are using them.
Suricata Log Stats For QA purposes, some fields with general stats are collected
from /var/log/suricata/stats.log (capture.kernel_packets, decoder.pkts, decoder.bytes,
decoder.ipv4, decoder.ipv6, flow.tcp, flow.udp, detect.alert)
======================================== ===========================================================================================
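Review bot: the sensor health table's top border is a single unbroken run of `=` whose length differs from the column-separator line and the closing border (`======================================== ===...`); in an RST simple table all three border lines must mark the same column boundaries, so make the top line identical to the closing one, otherwise docutils will refuse to render the table. Wording fixes in the same hunk: "collected and send as keep-alive" should read "sent"; "useful to development purposes" should read "useful for development purposes"; "OPNSense Version" should use the project's own spelling "OPNsense"; the "Number of ETPro Telemetry Rules enabled" cell ends without a period after "write / tune rules". The dump_data.py paragraph is one long comma-spliced sentence; split it, and since the script directory and the `-p` flag are both given here, show the command as an operator would type it, e.g. `/usr/local/opnsense/scripts/ids_telemetry/dump_data.py -p`, so readers can verify for themselves what leaves the sensor. Finally, the "Unique Sensor ID" row asserts that messages can be correlated "without knowing who is the operator" but does not say how the ID is generated; stating whether it is a random value created at install time or derived from hardware identifiers would let operators judge that privacy claim before enabling telemetry.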