Frequently Asked Questions ETPRO
Is your question not in the list below?
Send us an email at email@example.com
How is ETPro licensed, how many do I need?
- ETPro requires that one license be purchased for each instance of Suricata or Snort, be it a physical, virtual, or containerized instance, regardless of the size of a sensor.
- The license is an annual license which includes email product support.
I’m an MSSP or OEM who wishes to leverage ETPro in a product or service for my customers, can I use the standard Enterprise license?
- No, there is a separate license for MSSP and OEM use cases where ETPro is being used in products and/or services that are not for the contracted party.
- Please contact firstname.lastname@example.org for information on procuring a non-Enterprise license.
Can I purchase ETPro from OPNsense but use it in my own Snort/Suricata build or in another product?
- Yes, you can use ETPro in OPNsense, your own Snort/Suricata build or in other platforms that support Snort/Suricata.
Can I use the same OINK code for multiple sensors?
- By default, we prefer to reuse the same OINK code for multiple sensors. This happens automatically for renewals, but you are given the option to reuse the same OINK code when adding additional licenses mid-year.
If I need to deploy additional sensors later in the year, can I add additional licenses? Will it use the same code?
- Yes, you can add additional licenses. If you are adding licenses, we will co-terminate them with the existing licenses you are adding to, so that you can use the same OINK code and renewal the following year is simpler.
I’ve previously purchased ETPro through a different vendor, can I renew or buy more through OPNsense?
- Yes, so long as your order was processed by Proofpoint you can renew or purchase additional licenses from OPNsense. You will need to provide some additional information for your first purchase.
What’s the difference between the ETPro Ruleset and the Telemetry Edition?
- The ETPro Telemetry Edition is free and contains a tuned copy of the ETPro ruleset, but also requires you to provide attacker Telemetry via the OPNsense Plugin.
- The ETPro Ruleset provides the full ETPro ruleset with all rules (tuned and untuned) and does not have any requirement or functionality to provide telemetry.
Do I need to license Snort or Suricata separately?
- No, the license is the same for Snort or Suricata, you simply need to make sure you have the correct number of licenses. For instance, if you have one instance of Snort and one instance of Suricata you would need 2 licenses, two instances of Snort would be two licenses, four instances of Suricata and one instance of Snort would be 5 licenses etc.
What’s the difference between ETOpen and ETPro?
- ETOpen and ETPro go through the exact same QA process; the only difference is how the rules are curated.
- If a member of the community submits a signature and it is accepted, we will put it into ETOpen and credit the researcher.
- If a member of the community produces some research for which Proofpoint creates a signature based on the research, we will credit/reference the research and put it into ETOpen.
- If Proofpoint creates a signature based on our own research, it will go into ETPro.
- Today there’s about a 5:1 ratio of rules being created for ETPro vs. ETOpen.
Do signatures get transferred from ETPro to ETOpen?
- No, we do not automatically transfer rules from ETPro to ETOpen. We only transfer rules from ETPro to ETOpen if a member of the community submits a new/unique signature for the same activity, in which case we may convert the rule to ETOpen.
How do I get support or report issues for ETPro?
- You can submit a support request to email@example.com or submit feedback to https://feedback.emergingthreats.net
How frequently are rules published?
- Rules are typically published once a day during the week, excluding US holidays. Occasionally multiple updates may be pushed.
How can I request a signature be written?
- You can submit a new signature request to firstname.lastname@example.org or submit to https://feedback.emergingthreats.net
Does Proofpoint receive my payment information?
- No, in the case that you purchase ETPro through OPNsense, Proofpoint does not receive your payment information. Proofpoint does receive your contact and entitlement information so they can fulfill the purchase request, but they do not receive your payment information.
Are the rules documented?
- For information about downloading the rules, you can go to: https://rules.emergingthreatspro.com/PRO_download_instructions.html
- Each rule has metadata in the rule to provide some guidance on its use.
- The SID-Description.json.gz file in the download directory includes both tags and long-form descriptions where available.
How do I know when a new version of the ruleset is published?
- You can sign up for the ET mailing list at https://lists.emergingthreats.net/mailman/listinfo/ and you will receive an email for each day's updates.
- You can monitor the Version file which is incremented each time the ruleset is updated: https://rules.emergingthreatspro.com/version.txt
- You can also view the changelog of your version of the ruleset here: https://rules.emergingthreatspro.com/changelogs/
Is there a difference between the rules that are in the Snort or Suricata versions of the ruleset?
- For the most part rules are supported in both Snort and Suricata. On rare occasions Snort does not support certain techniques needed to match patterns, in which case those rules are not supported in Snort, but these are very rare.
- Most of the time the rules are identical across versions, but with enhancements to the engines, there may be performance enhancements that are available in the newer versions.
Does Proofpoint publish a delta of the ruleset or the full ruleset?
- Given the small compressed size of the ruleset, we only publish the full ruleset and not a delta. For the delta, you can run a DIFF between the two versions or monitor the changelogs which are published daily.
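
The delta described above can be computed per SID rather than per text line, which also surfaces rules that were enabled, disabled, or edited without a rev bump. This is an added example, not Proofpoint or OPNsense code; it assumes one rule per line and that disabled rules ship commented out with `#`, and the function names and sample rules are constructed for illustration.

```python
import re

# Rule lines, active or shipped disabled (commented out with a leading '#').
RULE_RE = re.compile(r'^\s*(#\s*)?(alert|drop|reject|pass)\s.+\(.*\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')

def index_rules(text):
    """Map sid -> (rev, enabled, rule text without the comment marker)."""
    rules = {}
    for line in text.splitlines():
        m, sid = RULE_RE.match(line), SID_RE.search(line)
        if not m or not sid:
            continue  # header comment, blank line, or not a rule
        rev = REV_RE.search(line)
        body = line.strip().lstrip('#').strip()
        rules[int(sid.group(1))] = (int(rev.group(1)) if rev else 0, m.group(1) is None, body)
    return rules

def ruleset_delta(old_text, new_text):
    """Compare two full rulesets by SID instead of by raw text line."""
    old, new = index_rules(old_text), index_rules(new_text)
    delta = {"added": sorted(new.keys() - old.keys()),
             "removed": sorted(old.keys() - new.keys()),
             "rev_changed": [], "toggled": [], "edited_same_rev": []}
    for sid in sorted(old.keys() & new.keys()):
        (orev, oen, obody), (nrev, nen, nbody) = old[sid], new[sid]
        if orev != nrev:
            delta["rev_changed"].append((sid, orev, nrev))
        elif obody != nbody:
            delta["edited_same_rev"].append(sid)  # content changed, rev did not
        if oen != nen:
            delta["toggled"].append((sid, nen))   # True = now enabled
    return delta

# Constructed sample rules (SIDs, messages and contents are made up).
OLD = '''# constructed ruleset, previous version
alert http any any -> any any (msg:"EXAMPLE rule A"; content:"/a"; sid:1000001; rev:1;)
alert dns any any -> any any (msg:"EXAMPLE rule B"; content:"b"; sid:1000002; rev:2;)
#alert tcp any any -> any any (msg:"EXAMPLE rule C"; content:"c"; sid:1000003; rev:1;)
'''
NEW = '''# constructed ruleset, current version
alert http any any -> any any (msg:"EXAMPLE rule A"; content:"/a2"; sid:1000001; rev:2;)
alert tcp any any -> any any (msg:"EXAMPLE rule C"; content:"c"; sid:1000003; rev:1;)
alert tls any any -> any any (msg:"EXAMPLE rule D"; content:"d"; sid:1000004; rev:1;)
'''

if __name__ == "__main__":
    for kind, items in ruleset_delta(OLD, NEW).items():
        print(kind, items)
```

A removed or newly disabled SID is worth reviewing before deploying the update, since detection coverage for that activity changes on the sensor.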
How many licenses do I need for high availability?
- Even if you are using Active/Passive HA, you still need a license per instance, so a two node HA cluster would require 2 licenses.
Is the ET Intelligence Reputation List Available online?
- ET Intelligence is not yet available online, but you can contact email@example.com to purchase ET Intelligence.