Frequently Asked Question ETPRO Telemetry Edition
Is your question not in the list below?
Send us an email at firstname.lastname@example.org
What do I need to do to get access to ETPro Telemetry Edition?
- You simply need to be running OPNsense 19.1 or above, and signup on https://shop.opnsense.com for ETPro Telemetry Edition. You will be granted an authorization code which is used in the Intrusion Detection Plugin to authorize downloads of ETPro Telemetry Edition, and to activate Telemetry.
Why should I participate in the Telemetry Edition?
- By providing anonymized feedback, Proofpoint will be able to not only identify new malicious actors and activity, but they will also be able to better maintain a high quality ruleset, and introduce new features to better identify malicious activity with higher efficacy.
What information is exchanged in the Telemetry Edition?
- When the Telemetry Edition is activated with a valid authorization token, the system will check in every 30 minutes with a heartbeat. The heartbeat will include a telemetry package, securely exchanged of the telemetry data. The Telemetry data is an anonymized subset of the Suricata IDS event logs, which only identifies the “attackers”. All other fields are stripped out on your OPNsense appliance or randomized.
- The OPNsense Appliance will also connect to Proofpoint for the ETPro Telemetry Edition rule updates, using the UUID to authenticate the download.
Will Proofpoint know my identity?
- When you register for enrollment with OPNsense, a UUID is generated for your organization and for each sensor. Your identity information is not sent to Proofpoint.
What do I need to remain in good standing in the Telemetry Edition?
- In order for Proofpoint to offer the Telemetry Edition at no charge, you are required to have your sensor in production monitoring real traffic. If your sensor does not report telemetry logs back for a period of time, the sensor will be put into a warning state. If the sensor continues to fail to report any logs, then the Telemetry feedback will be disabled and the sensor will be reverted to ETOpen. You will need to re-register the sensor for it to receive a new key to start to rejoin the Telemetry Edition.
What’s the difference between ETPro,ETPro Telemetry Edition, and ETOpen?
- ETPro Telemetry Edition is a tuned version of the ETPro ruleset. The rules are selected based upon priority, FP likelihood, and pervasiveness of the network activity that they match on.
- The difference between ETPro and ETOpen is based upon the source of the rules. If a rule is contributed from the community it goes into ETOpen. If it is written by Proofpoint based on public research, it will go into ETOpen. If it is based on Proofpoint intellectual property and processes and written by Proofpoint it will go into ETPro. Each day there is a ratio of between 5-10:1 ETPro to ETOpen signatures.
- All signatures go through the same QA process regardless of which ruleset they go to and regardless of where they originate. This is a rigorous process which relies on both manual and automated testing, and is manually reviewed by a threat researcher before it is put into production.
Can I run other IDS rulesets concurrently with ETPro Telemetry Edition?
- Yes, the telemetry functionality is only interested in signatures in the ETPro SID ranges.
Can I tune my sensor with the Telemetry Edition?
- Yes you can leverage the functionality within OPNsense to tune the rules you want enabled and the action you want taken.
What if I don’t want to participate in the Telemetry Edition?
- The Telemetry Edition is an opt-in offering which is off by default and requires manual user intervention to enable. By default, OPNSense uses the ETOpen ruleset. This is free and has no telemetry or other call backs to Proofpoint. In the future, you will also be able to purchase a full ETPro license through Deciso / OPNsense which will not require Telemetry to be sent.