pfSense integration with Suricata
Suricata
Suricata is also an open source software for network intrusion detection (Intrusion Detection System (IDS) and Intrusion Prevention Systems (IPS). It is an alternative to Snort and is being developed by the community as an open source project.
Like Snort, Suricata analyzes network traffic by applying a set of rules to it to identify suspicious or malicious activity. However, Suricata also offers a number of additional features and capabilities such as multi-threading support, a wider range of protocols including IPv6, HTTP, SSL, and the ability to operate in IPS mode where it can block attacks in real-time.
Suricata is widely used in various network security scenarios for intrusion detection and prevention, network defense, and information assurance.
Install Suricata in pfSense
To install Suricata, open the pfSense web interface and go to System
–> Package Manager
–> Available Packages
.
In the search bar, type Suricata
.
And click Install
, wait for the installation process to finish
Now go to Services
–> Suricata
.
Configuring Suricata
First, customize the global settings by selecting `Global Settings'
Install ETOpen Emerging Threats rules
- Check the box ETOpen is a free open source set of Suricata rules whose coverage is more limited than ETPro.
.
Install Snort rules
- Check the boxes for Snort free Registered User or paid Subscriber rules
and for Use a custom URL for Snort rule downloads
if you plan to use alternative sources for Snort rule downloads.
- If you plan to use an alternate mirror, then you must also fill in
Snort Rules Custom Download URL
,Snort Rules Filename
,Snort Oinkmaster Code
.
Install Snort GPLv2 Community rules
- check the box for The Snort Community Ruleset is a GPLv2 Talos-certified ruleset that is distributed free of charge without any Snort Subscriber License restrictions.
and for Use a custom URL for Snort GPLv2 rule downloads
if you plan to use alternative sources to download Snort rules.
- If you plan to use an alternate mirror, then you must also fill in
Snort GPLv2 Custom Rule Download URL
.
Install Feodo Tracker Botnet C2 IP rules
- check the box.
Rules Update Settings
- set Update Interval
equal to 1 DAY
and time as you wish.
Click Save
.
Then go to Interfaces
and create an interface for the sensor, the settings are at your discretion.
If you need a mirror for Snort rules, you can use for example this mirror .