pfSense integration with Suricata
Suricata is an open-source software for network intrusion detection (Intrusion Detection System (IDS) and Intrusion Prevention Systems (IPS)). It is an alternative to Snort and is being developed by the community as an open-source project.
Like Snort, Suricata analyzes network traffic by applying a set of rules to it to identify suspicious or malicious activity. However, Suricata also offers several additional features and capabilities such as multi-threading support, a wider range of protocols including IPv6, HTTP, and SSL, and the ability to operate in IPS mode where it can block attacks in real-time.
Suricata is widely used in various network security scenarios for intrusion detection and prevention, network defense, and information assurance.
Install Suricata in pfSense
- To install Suricata, open the pfSense web interface and go to “System –> Package Manager –> Available Packages”. Enter “Suricata” in the search bar (see Figure 1).
Figure 1. Installing Suricata
Click Install and wait for the installation process to complete (see Figure 2).
Figure 2. Suricata installation
Now go to Services –> Suricata.
Configuring Suricata
To customize the settings, navigate to Services -> Suricata. Select Global Settings and configure all settings as follows:
- Install ETOpen Emerging Threats rules - check the box. ETOpen is a free, open-source set of Suricata rules whose coverage is more limited than that of ETPro.
- Install Snort rules - check the box for either the free Snort Registered User rules or the paid Subscriber rules, and check Use a custom URL for Snort rule downloads if the user plans to download the Snort rules from an alternative source.
- If the user plans to use an alternate mirror, then they must also fill in Snort Rules Custom Download URL, Snort Rules Filename, and Snort Oinkmaster Code.
- Install Snort GPLv2 Community rules - check the box. The Snort Community Ruleset is a GPLv2 Talos-certified ruleset that is distributed free of charge without any Snort Subscriber License restrictions. Also check Use a custom URL for Snort GPLv2 rule downloads if the user plans to download these rules from an alternative source.
- If the user plans to use an alternate mirror, then they must also fill in Snort GPLv2 Custom Rule Download URL.
- Install Feodo Tracker Botnet C2 IP rules - check the box.
- Rules Update Settings - set Update Interval to 1 DAY and choose the update start time as the user wishes.
After that, the user needs to click Save.
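Once the rule sources above are enabled and a daily update interval is set, it is worth knowing what the downloaded rulesets actually contain. The script below is an added example, not part of this guide or of the pfSense Suricata package: it parses constructed sample lines in Suricata rule syntax (not real ETOpen or Snort content), reports the enabled rules by action and classtype, and lists SIDs that collide across rules, a common problem when several rulesets are combined.

```python
import re
from collections import Counter

# Constructed sample in Suricata rule syntax (not real ETOpen/Snort content);
# the second rule is commented out, as a disabled rule appears in a downloaded file.
SAMPLE_RULES = """\
# ET-style header comment
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE HTTP policy"; classtype:policy-violation; sid:9000001; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH scan"; classtype:attempted-recon; sid:9000002; rev:1;)
alert ip $HOME_NET any -> [203.0.113.10,203.0.113.11] any (msg:"EXAMPLE C2 IP"; classtype:trojan-activity; sid:9000003; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB"; classtype:attempted-admin; sid:9000004; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"EXAMPLE DNS"; classtype:bad-unknown; sid:9000001; rev:1;)
"""

# Rule header: optional '#' (disabled), action, protocol, src, sport, direction, dst, dport, "(options)".
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Options: key:"quoted value"; or key:bare; (keywords without a value are skipped).
OPT_RE = re.compile(r'(\w+):\s*(?:"([^"]*)"|([^;]*));')

def parse_rules(text):
    """Parse rule lines into dicts; commented-out rules are kept but flagged disabled."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and ordinary comments
        opts = {k: q if q else b.strip() for k, q, b in OPT_RE.findall(m.group("opts"))}
        rules.append({
            "enabled": m.group("disabled") is None,
            "action": m.group("action"),
            "sid": int(opts.get("sid", 0)),
            "msg": opts.get("msg", ""),
            "classtype": opts.get("classtype", "unclassified"),
        })
    return rules

def summarize(rules):
    """Figures worth checking after a scheduled update: what is active, and SIDs shared by several rules."""
    active = [r for r in rules if r["enabled"]]
    sid_counts = Counter(r["sid"] for r in rules)
    return {
        "total": len(rules),
        "enabled": len(active),
        "by_action": dict(Counter(r["action"] for r in active)),
        "by_classtype": dict(Counter(r["classtype"] for r in active)),
        "duplicate_sids": sorted(s for s, n in sid_counts.items() if n > 1),
    }
```

Point `parse_rules` at the contents of a real `.rules` file to get the same summary for an actual download.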
The next step is to go to Interfaces and create the sensor. The settings can be set at the user’s discretion.
If users need a mirror for the Snort rules, they can use it.