Monday, December 14, 2020

Suricata Startup Instructions

 This is a guide to the basic startup for Suricata on the pfSense. There are many in-depth settings that can be configured to best fit your individual needs, but for this guide I will only be going over the basics needed to start using Suricata. I wouldn’t recommend installing this on any system lower than an SG-3100 as it can be very memory intensive. 

Install Suricata package under “Package Manager”.
Navigate to Suricata under the “Services” tab and click on “Global Settings”.
Check the box for “Install ETOpen Emerging Threats rules” under the “Please Choose The Type Of Rules You Wish To Download” section.
Check the boxes for “Install Snort GPLv2 Community rules” and “Hide Deprecated Rules Categories” under the same section as step 3.
While in the same section, check the box for “Use a custom URL for ETOpen downloads” and on a separate window navigate to the following site:   rules.emergingthreats.net/OPEN_download_instructions.html
Copy and paste the following link from the site into the box for “ETOpen Custom Rule Download URL” on the pfSense (be aware that this link may change if Suricata is updated to a different version in the future, so always get the link from site and not this document): https://rules.emergingthreats.net/open/suricata-5.0.0/emerging.rules.tar.gz
Under the “General Settings” section towards the bottom of the page it is recommended that the time for “Remove Blocked Hosts Interval” be set to 1 hour.
Click the “Save” button at the bottom of the page.
Click on the “Updates” tab and then click “Update” under the “UPDATE YOUR RULE SET” section.
Once updated, navigate to the “Global Settings” tab and change the “Update Interval” to once a day under the “Rules Update Settings” section and click “Save” at the bottom of the page.
Navigate to the “Interfaces” tab and click “Add”.
Under “General Settings” change the “Interface” and “Description” to LAN and click “Save” at the bottom of the page.
Click on the “LAN Categories” tab and click “Select All” under the “Select the rulesets (Categories) Suricata will load at startup” section, then click “Save” at the bottom of the page.
Click on the “Interfaces” tab and click on the blue “play” type button on the interface to start Suricata on this interface.
Click the edit button on that interface and make sure the “Block Offenders” box isn’t checked under the “Alert and Block Settings”.

 I suggest monitoring the feed on the “Alerts” tab for at least a week to check for false positives before implementing it with blocking enabled. If a false positive is found click the red “x” to the right of the alert to force disable the rule and remove it from the current ruleset.