Common rules for various interfaces in Suricata with Pfsense
-
Is there a way using Suricata with pfSense so that the rules applied to one interface can be used in several others without having to rewrite each rule for each interface?
Thanks in advance
-
You can clone an interface's settings over to another interface. There is an icon for cloning (same as duplicating settings) on the right side of the page on the INTERFACES tab in Suricata.
Select the interface you wish to clone, then it will open the INTERFACE SETTINGS tab where you can choose the target pfSense interface to receive the cloned Suricata settings.
-
Thanks for the answer. Really, what we want is to see how to apply the same file that contains several rules to all the configured interfaces; otherwise we have to edit the rules in each interface and copy them. We try to do it through the MGMT SID, but it gives us a warning that the file is found but the rule is not loaded. We clarify that we are not using any of the default rules that Suricata comes with; we use one called custom rules to adapt it to our environment and avoid false positives.
-
@jra9511 said in Common rules for various interfaces in Suricata with Pfsense:
Thanks for the answer. Really, what we want is to see how to apply the same file that contains several rules to all the configured interfaces; otherwise we have to edit the rules in each interface and copy them. We try to do it through the MGMT SID, but it gives us a warning that the file is found but the rule is not loaded. We clarify that we are not using any of the default rules that Suricata comes with; we use one called custom rules to adapt it to our environment and avoid false positives.
No, there is no common file. On pfSense, each configured Suricata interface has all of its files contained within a unique subdirectory underneath /usr/local/etc/suricata/. The contents of custom rules are actually stored as Base64 encoded data within the config.xml firewall configuration file and then written out to a text file in the interface's subdirectory when needed. Any changes you might make to those local files will be overwritten by the GUI code the next time any setting is modified within the GUI.
I don't know what your pfSense experience level is, but some new folks are not aware that pretty much every configuration parameter is stored in the config.xml file and then written out to the various text files in /etc/ and /usr/local/etc/ and other locations when the user clicks Save. That means any changes made directly to these system files are not persistent as the files are recreated using the config.xml contents when changes are saved.
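Added example, not part of the thread or of the Suricata package: a read-only Python check that decodes each interface's Base64 custom rules from a config.xml backup and reports SIDs that exist on some interfaces but are missing on others. The element names (installedpackages/suricata/rule, interface, customrules) are assumptions about the package's config layout, and the sample XML and rules are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample rules and config; the element names used below are
# assumptions about how the Suricata package stores its settings in config.xml.
_RULES_A = ('alert tcp any any -> $HOME_NET 22 (msg:"SSH in"; sid:1000001; rev:1;)\n'
            'alert udp any any -> $HOME_NET 53 (msg:"DNS in"; sid:1000002; rev:1;)\n')
_RULES_B = 'alert tcp any any -> $HOME_NET 22 (msg:"SSH in"; sid:1000001; rev:1;)\n'


def _b64(text):
    return base64.b64encode(text.encode()).decode()


SAMPLE_CONFIG = f"""<pfsense><installedpackages><suricata>
  <rule><interface>wan</interface><customrules>{_b64(_RULES_A)}</customrules></rule>
  <rule><interface>lan</interface><customrules>{_b64(_RULES_A)}</customrules></rule>
  <rule><interface>opt1</interface><customrules>{_b64(_RULES_B)}</customrules></rule>
</suricata></installedpackages></pfsense>"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def custom_rule_sids(config_xml):
    """Map each Suricata interface to the set of SIDs in its decoded custom rules."""
    root = ET.fromstring(config_xml)
    result = {}
    for entry in root.findall("./installedpackages/suricata/rule"):
        iface = entry.findtext("interface", default="?")
        blob = entry.findtext("customrules", default="") or ""
        text = base64.b64decode(blob).decode("utf-8", errors="replace")
        # Ignore blank and commented-out lines so disabled rules do not count.
        active = [ln for ln in text.splitlines()
                  if ln.strip() and not ln.lstrip().startswith("#")]
        result[iface] = {int(s) for ln in active for s in SID_RE.findall(ln)}
    return result


def drift_report(config_xml):
    """For each interface, list SIDs found on another interface but missing here."""
    per_iface = custom_rule_sids(config_xml)
    union = set().union(*per_iface.values()) if per_iface else set()
    return {i: sorted(union - sids) for i, sids in per_iface.items() if union - sids}


if __name__ == "__main__":
    for iface, missing in drift_report(SAMPLE_CONFIG).items():
        print(f"{iface}: missing custom SIDs {missing}")
```

Run it against a downloaded configuration backup rather than editing files on the firewall, since it only reads and compares.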