    Suricata rules without Internet access

Yordano

I have a pfSense in my local network. I am using it as an IDS, mostly to detect some abnormal network behaviours. Unfortunately the IP address of the pfSense has no direct access to the Internet. I have downloaded the rulesets file. I copy the .rules files to /usr/local/etc/suricata/suricata_xxxx/rules. But the rules are being ignored by the system. How can I solve this? I have googled, read forums, mailing lists, but no luck with an answer. It seems everybody has their pfSense server luckily connected to the Internet. But it is not my case. So, I need some support here.

bmeeks @Yordano

        @Yordano said in Suricata rules without Internet access:

I have a pfSense in my local network. I am using it as an IDS, mostly to detect some abnormal network behaviours. Unfortunately the IP address of the pfSense has no direct access to the Internet. I have downloaded the rulesets file. I copy the .rules files to /usr/local/etc/suricata/suricata_xxxx/rules. But the rules are being ignored by the system. How can I solve this? I have googled, read forums, mailing lists, but no luck with an answer. It seems everybody has their pfSense server luckily connected to the Internet. But it is not my case. So, I need some support here.

        Sorry, but the Suricata GUI package for pfSense is not configured for offline operation (without Internet access) nor is it configured for manual installation of the rules in that situation.

        If you want to run Suricata in an offline type of situation, it would be better for you to install the plain binary (no GUI support) package from FreeBSD Ports (not the pfSense packages repository!). You can download the package file to a USB stick and then port it over to the pfSense firewall. Be warned that you will also need to grab quite a number of shared library dependencies as well.

A shorter, better answer is "you can't" ... 🙂. At least not without being willing to go to a lot of extra effort.

In fact, you will find that pfSense itself, with no Internet access, is going to be very slow on the Dashboard GUI due to attempts to contact the pfSense software repository to check for updates. pfSense is just not set up for an offline situation where it can't readily access the Internet.

        I know what a pain offline isolated systems can be. I had to manage such systems for several years, and keeping them updated is a big challenge because pretty much all software systems today assume they have immediate unrestricted Internet access.

        If all you want is IDS/IPS, then I would seriously consider just installing a Linux distro (or FreeBSD, if you prefer) on the box and then installing the regular Suricata binary for the particular distro. You would then configure everything using the CLI.

bingo600 @bmeeks

          @bmeeks said in Suricata rules without Internet access:

In fact, you will find that pfSense itself, with no Internet access, is going to be very slow on the Dashboard GUI due to attempts to contact the pfSense software repository to check for updates. pfSense is just not set up for an offline situation where it can't readily access the Internet.

Wasn't there a fix for that "slow GUI" if no Internet access, in either 2.4.5-p1 or the upcoming 2.5?

          I think i read about a fix, here on the forum.

          /Bingo

If you find my answer useful - Please give the post a 👍 - "thumbs up"

          pfSense+ 23.05.1 (ZFS)

          QOTOM-Q355G4 Quad Lan.
CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

bmeeks @bingo600

            @bingo600 said in Suricata rules without Internet access:


Wasn't there a fix for that "slow GUI" if no Internet access, in either 2.4.5-p1 or the upcoming 2.5?

            I think i read about a fix, here on the forum.

            /Bingo

            I believe you can turn off the check for updates which should take care of the problem.

Yordano

Finally, I was able to manually append any desired ruleset to my running Suricata. After searching everywhere, I found in the Netgate docs for pfSense that the command viconfig is able to persist changes to the always-refreshed config.xml after every system reboot or service restart. First, I found the XML rulesets tag and appended every filename following the same syntax already used there. After that, I copied to /usr/local/share/suricata/rules every matching file according to the names declared in the rulesets XML tag. Finally, after every refresh of the pfSense box, the changes persist. Thanks anyway to everybody for the tips.

marklark @Yordano
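The procedure Yordano describes (copy the .rules files into /usr/local/share/suricata/rules, then list them in the rulesets element of config.xml with viconfig) can be scripted, and since the files arrive on removable media it is worth adding an integrity check before they reach the firewall. The script below is an added example, not from the original thread or the pfSense Suricata package. It assumes the rulesets value is a `||`-separated list of file names (check the existing value in your own config.xml before pasting) and that the manifest file is carried in through a channel you trust more than the USB stick itself; the viconfig step remains manual.

```shell
#!/bin/sh
# Stage Suricata rule files for an air-gapped pfSense box.
# Added example, not the pfSense package's own code. Assumptions:
#   - the <rulesets> element in config.xml holds file names joined by "||"
#   - MANIFEST.sha256 was written on the online host and travels with the files
set -eu

# Portable SHA-256 of one file: FreeBSD/pfSense has sha256(1), Linux has sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Run on the ONLINE host after downloading the rules: record a hash per file
# so that modification in transit (USB stick, shared drive) is detected.
write_manifest() {
    dir=$1
    : > "$dir/MANIFEST.sha256"
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$dir/MANIFEST.sha256"
    done
}

# Run on the pfSense box: refuse the whole batch if any hash does not match.
verify_manifest() {
    dir=$1
    while read -r sum name; do
        [ "$(sha256_of "$dir/$name")" = "$sum" ] || { echo "hash mismatch: $name" >&2; return 1; }
    done < "$dir/MANIFEST.sha256"
}

# Copy verified .rules files into the Suricata rules directory and print the
# "a.rules||b.rules" string to paste into the <rulesets> element via viconfig.
stage_rules() {
    src=$1; dst=$2
    verify_manifest "$src"
    mkdir -p "$dst"
    list=""
    for f in "$src"/*.rules; do
        [ -e "$f" ] || continue
        cp "$f" "$dst/"
        list="${list:+$list||}$(basename "$f")"
    done
    printf '%s\n' "$list"
}

# Typical use on the firewall (paths from the thread; the mount point is hypothetical):
#   stage_rules /media/usb/rules /usr/local/share/suricata/rules
#   viconfig     -> edit the <rulesets> value for the interface, then save
#   restart the Suricata service from the GUI or with the pfSense service scripts
```

The manifest only proves the files match what the online host downloaded; it does not authenticate the download itself, so fetch the rules over HTTPS from the vendor on that host. After restarting Suricata, confirm on the INTERFACES/LOGS tab that the rule count changed, since a wrong file name in the rulesets value is silently skipped rather than reported as an error.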

                @Yordano

                Background: I'm using the GUI for Suricata through the pfSense virtual firewall (FreeBSD instance).
Has anyone tried to use the ETOpen custom URL option to "download" the ruleset via a "file://" URL? It seems like a reasonable work-around, but doesn't work.

                Where would I look to see errors?

                Thank you very much!

bmeeks @marklark

                  @marklark said in Suricata rules without Internet access:

                  @Yordano

                  Background: I'm using the GUI for Suricata through the pfSense virtual firewall (FreeBSD instance).
Has anyone tried to use the ETOpen custom URL option to "download" the ruleset via a "file://" URL? It seems like a reasonable work-around, but doesn't work.

                  Where would I look to see errors?

                  Thank you very much!

                  The internal code within the PHP GUI is expecting HTTP or HTTPS urls only in that field and sets the options for curl with that in mind. The assumption was the user would have an internal web host to download from when using the Custom URL option.

                  Any errors would be logged on the UPDATES tab in the log file available for viewing there.

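Since the Custom URL code path only speaks HTTP/HTTPS through curl, the workable variant of marklark's idea is the internal web host bmeeks mentions: a box on the LAN that serves the tarball the updater expects. The script below is an added example, not code from the thread or the pfSense package. It assumes the updater fetches a `<tarball>.md5` sidecar from the same location as the tarball (as the public ET Open mirror provides) and that the Custom URL field takes the full tarball URL; confirm both against the UPDATES tab log after the first attempt. Addresses and paths are hypothetical.

```shell
#!/bin/sh
# Build and serve an internal HTTP mirror of a Suricata rules tarball for the
# pfSense "Custom URL" option. Added example, not the pfSense package's code.
# Assumption: the updater wants "<name>" and "<name>.md5" side by side.
set -eu

# Portable MD5 hex digest: FreeBSD has md5(1), Linux has md5sum(1).
md5_of() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# Copy the tarball into the web root and write the ".md5" sidecar next to it
# (32 hex characters plus newline, as on the upstream mirror). Prints the
# sidecar path so callers can check what was produced.
build_mirror() {
    tarball=$1; webroot=$2
    name=$(basename "$tarball")
    mkdir -p "$webroot"
    cp "$tarball" "$webroot/$name"
    md5_of "$tarball" > "$webroot/$name.md5"
    printf '%s\n' "$webroot/$name.md5"
}

# Serve the web root on a LAN address the firewall can reach. Plain HTTP is
# enough because the updater's curl call accepts http://; bind to the internal
# interface only, never 0.0.0.0 on a host that also faces the Internet.
serve_mirror() {
    webroot=$1; addr=$2; port=${3:-8080}
    python3 -m http.server --bind "$addr" --directory "$webroot" "$port"
}

# Usage on the staging host (hypothetical addresses):
#   build_mirror ~/Downloads/emerging.rules.tar.gz /srv/rules
#   serve_mirror /srv/rules 192.168.1.10 8080
# Then in the Suricata GUI set the ET Open Custom URL to
#   http://192.168.1.10:8080/emerging.rules.tar.gz
# and press "Force" on the UPDATES tab; read the log there if the fetch fails.
```

The md5 sidecar is what the updater uses to decide whether the tarball changed, not a security control, so keep the staging host's own download of the tarball over HTTPS from the vendor and re-run build_mirror after each refresh.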
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.