Netgate Discussion Forum

Suricata custom ruleset downloaded but not used

Category: IDS/IPS
Tags: suricata, ids, ips
F90 (posted Oct 9, 2023, 1:03 PM; last edited by F90 Oct 9, 2023, 1:04 PM):

    Greetings,

    I have installed Suricata version 6.0.13 on pfSense 2.7.0 stable via the pfSense WebGUI.
    What I want to accomplish is adding a custom self-hosted source for the rule updater (suricata-update, I guess) for automatic git-based rule deployment.
    In the global settings I added http://192.168.0.102:7182/customrules.tar.gz as a custom source.
    The rule updater tells me “Extra CustomRules rules were updated.” and
    “Suricata has restarted with your new set of rules”, but they are in fact not loaded.
    (I can tell, since I included a syntactically wrong rule for easy detection of rule loading in suricata.log, and there is no error in the log.)
    The same source can be successfully loaded (with one syntax error showing up) by plain Suricata on Arch.
    My question now is how I can instruct pfSense's Suricata not only to download, but to actually use the ruleset.
    Copy-pasting the rules into the "Defined Custom Rules" textbox is not an option, because the solution should be easy to maintain and automate.

    Additional info:
    The tar.gz is created using “tar -czf customrules.tar.gz *.rules *.lua”, but I also tried including the parent directory with the same result.

    Thanks for your support.

bmeeks (posted Oct 9, 2023, 2:46 PM; last edited by bmeeks Oct 9, 2023, 2:48 PM):
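The packaging step the post describes, plus the "broken canary rule" trick it uses to tell whether an archive was actually parsed, as an added example that is not code from the thread or from the pfSense Suricata package. It builds customrules.tar.gz from the .rules and .lua files in a git checkout with the same flat layout as the post's tar command, plants one deliberately malformed rule, and greps a suricata.log for that rule being rejected. The SIDs, paths, the sha256sum tool (GNU coreutils, as on the Arch build host) and the exact wording of the constructed log lines are assumptions for illustration:

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense Suricata package.
# Workflow: package *.rules and *.lua from a git checkout into customrules.tar.gz
# for the Global Settings custom source, seed the set with a deliberately
# malformed "canary" rule, and confirm from suricata.log that the archive was
# really parsed. SIDs, paths and log wording below are assumptions.
set -eu

# Write a small constructed rule set into directory $1. The first rule is
# valid; the second is the canary: its msg string is never closed, so Suricata
# rejects it at load time, and that error only shows up if the file is loaded.
write_sample_rules() {
    mkdir -p "$1"
    cat > "$1/custom.rules" <<'EOF'
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"CUSTOM outbound 4444/tcp"; flow:to_server; sid:9000001; rev:1;)
alert tcp any any -> any any (msg:"CUSTOM canary keep broken; sid:9000002; rev:1;)
EOF
}

# Fast-forward the rules checkout before packaging (assumed layout: the rule
# files sit at the top level of the working tree). Not called by the demo.
update_checkout() {
    git -C "$1" pull --ff-only
}

# Package every .rules and .lua file from directory $1 into archive $2 using
# the same flat layout as the original post, then write a SHA-256 next to it so
# the downloading side can detect a truncated or tampered copy. Fails when
# there is nothing to package instead of shipping an empty archive.
build_rules_archive() {
    src="$1"; out="$2"; files=""
    for f in "$src"/*.rules "$src"/*.lua; do
        if [ -f "$f" ]; then files="$files ${f##*/}"; fi
    done
    if [ -z "$files" ]; then
        echo "build_rules_archive: no .rules/.lua files in $src" >&2
        return 1
    fi
    # shellcheck disable=SC2086 -- word splitting of $files is intended
    tar -czf "$out" -C "$src" $files
    sha256sum "$out" | cut -d' ' -f1 > "$out.sha256"
}

# Return 0 if $1 (a suricata.log) shows the canary rule being rejected, which
# proves the archive was loaded, and 1 if the log is silent about it, which is
# exactly the symptom in the original post. Matching on the canary's own msg
# text keeps this independent of the precise error wording (assumed below).
canary_was_parsed() {
    grep -qi 'error.*CUSTOM canary' "$1"
}

# Constructed log excerpt in the style of Suricata 6 (wording assumed): the
# second line is what a loaded canary looks like.
write_sample_log() {
    cat > "$1" <<'EOF'
9/10/2023 -- 13:05:01 - <Notice> - This is Suricata version 6.0.13 RELEASE running in SYSTEM mode
9/10/2023 -- 13:05:02 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"CUSTOM canary keep broken; sid:9000002; rev:1;)" from file /usr/local/etc/suricata/rules/custom.rules at line 2
EOF
}

# Usage: sh build_rules.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    write_sample_rules "$work/rules"
    build_rules_archive "$work/rules" "$work/customrules.tar.gz"
    tar -tzf "$work/customrules.tar.gz"
    write_sample_log "$work/suricata.log"
    canary_was_parsed "$work/suricata.log" && echo "canary rejected: archive was loaded"
    rm -rf "$work"
fi
```

Serve the resulting customrules.tar.gz from the URL entered under Global Settings; the canary check is what distinguishes "downloaded" from "loaded", which the updater's success message alone does not. Once the archive is in use, remove the canary again so the real rules load cleanly.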

      Did you go to the CATEGORIES tab for the interface and enable the new rules package there? You must enable the rules using the checkboxes on the CATEGORIES tab. Or you can enable the SID MGMT feature and select the rules there.

      The GLOBAL SETTINGS tab enables rules archives for download, but it does NOT automatically mean those rules will be used by any Suricata instance. You still must select the rules to use for each Suricata instance on the CATEGORIES tab (or via the SID MGMT feature).

      To see the CATEGORIES tab, edit the appropriate Suricata interface instance and then click the CATEGORIES tab.

F90, replying to bmeeks (posted Oct 9, 2023, 3:28 PM):

        @bmeeks
        No I didn't.
        Now I did and it works. Thank you very much.
        Is there a dedicated Suricata-on-pfSense manual where such things, info about SID management and other UI-specific stuff, are documented?
        I only have the Suricata manual, and an internet search brings up very specific threads on this forum.
        I would really appreciate having fewer of those RTFM moments.

bmeeks (posted Oct 9, 2023, 3:49 PM; last edited by bmeeks Oct 9, 2023, 8:56 PM):

          Here is a link to the generic pfSense documentation for the IDS/IPS packages (Snort and Suricata): https://docs.netgate.com/pfsense/en/latest/packages/snort/index.html.

          Because those two packages share so much common GUI code, the way they operate is extraordinarily similar. That point is noted in the documentation linked above.

          Just be aware that Suricata (and Snort) on pfSense runs a customized binary with a special output plugin compiled in for Legacy Mode Blocking. Also, the GUI in pfSense does everything "behind the scenes" that a user would normally do via command-line editing of configuration files on other Linux or FreeBSD distros. So, many of the online guides you might find for configuring Suricata have limited usefulness on pfSense (at least in terms of providing specific steps to achieve some particular configuration) because they refer you to direct file edits. Those don't work on pfSense because the GUI code rewrites all the local configuration files each time you save a change in the GUI or start the binary. Thus any hand-edits you may have made will be immediately lost.

          At best these online generic Suricata guides can give you the overall concept, but then you need to find how some feature is implemented within the package GUI on pfSense. Posting specific questions back to this forum is a great way to get help and learn to use the package. There are quite a few Snort and Suricata users on pfSense. There are also some pinned Sticky Posts at the top of this sub-forum describing how to use certain features of both packages. Remember that anything you see posted for Snort operation likely applies about the same to Suricata. There are some differences, but the overall workflow of the GUI is the same in both IDS/IPS packages.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.