    Common rules for various interfaces in Suricata with Pfsense

    General pfSense Questions
    jra9511

      Is there a way using Suricata with Pfsense so that the rules applied to one interface can be used in several others without having to rewrite each rule for each interface?
      Thanks in advance

        bmeeks

        You can clone an interface's settings over to another interface. There is an icon for cloning (same as duplicating settings) on the right side of the page on the INTERFACES tab in Suricata.

        Select the interface you wish to clone, then it will open the INTERFACE SETTINGS tab where you can choose the target pfSense interface to receive the cloned Suricata settings.

          jra9511

          Thanks for the answer. Really, what we want is to see how to apply the same file that contains several rules to all the configured interfaces; otherwise we have to edit the rules in each interface and copy them. We tried to do it through the MGMT SID, but it gives us a warning that the file is found but the rule is not loaded. We should clarify that we are not using any of the default rules that Suricata comes with; we use one called custom rules to adapt it to our environment and avoid false positives.

            bmeeks @jra9511

            @jra9511 said in Common rules for various interfaces in Suricata with Pfsense:

            Thanks for the answer. Really, what we want is to see how to apply the same file that contains several rules to all the configured interfaces; otherwise we have to edit the rules in each interface and copy them. We tried to do it through the MGMT SID, but it gives us a warning that the file is found but the rule is not loaded. We should clarify that we are not using any of the default rules that Suricata comes with; we use one called custom rules to adapt it to our environment and avoid false positives.

            No, there is no common file. On pfSense, each configured Suricata interface has all of its files contained within a unique subdirectory underneath /usr/local/etc/suricata/. The contents of custom rules are actually stored as Base64 encoded data within the config.xml firewall configuration file and then written out to a text file in the interface's subdirectory when needed. Any changes you might make to those local files will be overwritten by the GUI code the next time any setting is modified within the GUI.

            I don't know what your pfSense experience level is, but some new folks are not aware that pretty much every configuration parameter is stored in the config.xml file and then written out to the various text files in /etc/ and /usr/local/etc/ and other locations when the user clicks Save. That means any changes made directly to these system files are not persistent as the files are recreated using the config.xml contents when changes are saved.

              jra9511
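            The two points above (custom rules live Base64-encoded in config.xml, and the text files under /usr/local/etc/suricata/ are just regenerated copies) mean the place to check whether every interface really carries the same custom rules is config.xml itself, not the per-interface files. The script below is an added example, not code from the thread or from the pfSense Suricata package. It decodes each interface's custom rules from an offline copy of config.xml (a backup taken from the GUI, never the live file) and reports which interfaces share an identical rule set and which signature IDs an interface is missing. The element layout it walks (installedpackages/suricata/rule with interface and customrules children) is an assumption about the package's config schema, and the XML it parses is a constructed sample; verify the layout against your own backup before relying on the output.

```python
"""
Added example, not part of the pfSense Suricata package or this thread:
decode the Base64-encoded custom rules that pfSense stores per interface in
config.xml and compare them across interfaces.

Assumption (verify against a real backup): the package keeps one
<rule> element per Suricata interface under installedpackages/suricata,
with <interface> naming the pfSense interface and <customrules> holding the
Base64 text of the custom rules. The sample XML below is constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: wan and opt1 share the same custom rules, lan lacks one.
WAN_RULES = (
    'alert tcp any any -> $HOME_NET 22 (msg:"custom ssh probe"; sid:9000001; rev:1;)\n'
    'alert http any any -> $HOME_NET any (msg:"custom http path"; content:"/admin"; sid:9000002; rev:1;)\n'
)
LAN_RULES = 'alert tcp any any -> $HOME_NET 22 (msg:"custom ssh probe"; sid:9000001; rev:1;)\n'


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


SAMPLE_CONFIG_XML = f"""<?xml version="1.0"?>
<pfsense>
  <installedpackages>
    <suricata>
      <rule>
        <interface>wan</interface>
        <customrules>{b64(WAN_RULES)}</customrules>
      </rule>
      <rule>
        <interface>opt1</interface>
        <customrules>{b64(WAN_RULES)}</customrules>
      </rule>
      <rule>
        <interface>lan</interface>
        <customrules>{b64(LAN_RULES)}</customrules>
      </rule>
    </suricata>
  </installedpackages>
</pfsense>
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def custom_rules_by_interface(config_xml: str) -> dict:
    """Map pfSense interface name -> decoded custom rules text ('' if none)."""
    root = ET.fromstring(config_xml)
    out = {}
    for rule in root.iterfind("./installedpackages/suricata/rule"):
        iface = rule.findtext("interface", default="").strip()
        encoded = (rule.findtext("customrules") or "").strip()
        # The GUI writes this decoded text into the interface's subdirectory
        # under /usr/local/etc/suricata/ on Save; the XML copy is authoritative.
        out[iface] = base64.b64decode(encoded).decode() if encoded else ""
    return out


def sids(rules_text: str) -> set:
    """Signature IDs present in a rules blob, ignoring blank and comment lines."""
    active = [ln for ln in rules_text.splitlines()
              if ln.strip() and not ln.lstrip().startswith("#")]
    return {int(m.group(1)) for ln in active for m in SID_RE.finditer(ln)}


def group_identical(config_xml: str) -> dict:
    """Group interfaces whose custom rule sets are byte-for-byte identical."""
    groups = defaultdict(list)
    for iface, text in custom_rules_by_interface(config_xml).items():
        groups[text].append(iface)
    return {tuple(sorted(v)): sids(k) for k, v in groups.items()}


def missing_sids(config_xml: str) -> dict:
    """For each interface, SIDs that some other interface has but this one lacks."""
    per_iface = {i: sids(t) for i, t in custom_rules_by_interface(config_xml).items()}
    union = set().union(*per_iface.values()) if per_iface else set()
    return {i: union - s for i, s in per_iface.items()}


if __name__ == "__main__":
    for ifaces, ids in group_identical(SAMPLE_CONFIG_XML).items():
        print(", ".join(ifaces), "->", sorted(ids))
    for iface, gap in missing_sids(SAMPLE_CONFIG_XML).items():
        if gap:
            print(f"{iface} is missing custom SIDs {sorted(gap)}")
```

Point the script at `/conf/config.xml` from a GUI backup to audit a real box. It only reads; any change to what an interface loads still has to go through the Suricata GUI (or the clone function above), since the package regenerates the on-disk files from config.xml on the next Save.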

              A new interface is created, and in the category options all are unchecked, in such a way that the interface tells me there is no rule associated with it. When I use the suricata-update command in the console, it generates a file called suricata.rules located in var/lib/suricata. Is there some way to associate the rules of that file with the interface? Or is there a way to create a new category where I put my own rules? Greetings

                bmeeks @jra9511

                @jra9511 said in Common rules for various interfaces in Suricata with Pfsense:

                When I use the suricata-update command in the console, it generates a file called suricata.rules located in var/lib/suricata,

                Forget everything you might have read about using Suricata via the command line when using the pfSense package.

                The Suricata package on pfSense is managed totally within the GUI. Do absolutely nothing via the command line. The pfSense package is highly customized and you do not use any of the Suricata upstream supplied tools with it -- that includes suricata-update. As you discovered, that utility puts the rules in the wrong location for use in pfSense.

                Here is a YouTube video from Lawrence Systems showing how to install and administer the Suricata package on pfSense: https://www.youtube.com/watch?app=desktop&v=S0-vsjhPDN0.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.