Suricata - where to start?



  • Hi All,

    I have a pfSense box in front of my webhosting platform and wanted to use Suricata to catch "those bad guys" but I am completely lost =(

    I used fail2ban and custom scripts to do some naive IDS in the past, which I now wanted to replace/extend by snort/suricata - my main problems are:

    1. there seems to be no way to have some mature rules in blocking mode but have some new ones to "log only" while testing them. I even tried to assign to instances which seems to be not possible.
    2. the number of rules retrieved by the Snort ET and Community feeds is THAT large, that it seems to be impractical to proofread and decide on each single one - together with the first problem, this makes it worthless as I can't afford to break things and fix them afterwards.

    So is there any clever approach to test rules while having others in blocking mode already and how to get a fast overview on the rules shipped?

    Oli



  • This thread is for Snort, but a lot of the theory is also sound for Suricata – https://forum.pfsense.org/index.php?topic=61018.0.  If you want something sort of easy to implement, I suggest starting with Snort and using the IPS Policy settings.  Using "Connectivity" is a good starting point.

    Unfortunately, as you have seen, the Suricata and Snort packages don't allow selective blocking.  Once blocking is enabled, all alerts result in a block unless the offending IP is in a PASS LIST or the rule has been manually suppressed.

    There are some good threads on Suppress Lists and configuring both Snort and Suricata in the Packages forum.  I suggest you start a thread there and some of the experienced users can offer some suggestions.

    Bill



  • Hi Bill,

    I already read that post before - I gave the VRT rules a try but it won't solve my initial problem. Looks like there is no other option than picking some of the rules and just try them out.

    Oli



  • @oliwel:

    Hi Bill,

    I already read that post before - I gave the VRT rules a try but it won't solve my initial problem. Looks like there is no other option than picking some of the rules and just try them out.

    Oli

    If you have a Snort VRT Oinkcode, then try the Snort package.  On the CATEGORIES tab, check the box for IPS Policy and then choose one of the three policies in the drop-down.  The "connectivity" policy is pretty good and very unlikely to yield many false positives.

    No matter which rules you use, there are some preprocessor alerts that are very noisy in terms of false positives.  There is a Master Suppress List thread you can search for in the Packages sub-forum.  That thread contains the suggested suppress list entries many experienced users have enabled.  Those will eliminate most of the false positives.

    Bill
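
An added example, not part of the original thread: a Python sketch for the two points discussed above, getting a fast overview of a large rule set and producing suppress-list lines for rules that should not yet trigger blocks. The sample rules, SIDs and function names are constructed for illustration, and the output assumes the standard `suppress gen_id 1, sig_id N` suppress syntax.

```python
import re
from collections import Counter

# Constructed sample in Suricata/Snort rule syntax (not taken from any real feed).
SAMPLE_RULES = '''\
alert http any any -> $HOME_NET any (msg:"EXAMPLE scanner user-agent"; classtype:web-application-attack; sid:9000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE ssh brute force"; classtype:attempted-admin; sid:9000002; rev:3;)
#alert http any any -> any any (msg:"EXAMPLE noisy policy rule"; classtype:policy-violation; sid:9000003; rev:2;)
drop http any any -> $HOME_NET any (msg:"EXAMPLE sql injection probe"; classtype:web-application-attack; sid:9000004; rev:1;)
# This is an ordinary comment, not a rule
'''

# Header, then the option block in parentheses; a leading '#' marks a disabled rule.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?P<action>alert|drop|reject|pass)\s+\S+\s.*?\((?P<opts>.*)\)\s*$')

def _opt(opts, name):
    """Return the value of one rule option (quotes stripped), or None."""
    m = re.search(r'(?:^|;)\s*' + name + r'\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)', opts)
    return m.group(1).strip().strip('"') if m else None

def parse_rules(text):
    """Yield one dict per rule line; commented-out rules are marked disabled."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        sid = _opt(m['opts'], 'sid') if m else None
        if sid is None:
            continue  # plain comment, blank line, or not a rule
        yield {
            'enabled': m['off'] is None,
            'action': m['action'],
            'sid': int(sid),
            'msg': _opt(m['opts'], 'msg'),
            'classtype': _opt(m['opts'], 'classtype') or 'unclassified',
        }

def overview(rules):
    """Count enabled rules per (classtype, action) for a quick triage view."""
    return Counter((r['classtype'], r['action']) for r in rules if r['enabled'])

def suppress_entries(rules, classtypes):
    """Suppress-list lines for enabled rules whose classtype is still under test."""
    return [f"suppress gen_id 1, sig_id {r['sid']}"
            for r in rules if r['enabled'] and r['classtype'] in classtypes]

if __name__ == '__main__':
    parsed = list(parse_rules(SAMPLE_RULES))
    for (classtype, action), n in sorted(overview(parsed).items()):
        print(f"{n:5d}  {action:6s} {classtype}")
    print("\n".join(suppress_entries(parsed, {'attempted-admin'})))
```

Suppressed rules produce no alerts at all, so this keeps untested rules from blocking rather than putting them in a log-only mode.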

