Netgate Discussion Forum
    Suricata - where to start?

oliwel:

      Hi All,

      I have a pfSense box in front of my webhosting platform and wanted to use Suricata to catch "those bad guys" but I am completely lost =(

      I used fail2ban and custom scripts to do some naive IDS in the past, which I now wanted to replace/extend by snort/suricata - my main problems are:

1. There seems to be no way to have some mature rules in blocking mode but have some new ones set to "log only" while testing them. I even tried to assign them to instances, which seems not to be possible.
2. The number of rules retrieved by the Snort ET and Community feeds is THAT large that it seems impractical to proofread and decide on each single one. Together with the first problem, this makes it worthless, as I can't afford to break things and fix them afterwards.

So is there any clever approach to test rules while having others in blocking mode already, and how to get a fast overview of the rules shipped?

      Oli


bmeeks:

This thread is for Snort, but a lot of the theory is also sound for Suricata: https://forum.pfsense.org/index.php?topic=61018.0. If you want something sort of easy to implement, I suggest starting with Snort and using the IPS Policy settings. Using "Connectivity" is a good starting point.

Unfortunately, as you have seen, the Suricata and Snort packages don't allow selective blocking. Once blocking is enabled, all alerts result in a block unless the offending IP is in a PASS LIST or the rule has been manually suppressed.

        There are some good threads on Suppress Lists and configuring both Snort and Suricata in the Packages forum.  I suggest you start a thread there and some of the experienced users can offer some suggestions.

        Bill


oliwel:

          Hi Bill,

I already read that post before. I gave the VRT rules a try, but it won't solve my initial problem. Looks like there is no other option than picking some of the rules and just trying them out.

          Oli


bmeeks:

            @oliwel:

            Hi Bill,

I already read that post before. I gave the VRT rules a try, but it won't solve my initial problem. Looks like there is no other option than picking some of the rules and just trying them out.

            Oli

If you have a Snort VRT Oinkcode, then try the Snort package. On the CATEGORIES tab, check the box for IPS Policy and then choose one of the three policies in the drop-down. The "connectivity" policy is pretty good and very unlikely to yield many false positives.

No matter which rules you use, there are some preprocessor alerts that are very noisy in terms of false positives. There is a Master Suppress List thread you can search for in the Packages sub-forum. That thread contains the suggested suppress list entries many experienced users have enabled. Those will eliminate most of the false positives.

            Bill

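The two practical problems raised in this thread are getting a quick overview of a very large rule feed and keeping a few noisy signatures from blocking once the package is in blocking mode. The script below is an added example, not code from the thread or from the pfSense Snort/Suricata packages: it parses rules in Snort/Suricata syntax (the rule lines are constructed samples, not a real feed excerpt), counts enabled rules per classtype and action, and emits suppress entries in the threshold.config syntax that Suricata reads for the suppress list.

```python
import re
from collections import Counter

# Constructed sample rules in Snort/Suricata syntax (not a real feed excerpt).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-SERVER sample probe"; classtype:web-application-attack; sid:9000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH sample brute force"; classtype:attempted-admin; sid:9000002; rev:2;)
# alert ip any any -> any any (msg:"disabled sample"; classtype:not-suspicious; sid:9000003; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"POLICY sample noisy"; classtype:policy-violation; sid:9000004; rev:1;)
"""

# Header: action, protocol, then addresses/ports up to the option block; we only need action, msg and sid.
RULE_RE = re.compile(r'^(?P<action>alert|drop|pass|reject)\s+\S+\s+.*?\(msg:"(?P<msg>[^"]*)";.*?\bsid:(?P<sid>\d+);')
CLASS_RE = re.compile(r'classtype:(?P<ct>[^;]+);')


def parse_rules(text):
    """Return a list of dicts (action, sid, msg, classtype) for enabled rules; commented-out rules are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cm = CLASS_RE.search(line)
        rules.append({"action": m["action"], "sid": int(m["sid"]), "msg": m["msg"],
                      "classtype": cm["ct"] if cm else "unclassified"})
    return rules


def summarize(rules):
    """Count enabled rules per (classtype, action), so a large feed can be reviewed by category instead of rule by rule."""
    return Counter((r["classtype"], r["action"]) for r in rules)


def suppress_entries(sids, gen_id=1):
    """Emit threshold.config 'suppress' lines for SIDs judged too noisy to block on (same syntax as the package's suppress list)."""
    return [f"suppress gen_id {gen_id}, sig_id {sid}" for sid in sorted(sids)]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for (ct, action), n in sorted(summarize(parsed).items()):
        print(f"{ct:28} {action:6} {n}")
    print("\n".join(suppress_entries([9000004])))
```

Point the parser at the downloaded .rules files to get the per-category counts, then add the suppress lines for the signatures you want to keep alerting without blocking.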
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.