Previous revision: pfsense:suricata:install_suricata:have_suricata_monitor_the_wan_interface [2021/01/15 14:12] – created peter
Current revision: pfsense:suricata:install_suricata:have_suricata_monitor_the_wan_interface [2021/01/22 13:54] (current) peter

====== PFSense - Suricata - Install Suricata - Have Suricata Monitor the WAN Interface ======

Navigate to **Services -> Suricata -> Interfaces**.

Click **Add**.

In **General Settings**:

  * Enable:  **Checked**.
  * Interface:  **WAN (pppoe0)**.
  * Description:  **WAN**.

{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_general_settings.png?800|}}

----

In **Logging Settings**:

  * Send Alerts to System Log:  **Not Checked**.
  * Enable Stats Collection:  **Not Checked**.
  * Enable HTTP Log:  **Checked**.
  * Append HTTP Log:  **Checked**.
  * Log Extended HTTP Info:  **Checked**.
  * Enable TLS Log:  **Not Checked**.
  * Enable File-Store:  **Not Checked**.
  * Enable Packet Log:  **Not Checked**.

{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_logging_settings.png?800|}}

----

In **EVE Output Settings**:

  * EVE JSON Log:  **Not Checked**.

{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_eve_output_settings.png?800|}}

----

In **Alert and Block Settings**:

  * Block Offenders:  **Checked**.
  * IPS Mode:  **Legacy Mode**.
  * Kill States:  **Checked**.
  * Which IP to Block:  **Both**.
  * Block On DROP Only:  **Not Checked**.

{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_alert_and_block_settings.png?800|}}

----

In **Performance and Detection Engine Settings**:

  * Run Mode:  **AutoFP**.
  * Max Pending Packets:  **1024**.
  * Detect-Engine Profile:  **High**.
  * Pattern Matcher Algorithm:  **Auto**.
  * Signature Group Header MPM Context:  **Auto**.
  * Inspection Recursion Limit:  **3000**.
  * Delayed Detect:  **Not Checked**.
  * Promiscuous Mode:  **Checked**.
  * Interface PCAP Snaplen:  **1518**.

{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_performance_and_detection_engine_settings.png?800|}}

----

In **Networks Suricata Should Inspect and Protect**:

  * Home Net:  **default**.
  * External Net:  **default**.
  * Pass List:  **default**.

{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_networks_suricata_should_inspect_and_protect.png?800|}}

----

In **Alert Suppression and Filtering**:

  * Alert Suppression and Filtering:  **WANSuppressList**.  Changed from the default.

{{:pfsense:suricata:install_suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_alert_suppression_and_filtering.png?600|}}

----
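As an added example, not part of this wiki page or of the pfSense Suricata package, the following Python script shows on paper what the **Alert and Block Settings** and the **WANSuppressList** above do together: it reads alerts written in Suricata's one-line fast.log layout, applies a suppress list in the threshold.conf syntax that pfSense suppress lists use, and then reports which addresses Legacy Mode blocking would add to the block table for **Which IP to Block: Both**, after the Pass List has exempted the firewall's own WAN address. The log lines, suppress entries, signature IDs (9000001-9000003) and addresses are constructed for the example; the fast.log field order, the suppress syntax and the blocking semantics are assumptions stated in the code comments.

```python
import ipaddress
import re
from collections import Counter

# Constructed alerts in Suricata's fast.log layout (assumed field order:
# timestamp, [gid:sid:rev], message, classification, priority, {proto}, src:port -> dst:port).
# Signature IDs, messages and addresses are made up for this example.
SAMPLE_FAST_LOG = """\
01/22/2021-13:54:01.000001  [**] [1:9000001:1] CONSTRUCTED SCAN example probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.10:41234 -> 203.0.113.5:22
01/22/2021-13:54:02.000002  [**] [1:9000002:1] CONSTRUCTED STREAM example anomaly [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.5:443 -> 198.51.100.77:51000
01/22/2021-13:54:03.000003  [**] [1:9000003:1] CONSTRUCTED MALWARE example beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.51.100.20:80 -> 203.0.113.5:49876
01/22/2021-13:54:04.000004  [**] [1:9000001:1] CONSTRUCTED SCAN example probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.33:55555 -> 203.0.113.5:22
"""

# Constructed suppress list in threshold.conf syntax (assumed to be what a pfSense suppress
# list such as WANSuppressList contains). An entry without "track" suppresses the signature
# everywhere; "track by_src" / "by_dst" suppresses it only for the given address or CIDR.
SAMPLE_SUPPRESS_LIST = """\
# constructed entries for the example
suppress gen_id 1, sig_id 9000002
suppress gen_id 1, sig_id 9000001, track by_src, ip 198.51.100.0/24
"""

# Constructed Pass List: the firewall's own WAN address must never be blocked.
PASS_LIST = ("203.0.113.5",)

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[0-9a-fA-F.:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9a-fA-F.:]+):(?P<dport>\d+)\s*$"
)

SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)


def parse_fast_log(text):
    """Return one dict per well-formed fast.log line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        alert = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            alert[key] = int(alert[key])
        alerts.append(alert)
    return alerts


def parse_suppress_list(text):
    """Parse suppress entries; comments and blank lines are ignored, anything else must parse."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised suppress entry: {line}")
        rule = m.groupdict()
        rule["gid"], rule["sid"] = int(rule["gid"]), int(rule["sid"])
        rule["net"] = ipaddress.ip_network(rule["ip"], strict=False) if rule["ip"] else None
        rules.append(rule)
    return rules


def is_suppressed(alert, rules):
    """True if any suppress entry covers this alert (same gid/sid, and the tracked side matches)."""
    for rule in rules:
        if (rule["gid"], rule["sid"]) != (alert["gid"], alert["sid"]):
            continue
        if rule["track"] is None:
            return True  # global suppress: every hit on this signature is dropped
        addr = alert["src"] if rule["track"] == "by_src" else alert["dst"]
        if ipaddress.ip_address(addr) in rule["net"]:
            return True
    return False


def block_candidates(alerts, which="both", pass_list=()):
    """Addresses Legacy Mode blocking would add for 'src', 'dst' or 'both', minus the Pass List."""
    exempt_nets = [ipaddress.ip_network(p, strict=False) for p in pass_list]

    def exempt(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in exempt_nets)

    candidates = set()
    for a in alerts:
        sides = {"src": [a["src"]], "dst": [a["dst"]], "both": [a["src"], a["dst"]]}[which]
        candidates.update(addr for addr in sides if not exempt(addr))
    return candidates


def noisy_signatures(alerts, top=5):
    """Most frequent (sid, message) pairs: candidates for a suppress entry rather than a category-wide disable."""
    return Counter((a["sid"], a["msg"]) for a in alerts).most_common(top)


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    rules = parse_suppress_list(SAMPLE_SUPPRESS_LIST)
    remaining = [a for a in alerts if not is_suppressed(a, rules)]
    print(f"{len(alerts)} alerts, {len(remaining)} remain after WANSuppressList")
    print("would be blocked (Both):", sorted(block_candidates(remaining, "both", PASS_LIST)))
    for (sid, msg), count in noisy_signatures(alerts):
        print(f"sid {sid} x{count}: {msg}")
```

Running it prints the alerts left after suppression, the addresses that blocking would add, and the noisiest signatures; the last list is the one to look at when a category fires too often, since a targeted suppress entry keeps the rest of that category active.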

In **Arguments here will be automatically inserted into the Suricata configuration**:

  * Advanced Configuration Pass-Through:  **<blank>**.

{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_arguments_here_will_be_automatically_inserted_into_the_suricata_configuration.png?800|}}

----

===== Set Categories for the WAN Interface to Monitor =====

Click on **WAN Categories**.

In **Select the rulesets (Categories) Suricata will load at startup**:

  * Within each Ruleset, tick the checkbox next to each category you want to enable.
  * Ruleset: ET Open Rules:
    * emerging-attack_response.rules
    * emerging-botcc.portgrouped.rules
    * emerging-botcc.rules
    * emerging-ciarmy.rules
    * emerging-coinminer.rules
    * emerging-compromised.rules
    * emerging-current_events.rules
    * emerging-dos.rules
    * emerging-dshield.rules
    * emerging-exploit.rules
    * emerging-malware.rules
    * emerging-mobile_malware.rules
    * emerging-phishing.rules
    * emerging-scan.rules
    * emerging-worm.rules
  * Ruleset: Snort Text Rules:
    * snort_attack-responses.rules
    * snort_backdoor.rules
    * snort_bad-traffic.rules
    * snort_blacklist.rules
    * snort_botnet-cnc.rules
    * snort_ddos.rules
    * snort_dos.rules
    * snort_exploit-kit.rules
    * snort_exploit.rules
    * snort_malware-backdoor.rules
    * snort_malware-cnc.rules
    * snort_malware-other.rules
    * snort_malware-tools.rules
    * snort_phishing-spam.rules
    * snort_policy-spam.rules
    * snort_scan.rules
    * snort_specific-threats.rules
    * snort_spyware-put.rules
    * snort_virus.rules
    * snort_web-attacks.rules

<WRAP info>
**NOTE:**  Do not select all categories: doing so produces far too many false positives and takes a lot of time to tune.
</WRAP>


----

===== Start Suricata on WAN =====

Navigate to **Services -> Suricata -> Interfaces**.

Click the **start** button.

{{:pfsense:suricata:install_suricata:pfsense_-_services_-_suricata_-_interfaces_-_wan_-_start.png?800|}}

----

Return to [[PFSense:Suricata:Install Suricata]] or continue to [[PFSense:Suricata:Install Suricata:Have Suricata Monitor the LAN Interface|Have Suricata Monitor the LAN Interface]].

----
  
pfsense/suricata/install_suricata/have_suricata_monitor_the_wan_interface.1610719973.txt.gz · Last modified: 2021/01/15 14:12 by peter
