Table of Contents
PFSense - Suricata - Install Suricata - Have Suricata Monitor the WAN Interface
Navigate to Services → Suricata → Interfaces.
Click Add.
In General Settings:
- Enable: Checked.
- Interface: WAN (pppoe0).
- Description: WAN.
In Logging Settings:
- Send Alerts to System Log: Not Checked.
- Enable Stats Collection: Not Checked.
- Enable HTTP Log: Checked.
- Append HTTP Log: Checked.
- Log Extended HTTP Info: Checked.
- Enable TLS Log: Not Checked.
- Enable File-Store: Not Checked.
- Enable Packet Log: Not Checked.
In EVE Output Settings:
- EVE JSON Log: Not Checked.
In Alert and Block Settings:
- Block Offenders: Checked.
- IPS Mode: Legacy Mode.
- Kill States: Checked.
- Which IP to Block: Both.
- Block On DROP Only: Not Checked.
In Performance and Detection Engine Settings:
- Run Mode: AutoFP.
- Max Pending Packets: 1024.
- Detect-Engine Profile: High.
- Pattern Matcher Algorithm: Auto.
- Signature Group Header MPM Context: Auto.
- Inspection Recursion Limit: 3000.
- Delayed Detect: Not Checked.
- Promiscuous Mode: Checked.
- Interface PCAP Snaplen: 1518.
In Networks Suricata Should Inspect and Protect:
- Home Net: default:
- External Net: default.
- Pass List: default.
In Alert Suppression and Filtering:
- Alert Suppression and Filtering: WANSuppressList. Changed from default.
In Arguments here will be automatically inserted into the Suricata configuration:
- Advanced Configuration Pass-Through: <blank>.
Set Categories for the WAN Interface to Monitor
Click on WAN Categories.
In Select the rulesets (Categories) Suricata will load at startup:
- Within each Ruleset, click the checkbox against whichever rules to enable.
- Ruleset: ET Open Rules:
- emerging-attack_response.rules
- emerging-botcc.portgrouped.rules
- emerging-botcc.rules
- emerging-ciarmy.rules
- emerging-coinminer.rules
- emerging-compromised.rules
- emerging-current_events.rules
- emerging-dos.rules
- emerging-dshield.rules
- emerging-exploit.rules
- emerging-malware.rules
- emerging-mobile_malware.rules
- emerging-phishing.rules
- emerging-scan.rules
- emerging-worm.rules
- Ruleset: Snort Text Rules:
- snort_attack-responses.rules
- snort_backdoor.rules
- snort_bad-traffic.rules
- snort_blacklist.rules
- snort_botnet-cnc.rules
- snort_ddos.rules
- snort_dos.rules
- snort_exploit-kit.rules
- snort_exploit.rules
- snort_malware-backdoor.rules
- snort_malware-cnc.rules
- snort_malware-other.rules
- snort_malware-tools.rules
- snort_phishing-spam.rules
- snort_policy-spam.rules
- snort_scan.rules
- snort_specific-threats.rules
- snort_spyware-put.rules
- snort_virus.rules
- snort_web-attacks.rules
NOTE: Do not select all categories, as this will produce too many false positives and lots of time to get right.
Start Suricata on WAN
Navigate to Services → Suricata → Interfaces.
Click the start button.
Return to Install Suricata or continue to Have Suricata Monitor the LAN Interface.