OPNsense Forum » English Forums » Intrusion Detection and Prevention » How to enable via Policy and Rules useful Suricata IDS Rules (SIDs)
Topic: How to enable via Policy and Rules useful Suricata IDS Rules (SIDs) (Read 1223 times)
jonny5 (Newbie, Posts: 24, Karma: 2)
Posted on: February 02, 2024, 06:40:54 pm
Looking to enable additional Suricata IDS Rules / SIDs? Just wrote a how-to w/screenshots, here we go!
TL;DR:
https://www.nova-labs.net/opnsense-and-enabling-suricata-rules/
The how-to is a bit long, but outlined are three policy rules that once enabled allow a much wider/deeper view of the network traffic being inspected.
This will raise your CPU utilization, and if you do not add the third Policy and disable a select few SIDs, it can cause quite a bit of event/alert explosion, as a few of the DNS/TLS/SNI rules fire on each DNS resolution/TLS connection.
The guide starts by broadly enabling (first 2 policies), and then disabling (third policy) whole matching groups of rules based on the SID/rule meta. Thank you, OPNsense: once I realized the population of each meta, I was able to focus on what to enable with minimal Policies.
The last section in the guide is where you will be individually disabling 20+ rules/SIDs, which should not negatively impact your OPNsense router; we are keeping the individual rule mods in low populations.
Here's a first step before you even read the whole guide (you will likely want to have your OPNsense with a working internet connection to get through this guide and to be able to get this initial step out of the way):
Please feel free to suggest modifications, or share your experience here.
Looking to learn more, but share what's being explored!
Last Edit: February 02, 2024, 07:12:23 pm by jonny5
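As an added illustration of the ordering jonny5's post describes (broad enable policies first, a group disable policy next, a short per-SID disable list last), here is a small stand-alone Python model of that evaluation. It is not code from the post, the linked guide or OPNsense; the rule lines, SIDs (9000001 to 9000005) and metadata values are constructed for the example, and the policy matching on metadata key/value pairs is a simplification of what the OPNsense Policy UI offers.

```python
"""Policy-style Suricata rule selection, modelled on the three-stage
approach in the post above.  Added example; not OPNsense's code.
Sample rules, SIDs and metadata below are constructed for illustration."""
import re

# Constructed ruleset: two chatty informational DNS/TLS rules, two
# severity-Major rules, and one rule commented out upstream ('#').
SAMPLE_RULES = """\
alert dns $HOME_NET any -> any any (msg:"EXAMPLE DNS query logged"; dns.query; content:"."; sid:9000001; rev:1; metadata:signature_severity Informational, affected_product Any;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TLS SNI observed"; tls.sni; content:"."; sid:9000002; rev:1; metadata:signature_severity Informational, affected_product Any;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE web shell upload"; http.uri; content:"cmd.php"; sid:9000003; rev:2; metadata:signature_severity Major, affected_product Web_Server_Applications;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"EXAMPLE RDP brute force"; flow:to_server; threshold:type threshold, track by_src, count 20, seconds 60; sid:9000004; rev:1; metadata:signature_severity Major, affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit;)
# alert tcp any any -> any any (msg:"EXAMPLE commented out by upstream"; sid:9000005; rev:1; metadata:signature_severity Minor;)
"""

# Header up to the first '(' , options up to the closing ')'.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+'
    r'(?P<proto>\S+)\s[^(]*\((?P<opts>.*)\)\s*$'
)


def parse_rules(text):
    """Parse rule lines into dicts: sid, proto, msg, upstream enabled flag,
    and the metadata key/value pairs the policies will match on."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = m.group('opts')
        sid = int(re.search(r'\bsid:\s*(\d+)', opts).group(1))
        meta = {}
        mm = re.search(r'\bmetadata:\s*([^;]*);', opts)
        if mm:
            for item in mm.group(1).split(','):
                key, _, value = item.strip().partition(' ')
                meta[key] = value
        rules.append({
            'sid': sid,
            'proto': m.group('proto'),
            'msg': re.search(r'msg:"([^"]*)"', opts).group(1),
            'upstream_enabled': m.group('disabled') is None,
            'meta': meta,
        })
    return rules


def policy_matches(rule, policy):
    """A policy matches when every metadata key/value it names is on the rule."""
    return all(rule['meta'].get(k) == v for k, v in policy['match'].items())


def apply_policies(rules, policies, disabled_sids=()):
    """Return {sid: enabled}.  Start from the upstream state, evaluate the
    policies in order (a later policy overrides an earlier one), then apply
    the explicit per-SID disable list last, exactly as the post's stages."""
    state = {r['sid']: r['upstream_enabled'] for r in rules}
    for rule in rules:
        for policy in policies:
            if policy_matches(rule, policy):
                state[rule['sid']] = policy['action'] == 'enable'
    for sid in disabled_sids:
        if sid in state:
            state[sid] = False
    return state


def enabled_sids(state):
    return sorted(sid for sid, on in state.items() if on)


def disable_conf(state):
    """Disabled SIDs one per line: the shape suricata-update's disable.conf
    accepts (OPNsense applies policies itself; this is for use outside it)."""
    return "\n".join(str(sid) for sid, on in sorted(state.items()) if not on)


# Stage 1 and 2: broad enables; stage 3: disable a whole metadata group
# (the Informational DNS/TLS rules that fire on every resolution/handshake).
POLICIES = [
    {'match': {'affected_product': 'Any'}, 'action': 'enable'},
    {'match': {'signature_severity': 'Major'}, 'action': 'enable'},
    {'match': {'signature_severity': 'Informational'}, 'action': 'disable'},
]
# Stage 4: the short hand-picked SID list (hypothetical SID).
DISABLED_SIDS = [9000004]

if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    state = apply_policies(rules, POLICIES, DISABLED_SIDS)
    for r in rules:
        print(f"{r['sid']} {'ON ' if state[r['sid']] else 'off'} {r['msg']}")
```

Running it leaves only sid 9000003 enabled: the two Informational rules were switched on by the broad first policy and then removed as a group by the third, and 9000004 was removed individually. Keeping the group disable as a policy rather than as a long SID list is what keeps the per-SID modifications in "low populations", as the post puts it.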
valsimot (Newbie, Posts: 1, Karma: 0)
Reply #1 on: April 06, 2024, 06:23:18 pm
Thank you for this!
I did not have the option to install the pt-open plugin. I wonder why it wouldn't be present?
jlficken (Newbie, Posts: 8, Karma: 2)
Reply #2 on: April 06, 2024, 10:45:03 pm
I don’t have the option for the second plugin either.
Mars79 (Newbie, Posts: 22, Karma: 3)
Reply #3 on: April 16, 2024, 09:14:10 pm
The pt-open plugin was removed from OPNsense a while ago since the ruleset itself has been discontinued since September 22, 2022.
See:
https://github.com/ptresearch/AttackDetection
Best to remove it from OPNsense if you have it installed; the ruleset is no longer maintained and can even give a false feeling of security.