Archive > 15.7 Legacy Series

Suricata/OPNsense Questions


smajor:
Greetings. I'm exploring 15.7 and found the Intrusion Detection! Excellent job, devs!

First, I checked the wiki because I'd like to learn a little more about it since I've not heard of Suricata before now. Some general questions:

1) By default, IDS is monitoring LAN, is this correct? I would have thought I'd want to watch for these at WAN.

2) Is there a list somewhere (Suricata site?) that defines what all of these rulesets are? Some are obvious, some not so much.

Once again, thank you. Very nifty!

franco:
smajor,

(1) I think this was cut+paste from the proxy config. I've changed it to WAN for 15.7.1:

https://github.com/opnsense/core/commit/a1aabc11d631a7ab018bde72d2c5f56d41e2b316

(2) The current rules files come from Emerging Threats; the files that are preloaded were actually shipped with Suricata (thus they are old):

https://github.com/opnsense/core/blob/fa8bf4e4ba6167a3186d94d4a1095b550cdede85/src/opnsense/scripts/suricata/metadata/rules/et-open.xml

More file descriptions and remote download support are coming soonish as we gather and implement user feedback, e.g.:

https://github.com/opnsense/core/issues/237


Cheers,
Franco

lucifercipher:
hi smajor,

Please take a look here at http://rules.emergingthreats.net/open/suricata/ . They are Emerging Threats rules for Suricata. You can manually push them too if you like, in case you are looking for regular updates. Also, the ET website has detailed descriptions of individual rules and sub-rules.

For detailed documentation, please look here: http://doc.emergingthreats.net/
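To see what a ruleset file actually contains before enabling it (smajor's question 2), it helps to parse the rule headers and count rules by the "ET <CATEGORY>" prefix in the msg and by classtype. The script below is an added example written for this thread, not code from OPNsense or Emerging Threats; the sample rules embedded in it are constructed and use made-up sids, and a real et-open file would be passed as the first argument.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in Emerging Threats / Suricata rule syntax. These are NOT
# real ET rules; the sids and messages are made up for this example.
SAMPLE_RULES = """\
# Emerging Threats style rules (constructed for this example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S; threshold:type both,track by_src,count 5,seconds 120; classtype:attempted-recon; sid:2001219; rev:20;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent"; flow:established,to_server; content:"User-Agent|3a| evil"; http_header; classtype:trojan-activity; sid:2010000; rev:3;)
#alert tcp any any -> any 23 (msg:"ET POLICY Telnet Login Attempt"; classtype:policy-violation; sid:2010001; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attempt"; classtype:attempted-dos; sid:2010002; rev:2;)
"""

# Rule header: [#]action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?"
    r"(?P<action>alert|drop|pass|reject)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)
# Option keywords we care about. A literal ';' inside content must be written
# as |3B| in Suricata syntax, so these keyword matches are unambiguous.
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"')
SID_RE = re.compile(r"\bsid:\s*(\d+)")
CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([\w-]+)")


@dataclass
class Rule:
    enabled: bool      # False when the line is commented out with '#'
    action: str        # alert / drop / pass / reject
    proto: str
    msg: str
    sid: int
    classtype: str     # classification name from classification.config
    category: str      # ET naming convention: msg starts with "ET <CATEGORY>"


def parse_rules(text):
    """Parse every rule line (enabled or '#'-disabled) into Rule objects."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line or free-text comment
        opts = m.group("opts")
        msg = MSG_RE.search(opts)
        sid = SID_RE.search(opts)
        ctype = CLASSTYPE_RE.search(opts)
        if not (msg and sid):
            continue  # malformed: Suricata requires both msg and sid
        words = msg.group(1).split()
        category = words[1] if len(words) > 1 and words[0] == "ET" else "OTHER"
        rules.append(Rule(
            enabled=m.group("disabled") is None,
            action=m.group("action"),
            proto=m.group("proto"),
            msg=msg.group(1),
            sid=int(sid.group(1)),
            classtype=ctype.group(1) if ctype else "unknown",
            category=category,
        ))
    return rules


def summarize(rules):
    """Counts by ET category, classtype and action, plus the disabled sids."""
    enabled = [r for r in rules if r.enabled]
    return {
        "enabled": len(enabled),
        "disabled_sids": sorted(r.sid for r in rules if not r.enabled),
        "by_category": Counter(r.category for r in enabled),
        "by_classtype": Counter(r.classtype for r in enabled),
        "by_action": Counter(r.action for r in enabled),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for key, value in summarize(parse_rules(text)).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run it against a downloaded emerging-all.rules (or one of the per-category files) to get a quick inventory of what turning that file on will actually load; the classtype counts map directly onto the priorities Suricata assigns from classification.config.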

Supermule:
It's not at all a bad thing to run Suricata on LAN as well as WAN.

Run a limited set of rules on WAN and the whole enchilada on LAN. That means you can track the culprits to specific internal IPs instead of your public WAN.

I haven't tested the ability to run 2 instances of Suricata in OPNsense, but it should be able to.
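Supermule's point about attribution is easiest to see in the alert log: an outbound hit captured on the LAN interface carries the internal source address, while the same connection captured on WAN after NAT only shows the firewall's public address. The script below is an added example, not code from the thread or from OPNsense; it reads Suricata's eve.json alert records and maps RFC 1918 addresses to the signatures they triggered. The embedded log lines are constructed, and the interface names em0 (WAN) and em1 (LAN) are assumptions.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed eve.json lines (NOT real Suricata output). The first two records
# are the same outbound connection: seen on the LAN side (em1) with the
# internal source, then on the WAN side (em0) after NAT with the public one.
SAMPLE_EVE = """\
{"timestamp":"2015-07-20T10:00:00.000000+0000","event_type":"alert","in_iface":"em1","src_ip":"192.168.1.23","dest_ip":"198.51.100.10","proto":"TCP","alert":{"signature_id":2010000,"signature":"ET TROJAN Suspicious User-Agent"}}
{"timestamp":"2015-07-20T10:00:00.000500+0000","event_type":"alert","in_iface":"em0","src_ip":"203.0.113.5","dest_ip":"198.51.100.10","proto":"TCP","alert":{"signature_id":2010000,"signature":"ET TROJAN Suspicious User-Agent"}}
{"timestamp":"2015-07-20T10:01:00.000000+0000","event_type":"alert","in_iface":"em0","src_ip":"198.51.100.77","dest_ip":"203.0.113.5","proto":"TCP","alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan"}}
{"timestamp":"2015-07-20T10:02:00.000000+0000","event_type":"flow","in_iface":"em1","src_ip":"192.168.1.40","dest_ip":"192.168.1.1","proto":"UDP"}
"""

# RFC 1918 ranges only. ipaddress's is_private also flags the documentation
# ranges (e.g. 203.0.113.0/24) that stand in for "public" addresses here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_alerts(text):
    """Return only event_type=alert records; skip blank or malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated line from a log rotated mid-write
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def alerts_per_interface(alerts):
    """How many alerts each capture interface produced."""
    return Counter(a.get("in_iface", "?") for a in alerts)


def internal_hosts(alerts):
    """Map each RFC 1918 address seen in an alert to the signatures it hit.

    Only LAN-side captures carry internal addresses; WAN-side captures of
    outbound traffic show the firewall's public address after NAT, so the
    WAN copy of the same hit contributes nothing here.
    """
    hosts = defaultdict(set)
    for a in alerts:
        for key in ("src_ip", "dest_ip"):
            ip = a.get(key)
            if ip and is_internal(ip):
                hosts[ip].add(a["alert"]["signature"])
    return dict(hosts)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    print("alerts per interface:", dict(alerts_per_interface(alerts)))
    for ip, sigs in internal_hosts(alerts).items():
        print(ip, "->", sorted(sigs))
```

On the sample, the WAN-only SSH scan alert is visible but carries no internal address, and the trojan alert is attributed to 192.168.1.23 purely from the LAN-side copy, which is the case for keeping a LAN instance even when WAN already sees the traffic.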

franco:
Right now it complains of experimental support in libpcap using two interfaces in the same instance, but it runs. To enable intrusion prevention we need to migrate to ipfw or pf hooks, which takes care of that problem. If we have two instances, should they have completely separate configs?
