Suricata IPS Mode Ruleset

[nicholaswkc]

Dear All,
I switch from pfsense to Opnsense since it i more secure but i want to enable Suricata mode as IPS. My interface card is igb0 and igb1. I will disable the hw checksum offloading, hw TCP Seg offloading and HW Large Receive offloading in order for IPS to operate properly.

Questions:
What rules set should i register?
Where to get the rule set like in Snort we have Oinkcode?

I don't mind paying for closed source rule set but please point me to a right direction.

Appreciate your help. A billion thanks for your help.

[RamSense]

maybe this is what you are looking for:

Free / ETPRO Telemetry edition: https://shop.opnsense.com/product/etpro-telemetry/

Paid / Proofpoint ET Pro Ruleset 1yr subscription: https://shop.opnsense.com/product/proofpoint-et-pro-ruleset-1yr-subscription/

and here on this forum:
https://forum.opnsense.org/index.php?topic=6930.0

[peterwkc]

I wonder whether opnsense is 100% secure than pfsense using Snort which the hacker can flush the rule set.

[Lynxcat]

If you look under System:Firmware:Plugins and type "rule" without quotes in the search box, you will find several rulesets including os-intrusion-detection-content-snort-vrt which is activated with an Oinkcode.

Once installed, just go to Services: Intrusion Detection: Administration:Rules and paste you Oinkcode then save, then enable selected, then download.

[Vilhonator]

You get oinkcode for SNORT by registerring and choosing your plan at https://www.snort.org

For Free telemetry edition of Surricata, you need to go to opnsense store (https://shop.opnsense.com/product/etpro-telemetry/), accept the terms and give your e-mail, your surricata license will be sent to e-mail.

Free telemetry edition will sent anonymous data about your traffic (that's why it's free), but you can use rulesets that won't require license for free and without admitting data.

In Firmware ---> Plugins section, install ruleset package of your choice, after that's done, you can configure IDS/IPS Under services ---> Intrusion detection.

[peterwkc]

I had subscribe to etPro but it cannot download, it takes few hours and it doesn't complete it. Why like this?

Is there any Block tab in Intrusion detection menu?

[Vilhonator]

I had subscribe to etPro but it cannot download, it takes few hours and it doesn't complete it. Why like this?

Is there any Block tab in Intrusion detection menu?

Check logs for errors.

Depending on your hardware and network speed, it can take from 5 minutes to 24 hours to download rules (there's ALOT of them)

[Vilhonator]

Forgot to mention that you can also fetch rulesets using SSH or console connection, which enables you to see the progress of things in realtime.

https://suricata.readthedocs.io/en/latest/quickstart.html has in depth guide, though guide in question assumes you have external server which runs it. So you need to change every command and file location to what matches opnsense.

There's also option to send logs to your PC which you can read in realtime with syslog server client or wireshark, but web gui doesn't have progress bar or anything that would display progress or possible errors in detail

[peterwkc]

Forgot to mention that you can also fetch rulesets using SSH or console connection, which enables you to see the progress of things in realtime.

https://suricata.readthedocs.io/en/latest/quickstart.html has in depth guide, though guide in question assumes you have external server which runs it. So you need to change every command and file location to what matches opnsense.

There's also option to send logs to your PC which you can read in realtime with syslog server client or wireshark, but web gui doesn't have progress bar or anything that would display progress or possible errors in detail

 I issue command suricata-update but it only download the ET free rules and not the ET Pro. How to check ET PRO rules progress?

[Vilhonator]

Forgot to mention that you can also fetch rulesets using SSH or console connection, which enables you to see the progress of things in realtime.

https://suricata.readthedocs.io/en/latest/quickstart.html has in depth guide, though guide in question assumes you have external server which runs it. So you need to change every command and file location to what matches opnsense.

There's also option to send logs to your PC which you can read in realtime with syslog server client or wireshark, but web gui doesn't have progress bar or anything that would display progress or possible errors in detail

 I issue command suricata-update but it only download the ET free rules and not the ET Pro. How to check ET PRO rules progress?

You need to run command which downloads ET pro rules, also make sure that you have installed os-etpro-telemetry and typed your license code under intrusion detection settings