IDS questions

dcol:
Can I use my custom rules in Intrusion Detection? I have a few Snort/Suricata rules I wrote that I need to add.
Also, is 'IPS Mode' the same as inline mode? If not, how do I turn on inline mode, or is that on by default?

I am looking to switch over from pfSense because they are dragging their feet on IPS/IDS inline mode.
Thanks in advance.

franco:
Hi there,

Inline mode is just a flip of a switch.

[x] enable IDS
[x] enable IPS mode

We do have very light custom-rules support from the GUI, but nothing that would fit your ruleset for sure (there's only GeoIP and Fingerprinting in there). An automatic rule-inclusion for a flat file on the disk would probably be more suitable for you? Something similar is already done by the proxy server configuration.

If that sounds alright we ask all features to be requested on GitHub by the users themselves for questions, ping-backs, testing and polishing features. It makes for a better result. :)

https://github.com/opnsense/core/issues


Cheers,
Franco

dcol:
Thanks, I submitted a feature request on GitHub for custom rules.

franco:
I see this was picked up. We're currently debating whether or not dropping rules into the existing directory is enough or if we need a custom file hook.

https://github.com/opnsense/core/issues/1219
https://github.com/opnsense/core/pull/1222

Files do need to be copied via SSH/SFTP in any case, but that's easily automated as a plus.


Cheers,
Franco

franco:
Pull request was closed, so the official way is to push additional rule files to: /usr/local/etc/suricata/rules/
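
An added example, not part of the thread and not OPNsense's own tooling: a check of a custom rule file for missing, duplicate or out-of-range SIDs, followed by the SSH copy into the directory named above. The file name `custom.rules`, the host `firewall`, root login over SSH, one rule per line, and the 1000000-1999999 local SID range (the usual Snort/Suricata convention) are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: custom.rules, host "firewall", root SSH login,
# one rule per line, local SIDs in 1000000-1999999 (Snort/Suricata convention).
RULES_DIR=/usr/local/etc/suricata/rules/   # directory named in the thread

# Constructed sample: line 3 reuses a SID, line 4 uses one outside the range.
sample_rules() {
    cat <<'EOF'
# constructed sample rules
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL ssh"; sid:1000001; rev:1;)
drop tcp any any -> $HOME_NET 23 (msg:"LOCAL telnet"; sid:1000001; rev:1;)
drop udp any any -> $HOME_NET 161 (msg:"LOCAL snmp"; sid:4242; rev:1;)
EOF
}

# check_rules FILE: print each problem found; return non-zero if there is any.
check_rules() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        !match($0, /sid:[ \t]*[0-9]+;/) {
            printf "line %d: no sid\n", NR; bad = 1; next
        }
        {
            sid = substr($0, RSTART, RLENGTH)   # the "sid:NNN;" option
            gsub(/[^0-9]/, "", sid)             # keep only the number
            if (sid + 0 < 1000000 || sid + 0 > 1999999) {
                printf "line %d: sid %s is outside 1000000-1999999\n", NR, sid
                bad = 1
            }
            if (sid in seen) {
                printf "line %d: sid %s already used on line %d\n", NR, sid, seen[sid]
                bad = 1
            } else {
                seen[sid] = NR
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# push_rules FILE HOST: copy FILE to the firewall only if it passes the check.
push_rules() {
    check_rules "$1" && scp "$1" "root@$2:$RULES_DIR"
}

# Demo on the constructed sample: prints two problems and uploads nothing.
tmp=$(mktemp) && sample_rules > "$tmp"
check_rules "$tmp" || echo "custom.rules not uploaded"
rm -f "$tmp"
```

With a real file the call would be `push_rules custom.rules firewall`. The uniqueness check covers only the file given, not rule files already present in the directory.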
