How to enable via Policy and Rules useful Suricata IDS Rules (SIDs)

Started by jonny5, February 02, 2024, 06:40:54 PM

Looking to enable additional Suricata IDS Rules / SIDs? Just wrote a how-to w/screenshots, here we go!

TL;DR:
https://www.nova-labs.net/opnsense-and-enabling-suricata-rules/

The how-to is a bit long, but it outlines three policy rules that, once enabled, allow a much wider/deeper view of the network traffic being inspected.

This will raise your CPU utilization, and if you do not add the third Policy and disable a select few SIDs, it can cause quite a bit of an event/alert explosion, as a few of the DNS/TLS/SNI rules fire on each DNS resolution/TLS connection.

The guide starts by broadly enabling (first 2 policies), and then disabling (third policy) whole matching groups of rules based on the SID/rule meta. Thank you OPNsense: I realized the population of each meta and was then able to focus on what to use to enable with minimal Policies.

The last section in the guide is where you will be individually disabling 20+ rules/SIDs, which should not negatively impact your OPNsense router; we are keeping the individual rule mods in low populations.

Here's a first step before you even read the whole guide (you will likely want to have your OPNsense with a working internet connection to get through this guide and be able to get this initial step out of the way):


Please feel free to suggest modifications, or share your experience here.
Looking to learn more, but share what's being explored!

Thank you for this!
I did not have the option to install the pt-open plugin. I wonder why it wouldn't be present?


The pt-open plugin was removed from OPNsense a while ago, because the ruleset itself was discontinued on September 22, 2022.
See: https://github.com/ptresearch/AttackDetection

It's best to remove it from OPNsense if you have it installed; the ruleset is no longer maintained and can even give a false sense of security.

I tried to follow the guide, but when making the policies, none of the options show up, like "signature severity" or "class type" until I download and enable rules. Are you downloading and enabling all rules before doing these policy setups?

I ask because I went ahead and set up Suricata with the rules that I desire, without doing your policies. I notice that all rules are set to Alert. So if I look at my alerts, it's giving me the alerts and stating "Action = Allowed". I am confused by this because I thought enabling IPS mode would add blocks as well.

Edit: reading other posts in the forum, I realize I need to set the rules to drop https://forum.opnsense.org/index.php?topic=6930.0

Once you have all your rules enabled, you need to edit each ruleset and select 'Change all alerts to drop action'


This doesn't appear to be an option on my rule sets, only the individual rules themselves... Do I seriously need to edit all 150K+ rules to drop?... Do your policies take care of this?

The default action is allow; they do this so that you aren't kicked offline when installing it. Then you need to fine-tune the rules to block the things you want blocked. It's a process, and sometimes you block something and it breaks a service you were using.
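To make the policy discussion above concrete (the first post's "enable broadly, then disable a group, then disable a few SIDs" approach, and the alert-versus-drop question in the last few replies), here is an added example that is not code from the forum, from OPNsense or from Suricata. It models what a policy does to a rule file: match rules on their metadata (signature_severity, classtype), set each matched rule enabled or disabled with an action of alert or drop, then override individual SIDs. The sample rules, SIDs 9000001-9000005, the policy values and the "later policy wins" ordering are all assumptions made for this example, not real ruleset content or OPNsense's exact priority semantics.

```python
"""Simulated OPNsense-style Suricata rule policies over a rule file.

Added example, not code from the forum post, OPNsense or Suricata. It parses
Suricata rule lines (commented-out rules included), reads sid, classtype and
the metadata keys that policies match on, applies an ordered list of
policies and a set of per-SID disables, and returns the rewritten rules so
the effect of "alert -> drop" and of a disabling policy can be checked offline.
"""
import re

# Constructed sample ruleset. SIDs 9000001-9000005 and the messages are
# invented for this example and do not correspond to any real ruleset.
SAMPLE_RULES = """\
alert dns any any -> any any (msg:"EXAMPLE DNS lookup"; dns.query; content:"example.invalid"; classtype:policy-violation; metadata:signature_severity Informational, affected_product Any; sid:9000001; rev:1;)
#alert tls any any -> any any (msg:"EXAMPLE TLS SNI"; tls.sni; content:"example.invalid"; classtype:policy-violation; metadata:signature_severity Minor; sid:9000002; rev:1;)
alert tcp any any -> any 445 (msg:"EXAMPLE SMB exploit attempt"; content:"|ff 53 4d 42|"; classtype:attempted-admin; metadata:signature_severity Major; sid:9000003; rev:2;)
#alert http any any -> any any (msg:"EXAMPLE HTTP known bad UA"; http.user_agent; content:"badua"; classtype:trojan-activity; metadata:signature_severity Critical; sid:9000004; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE noisy DNS rule"; classtype:bad-unknown; metadata:signature_severity Major; sid:9000005; rev:1;)
"""

# A leading '#' means the rule is shipped disabled; the action keyword follows.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<rest>.*\(.*\))\s*$"
)


def parse_rule(line):
    """Return a dict for one Suricata rule line, or None for non-rule lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    opts = rest[rest.index("(") + 1 : rest.rindex(")")]
    sid = re.search(r"\bsid:\s*(\d+)", opts)
    classtype = re.search(r"\bclasstype:\s*([\w-]+)", opts)
    meta = {}
    mm = re.search(r"\bmetadata:\s*([^;]*);", opts)
    if mm:  # "key value, key value" pairs
        for kv in mm.group(1).split(","):
            parts = kv.strip().split(None, 1)
            if len(parts) == 2:
                meta[parts[0]] = parts[1]
    return {
        "enabled": m.group("disabled") is None,
        "action": m.group("action"),
        "rest": rest,
        "sid": int(sid.group(1)) if sid else None,
        "classtype": classtype.group(1) if classtype else None,
        "metadata": meta,
    }


def render(rule):
    """Write the rule back out, commenting it if disabled."""
    return ("" if rule["enabled"] else "#") + rule["action"] + " " + rule["rest"]


def matches(rule, criteria):
    """criteria maps 'classtype' or a metadata key to the set of accepted values."""
    for field, allowed in criteria.items():
        value = rule["classtype"] if field == "classtype" else rule["metadata"].get(field)
        if value not in allowed:
            return False
    return True


def apply_policies(rules_text, policies, disabled_sids=()):
    """Apply policies in list order (later ones override earlier ones; an
    assumption for this example), then per-SID disables. Returns rule lines."""
    out = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r is None:
            out.append(line)  # comments / blank lines pass through untouched
            continue
        for pol in policies:
            if matches(r, pol["match"]):
                if pol.get("enabled") is not None:
                    r["enabled"] = pol["enabled"]
                if pol.get("action"):
                    r["action"] = pol["action"]
        if r["sid"] in disabled_sids:
            r["enabled"] = False
        out.append(render(r))
    return out


def summarize(lines):
    """Map sid -> (enabled, action) for a list of rendered rule lines."""
    return {r["sid"]: (r["enabled"], r["action"]) for r in map(parse_rule, lines) if r}


# Three policies in the spirit of the post: enable high-severity rules as
# drop, enable low-severity rules as alert only, then silence one noisy
# classtype as a group; finally disable a single SID. Values are assumptions.
EXAMPLE_POLICIES = [
    {"match": {"signature_severity": {"Major", "Critical"}}, "enabled": True, "action": "drop"},
    {"match": {"signature_severity": {"Minor", "Informational"}}, "enabled": True, "action": "alert"},
    {"match": {"classtype": {"policy-violation"}}, "enabled": False},
]
EXAMPLE_DISABLED_SIDS = {9000005}

if __name__ == "__main__":
    for line in apply_policies(SAMPLE_RULES, EXAMPLE_POLICIES, EXAMPLE_DISABLED_SIDS):
        print(line[:60])
```

Running it shows the point of the thread: the two Major/Critical rules come out as `drop` (including sid 9000004, which shipped commented out), both policy-violation rules end up disabled regardless of their severity because the later policy wins, and sid 9000005 is disabled by the per-SID override even though the first policy had turned it into a drop rule. The action a rule ends up with is whatever the last matching policy set, which is why a rule left at `alert` shows as "Action = Allowed" in the alert log.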

After setting rules in a policy, go back to Administration/Download and click "Download and update rules".

Another good source: https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/

I run all rules, except when you want certain social media or PayPal; then you need to create another policy to allow those, in other words disable the rules that block them.
So I disable one policy and enable another depending on what I want to do.