Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
How to enable via Policy and Rules useful Suricata IDS Rules (SIDs)
« previous
next »
Print
Pages: [
1
]
Author
Topic: How to enable via Policy and Rules useful Suricata IDS Rules (SIDs) (Read 4060 times)
jonny5
Newbie
Posts: 35
Karma: 3
How to enable via Policy and Rules useful Suricata IDS Rules (SIDs)
«
on:
February 02, 2024, 06:40:54 pm »
Looking to enable additional Suricata IDS Rules / SIDs? Just wrote a how-to w/screenshots, here we go!
TLDR;
https://www.nova-labs.net/opnsense-and-enabling-suricata-rules/
The how-to is a bit long, but outlined are three policy rules that once enabled allow a much wider/deeper view of the network traffic being inspected.
This will raise your CPU utilization, and if you do not add the third Policy, and disable a select few SIDs, can cause quite a bit of event/alert explosion as a few of the DNS/TLS/SNI rules fire each DNS resolution/TLS connection.
The guide starts by broadly enabling (first 2 policies), and then disabling (third policy) whole matching groups of rules based on the SID/rule meta. Thank you OPNSense, realized the population of each meta and then was able to focus on what to use to enable with minimal Policies.
Last section in the guide is where you will be individually disabling 20+ rules/SIDs which should not negatively impact your OPNSense router, we are keeping the individual rule mods in low populations.
Here's a first step before you even read the whole guide (you will likely want to have your OPNSense with a working internet connection to get through this guide and be able to get this initial step out of the way):
Please feel free to suggest modifications, or share your experience here.
Looking to learn more, but share what's being explored!
«
Last Edit: February 02, 2024, 07:12:23 pm by jonny5
»
Logged
valsimot
Newbie
Posts: 1
Karma: 0
Re: How to enable via Policy and Rules useful Suricata IDS Rules (SIDs)
«
Reply #1 on:
April 06, 2024, 06:23:18 pm »
Thank you for this!
I did not have the option to install the pt-open plugin. I wonder why it wouldn't be present?
Logged
jlficken
Newbie
Posts: 16
Karma: 2
Re: How to enable via Policy and Rules useful Suricata IDS Rules (SIDs)
«
Reply #2 on:
April 06, 2024, 10:45:03 pm »
I don’t have the option for the second plugin either.
Logged
Mars79
Newbie
Posts: 22
Karma: 3
Re: How to enable via Policy and Rules useful Suricata IDS Rules (SIDs)
«
Reply #3 on:
April 16, 2024, 09:14:10 pm »
The pt-open plugin was removed from OPNsense a while ago since the ruleset itself has been discontinued since September 22, 2022.
See:
https://github.com/ptresearch/AttackDetection
Best to remove it from OPNsense if you have it installed, ruleset is no longer maintained and can even give a false feeling of security.
Logged
OCT0PUSCRIME
Newbie
Posts: 2
Karma: 0
Re: How to enable via Policy and Rules useful Suricata IDS Rules (SIDs)
«
Reply #4 on:
September 21, 2024, 02:36:34 am »
I tried to follow the guide, but when making the policies, none of the options show up, like "signature severity" or "class type" until I download and enable rules. Are you downloading and enabling all rules before doing these policy setups?
I ask because I went ahead and set up suricata with the rules that I desire, without doing your policies. I notice that all rules are set to Alert. So if I look at my alerts it's giving me the alerts and stating "Action = Allowed". I am confused by this because I thought enabling IPS mode would add blocks as well.
Edit: reading other posts in the forum, I realize I need to set the rules to drop
https://forum.opnsense.org/index.php?topic=6930.0
Once you have all your rules enabled, you need to edit each ruleset and select 'Change all alerts to drop action'
This doesn't appear to be an option on my rule sets, only the individual rules themselves... Do I seriously need to edit all 150K+ rules to drop?... Do your policies take care of this?
«
Last Edit: September 21, 2024, 02:50:30 am by OCT0PUSCRIME
»
Logged
Greg_E
Sr. Member
Posts: 342
Karma: 19
Re: How to enable via Policy and Rules useful Suricata IDS Rules (SIDs)
«
Reply #5 on:
September 23, 2024, 03:59:23 pm »
The default action is allow, they do this so that you are kicked offline when installing it. Then you need to fine tune the rules to block the things you want blocked. It's a process, and sometimes you block something and it breaks a service you were using.
Logged
erica.vh
Newbie
Posts: 11
Karma: 0
niah niah niah
Re: How to enable via Policy and Rules useful Suricata IDS Rules (SIDs)
«
Reply #6 on:
October 05, 2024, 03:24:14 pm »
after setting rules in policy, go back to Administration/download and click "Download and update rules"
Another good source:
https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/
Logged
someone
Full Member
Posts: 115
Karma: 2
Re: How to enable via Policy and Rules useful Suricata IDS Rules (SIDs)
«
Reply #7 on:
October 06, 2024, 07:00:14 pm »
I run all rules
Except when you want certain social media, or paypal, you need to create another policy to allow those, other words disable rules that block it
So I disable one policy and enable another depending on what I want to do.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
How to enable via Policy and Rules useful Suricata IDS Rules (SIDs)