pfsense:suricata:install_suricata

Differences

This shows you the differences between two versions of the page.

pfsense:suricata:install_suricata [2021/01/15 13:02] peter
pfsense:suricata:install_suricata [2021/01/22 13:59] (current) – [PFSense - Suricata - Install Suricata] peter
Line 5: Line 5:
   - [[PFSense:Suricata:Install Suricata:Install the Suricata Package|Install the Suricata Package]]   - [[PFSense:Suricata:Install Suricata:Install the Suricata Package|Install the Suricata Package]]
   - [[PFSense:Suricata:Install Suricata:Configure Global Settings|Configure Global Settings]]   - [[PFSense:Suricata:Install Suricata:Configure Global Settings|Configure Global Settings]]
 +  - [[PFSense:Suricata:Install Suricata:Create Suppress Lists|Create Suppress Lists]] 
 +  - [[PFSense:Suricata:Install Suricata:Have Suricata Monitor the WAN Interface|Have Suricata Monitor the WAN Interface]] 
 +  - [[PFSense:Suricata:Install Suricata:Have Suricata Monitor the LAN Interface|Have Suricata Monitor the LAN Interface]]
  
  
 ---- ----
  
-===== Enable Rule Download ===== 
- 
-Enter settings to download Snort and ET rules. 
- 
-Navigate to **Services -> Suricata -> Global Settings**. 
- 
-In **Please Choose The Type Of Rules You Wish To Download**: 
- 
-  * Install ETOpen Emerging Threats rules:  **Checked**. 
-  * Install ETPro Emerging Threats rules:  **Not Checked**. 
-  * ETPro Subscription Configuration Code:  **<blank>**. 
-  * Install Snort rules:  **Checked**. 
-  * Snort Rules Filename:  **snortrules-snapshot-29170.tar.gz**. 
-  * Snort Oinkmaster Code:  **Set this to your personal Oinkmaster Code obtained from your snort account page**. 
-  * Install Snort GPLv2 Community rules:  **Checked**. 
-  * Hide Deprecated Rules Categories:  **Not Checked**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_global_settings_-_please_choose_the_type_of_rules_you_wish_to_download.png?800|}} 
- 
----- 
- 
-In **Rules Update Settings**: 
- 
-  * Update Interval:  **6 Hours**. 
-  * Update Start Time:  **00:10**.  The default. 
-  * Live Rule Swap on Update:  **Checked**. 
-  * GeoLite2 DB Update:  **Checked**. 
-  * GeoLite2 DB License Key:  **Enter your personal MaxMind GeoLite2 DB key**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_global_settings_-_rules_update_settings.png?800|}} 
- 
----- 
- 
-In **General Settings**: 
- 
-  * Remove Blocked Hosts Interval:  **1 Hour** 
-  * Log to System Log:  **Not Checked**. 
-  * Keep Suricata Settings After Deinstall:  **Checked**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_global_settings_-_general_settings.png?800|}} 
- 
----- 
- 
-===== Manually update the rules ===== 
- 
-Navigate to **Services -> Suricata -> Updates**. 
- 
-Click **Update**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_updates.png?800|}} 
- 
----- 
- 
-===== Have Suricata Monitor the WAN Interface ===== 
- 
-Navigate to **Services -> Suricata -> Interfaces**. 
- 
-Click **Add**. 
- 
-In **General Settings**: 
- 
-  * Enable:  **Checked**. 
-  * Interface:  **WAN (pppoe0)**. 
-  * Description:  **WAN**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_general_settings.png?800|}} 
- 
----- 
- 
-In **Logging Settings**: 
- 
-  * Send Alerts to System Log:  **Not Checked**. 
-  * Enable Stats Collection:  **Not Checked**. 
-  * Enable HTTP Log:  **Checked**. 
-  * Append HTTP Log:  **Checked**. 
-  * Log Extended HTTP Info:  **Checked**. 
-  * Enable TLS Log:  **Not Checked**. 
-  * Enable File-Store:  **Not Checked**. 
-  * Enable Packet Log:  **Not Checked**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_logging_settings.png?800|}} 
- 
----- 
- 
-In **EVE Output Settings**: 
- 
-  * EVE JSON Log:  **Not Checked**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_eve_output_settings.png?800|}} 
- 
----- 
- 
-In **Alert and Block Settings**: 
- 
-  * Block Offenders:  **Checked**. 
-  * IPS Mode:  **Legacy Mode**. 
-  * Kill States:  **Checked**. 
-  * Which IP to Block:  **Both**. 
-  * Block On DROP Only:  **Not Checked**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_alert_and_block_settings.png?800|}} 
- 
----- 
- 
-In **Performance and Detection Engine Settings**: 
- 
-  * Run Mode:  **AutoFP**. 
-  * Max Pending Packets:  **1024**. 
-  * Detect-Engine Profile:  **High**. 
-  * Pattern Matcher Algorithm:  **Auto**. 
-  * Signature Group Header MPM Context:  **Auto**. 
-  * Inspection Recursion Limit:  **3000**. 
-  * Delayed Detect:  **Not Checked**. 
-  * Promiscuous Mode:  **Checked**. 
-  * Interface PCAP Snaplen:  **1518**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_performance_and_detection_engine_settings.png?800|}} 
- 
----- 
- 
-In **Networks Suricata Should Inspect and Protect**: 
- 
-  * Home Net:  **default**: 
-  * External Net:  **default**. 
-  * Pass List:  **default**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_networks_suricata_should_inspect_and_protect.png?800|}} 
- 
----- 
- 
-In **Alert Suppression and Filtering**: 
- 
-  * Alert Suppression and Filtering:  **default**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_alert_suppression_and_filtering.png?800|}} 
- 
----- 
- 
-In **Arguments here will be automatically inserted into the Suricata configuration**: 
- 
-  * Advanced Configuration Pass-Through:  **<blank>**. 
- 
-{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_arguments_here_will_be_automatically_inserted_into_the_suricata_configuration.png?800|}} 
- 
----- 
- 
-===== Set Categories for the WAN Interface to Monitor ===== 
- 
-Click on **WAN Categories**. 
- 
-In **Select the rulesets (Categories) Suricata will load at startup**: 
- 
-  * Within each Ruleset, click the checkbox against whichever rules to enable. 
-  * Ruleset: ET Open Rules: 
-    * emerging-attack_response.rules 
-    * emerging-botcc.portgrouped.rules 
-    * emerging-botcc.rules 
-    * emerging-ciarmy.rules 
-    * emerging-coinminer.rules 
-    * emerging-compromised.rules 
-    * emerging-current_events.rules 
-    * emerging-dos.rules 
-    * emerging-dshield.rules 
-    * emerging-exploit.rules 
-    * emerging-malware.rules 
-    * emerging-mobile_malware.rules 
-    * emerging-phishing.rules 
-    * emerging-scan.rules 
-    * emerging-worm.rules 
-  * Ruleset: Snort Text Rules: 
-    * snort_attack-responses.rules 
-    * snort_backdoor.rules 
-    * snort_bad-traffic.rules 
-    * snort_blacklist.rules 
-    * snort_botnet-cnc.rules 
-    * snort_ddos.rules 
-    * snort_dos.rules 
-    * snort_exploit-kit.rules 
-    * snort_exploit.rules 
-    * snort_malware-backdoor.rules 
-    * snort_malware-cnc.rules 
-    * snort_malware-other.rules 
-    * snort_malware-tools.rules 
-    * snort_phishing-spam.rules 
-    * snort_policy-spam.rules 
-    * snort_scan.rules 
-    * snort_specific-threats.rules 
-    * snort_spyware-put.rules 
-    * snort_virus.rules 
-    * snort_web-attacks.rules 
- 
----- 
- 
- 
-===== Create Lists ===== 
- 
- 
-==== Created a Pass List ==== 
- 
-Navigate to **Services -> Suricata -> Pass List**. 
- 
-<WRAP alert> 
-**ALERT:**  DO NOT CREATE A PASS LIST!!! 
- 
-Realistically, about the only time that you should require a Passlist is if you are running a honeypot host and you actually want bad stuff to find its way to that host. 
- 
-In that situation, a passlist makes sense. 
- 
-For about any other case, it does not. 
- 
-Use custom PASS rules instead if you really need passlist functionality. 
- 
-</WRAP> 
- 
- 
----- 
  
 ==== Created a suppress list ==== ==== Created a suppress list ====
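Review bot: the index entries added at Line 5 do not account for every section this revision removes. The new links cover suppress lists and the WAN and LAN interfaces, but the deleted "Enable Rule Download", "Manually update the rules" and "Set Categories for the WAN Interface to Monitor" sections have no visible counterpart in the list; if that content now lives under "Configure Global Settings" and the WAN interface page, say so in the edit summary, otherwise add index entries for them so readers can still find the Oinkmaster/ETOpen download settings and the manual "Update" step. The same applies to the removed pass-list warning ("DO NOT CREATE A PASS LIST!!!" with the honeypot rationale and the advice to use custom PASS rules instead), which is the most security-relevant guidance on the old page and should remain reachable from the index, for example on the "Create Suppress Lists" page. Minor: the removed headings read "Created a Pass List" / "Created a suppress list" while the new index uses the imperative "Create Suppress Lists"; keep the tense consistent when the sections are moved.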
pfsense/suricata/install_suricata.1610715733.txt.gz · Last modified: 2021/01/15 13:02 by peter
