====== PFSense - Suricata - Install Suricata - Create Suppress Lists ====== To suppress certain snort and ET signatures since initially there a bunch of False Positives. I prefer having different Suppress lists for each interface. ---- ===== Create a Suppress List for the WAN Interface ===== Navigate to **Services -> Suricata -> Suppress**. * Click **Add**. * Name: **WANSuppressList**. * Description: **WAN Suppress List**. * Click **Save**. ---- ===== Create a Suppress List for the LAN Interface ===== Navigate to **Services -> Suricata -> Suppress**. * Click **Add**. * Name: **LANSuppressList**. * Description: **LAN Suppress List**. * Click **Save**. ---- ===== Create a Suppress List for the CLEAR Interface ===== Navigate to **Services -> Suricata -> Suppress**. * Click **Add**. * Name: **ClearSuppressList**. * Description: **Clear Suppress List**. * Click **Save**. ---- ===== Create a Suppress List for the IOT Interface ===== Navigate to **Services -> Suricata -> Suppress**. * Click **Add**. * Name: **IOTSuppressList**. * Description: **IOT Suppress List**. * Click **Save**. ---- ===== Create a Suppress List for the GUEST Interface ===== Navigate to **Services -> Suricata -> Suppress**. * Click **Add**. * Name: **GuestSuppressList**. * Description: **GUEST Suppress List**. * Click **Save**. ---- Return to [[PFSense:Suricata:Install Suricata]] or continue to [[PFSense:Suricata:Install Suricata:Have Suricata Monitor the WAN Interface|Have Suricata Monitor the WAN Interface]]. ---- ===== Pass List ===== **ALERT:** DO NOT CREATE A PASS LIST!!! At **Services -> Suricata -> Pass List**. Realistically, about the only time that you should require a Passlist is if you are running a honeypot host and you actually want bad stuff to find its way to that host. In that situation, a passlist makes sense. For about any other case, it does not. Use custom PASS rules instead if you really need passlist functionality.