====== PFSense - Suricata - Install Suricata - Have Suricata Monitor the WAN Interface ======

Navigate to **Services -> Suricata -> Interfaces**.

Click **Add**.

In **General Settings**:

  * Enable: **Checked**.
  * Interface: **WAN (pppoe0)**.
  * Description: **WAN**.

{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_general_settings.png?800|}}

----

In **Logging Settings**:

  * Send Alerts to System Log: **Not Checked**.
  * Enable Stats Collection: **Not Checked**.
  * Enable HTTP Log: **Checked**.
  * Append HTTP Log: **Checked**.
  * Log Extended HTTP Info: **Checked**.
  * Enable TLS Log: **Not Checked**.
  * Enable File-Store: **Not Checked**.
  * Enable Packet Log: **Not Checked**.

{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_logging_settings.png?800|}}

----

In **EVE Output Settings**:

  * EVE JSON Log: **Not Checked**.

{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_eve_output_settings.png?800|}}

----

In **Alert and Block Settings**:

  * Block Offenders: **Checked**.
  * IPS Mode: **Legacy Mode**.
  * Kill States: **Checked**.
  * Which IP to Block: **Both**.
  * Block On DROP Only: **Not Checked**.

{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_alert_and_block_settings.png?800|}}

----

In **Performance and Detection Engine Settings**:

  * Run Mode: **AutoFP**.
  * Max Pending Packets: **1024**.
  * Detect-Engine Profile: **High**.
  * Pattern Matcher Algorithm: **Auto**.
  * Signature Group Header MPM Context: **Auto**.
  * Inspection Recursion Limit: **3000**.
  * Delayed Detect: **Not Checked**.
  * Promiscuous Mode: **Checked**.
  * Interface PCAP Snaplen: **1518**.

{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_performance_and_detection_engine_settings.png?800|}}

----

In **Networks Suricata Should Inspect and Protect**:

  * Home Net: **default**.
  * External Net: **default**.
  * Pass List: **default**.

{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_networks_suricata_should_inspect_and_protect.png?800|}}

----

In **Alert Suppression and Filtering**:

  * Alert Suppression and Filtering: **WANSuppressList**. Changed from the default.

{{:pfsense:suricata:install_suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_alert_suppression_and_filtering.png?600|}}

----

In **Arguments here will be automatically inserted into the Suricata configuration**:

  * Advanced Configuration Pass-Through: left blank.

{{:pfsense:suricata:pfsense_-_services_-_suricata_-_edit_interface_settings_-_wan_-_arguments_here_will_be_automatically_inserted_into_the_suricata_configuration.png?800|}}

----

===== Set Categories for the WAN Interface to Monitor =====

Click on **WAN Categories**.

In **Select the rulesets (Categories) Suricata will load at startup**:

  * Within each Ruleset, tick the checkbox against each rule file to enable.
  * Ruleset: ET Open Rules:
    * emerging-attack_response.rules
    * emerging-botcc.portgrouped.rules
    * emerging-botcc.rules
    * emerging-ciarmy.rules
    * emerging-coinminer.rules
    * emerging-compromised.rules
    * emerging-current_events.rules
    * emerging-dos.rules
    * emerging-dshield.rules
    * emerging-exploit.rules
    * emerging-malware.rules
    * emerging-mobile_malware.rules
    * emerging-phishing.rules
    * emerging-scan.rules
    * emerging-worm.rules
  * Ruleset: Snort Text Rules:
    * snort_attack-responses.rules
    * snort_backdoor.rules
    * snort_bad-traffic.rules
    * snort_blacklist.rules
    * snort_botnet-cnc.rules
    * snort_ddos.rules
    * snort_dos.rules
    * snort_exploit-kit.rules
    * snort_exploit.rules
    * snort_malware-backdoor.rules
    * snort_malware-cnc.rules
    * snort_malware-other.rules
    * snort_malware-tools.rules
    * snort_phishing-spam.rules
    * snort_policy-spam.rules
    * snort_scan.rules
    * snort_specific-threats.rules
    * snort_spyware-put.rules
    * snort_virus.rules
    * snort_web-attacks.rules

**NOTE:** Do not select all categories, as this will produce too many false positives and take a lot of time to tune.

----

===== Start Suricata on WAN =====

Navigate to **Services -> Suricata -> Interfaces**.

Click the **start** button.

{{:pfsense:suricata:install_suricata:pfsense_-_services_-_suricata_-_interfaces_-_wan_-_start.png?800|}}

----

Return to [[PFSense:Suricata:Install Suricata]] or continue to [[PFSense:Suricata:Install Suricata:Have Suricata Monitor the LAN Interface|Have Suricata Monitor the LAN Interface]].

----
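With **Enable HTTP Log** and **Log Extended HTTP Info** both checked in the Logging Settings above, Suricata writes one line per HTTP transaction to its http.log for the WAN interface. The script below is an added example for reading that log offline, not code from pfSense or the Suricata package; it assumes the extended line layout `timestamp host [**] uri [**] user-agent [**] referer [**] method [**] protocol [**] status [**] length bytes [**] src:port -> dst:port`, and the sample log lines it contains are constructed for the example.

```python
"""Parse Suricata's extended http.log and summarise what the WAN interface saw.

Added example, not part of the pfSense Suricata package. Assumed line layout
(Suricata http.log with "Log Extended HTTP Info"):
  <timestamp> <host> [**] <uri> [**] <user-agent> [**] <referer> [**]
  <method> [**] <protocol> [**] <status> [**] <length> bytes [**]
  <src>:<port> -> <dst>:<port>
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

SEP = " [**] "
ENDPOINT_RE = re.compile(r"^(?P<src>.+?):(?P<sport>\d+) -> (?P<dst>.+?):(?P<dport>\d+)$")

# Constructed sample lines in the assumed layout (not real traffic).
SAMPLE_LOG = """\
05/14/2024-09:12:01.102233 example.com [**] /index.html [**] Mozilla/5.0 (X11; Linux x86_64) [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 5123 bytes [**] 192.0.2.10:51234 -> 203.0.113.5:80
05/14/2024-09:12:02.445566 203.0.113.77 [**] /upd/check.php [**] <useragent unknown> [**] <no referer> [**] POST [**] HTTP/1.1 [**] 404 [**] 0 bytes [**] 192.0.2.10:51236 -> 203.0.113.77:8080
05/14/2024-09:12:03.000001 example.com [**] /logo.png [**] Mozilla/5.0 (X11; Linux x86_64) [**] http://example.com/index.html [**] GET [**] HTTP/1.1 [**] 304 [**] 0 bytes [**] 192.0.2.11:40000 -> 203.0.113.5:80
this is not an http.log line
"""


@dataclass(frozen=True)
class HttpRecord:
    timestamp: str
    host: str
    uri: str
    user_agent: str
    referer: str
    method: str
    protocol: str
    status: int | None   # None when Suricata logged a non-numeric placeholder
    length: int | None
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _to_int(text: str) -> int | None:
    return int(text) if text.isdigit() else None


def parse_http_log_line(line: str) -> HttpRecord | None:
    """Return an HttpRecord for one extended http.log line, or None if it does not match."""
    line = line.rstrip("\n")
    parts = line.split(SEP)
    if len(parts) != 9:
        return None  # not the extended layout, or a truncated line
    ts_host, uri, ua, referer, method, proto, status, length, endpoints = parts
    ts, _, host = ts_host.partition(" ")
    m = ENDPOINT_RE.match(endpoints)
    if not host or not m:
        return None
    return HttpRecord(
        timestamp=ts, host=host, uri=uri, user_agent=ua, referer=referer,
        method=method, protocol=proto, status=_to_int(status),
        length=_to_int(length.split(" ")[0]),
        src_ip=m["src"], src_port=int(m["sport"]),
        dst_ip=m["dst"], dst_port=int(m["dport"]),
    )


def parse_http_log_lines(lines) -> list[HttpRecord]:
    """Parse every line, silently skipping lines that do not match the layout."""
    return [r for r in map(parse_http_log_line, lines) if r is not None]


def summarise(lines) -> dict:
    """Per-host, per-status and per-client counts, the first thing to look at when tuning."""
    records = parse_http_log_lines(lines)
    return {
        "parsed": len(records),
        "hosts": Counter(r.host for r in records),
        "status": Counter(r.status for r in records),
        "clients": Counter(r.src_ip for r in records),
    }


def ip_literal_hosts(records: list[HttpRecord]) -> list[HttpRecord]:
    """Requests whose Host header is a bare IP address; worth a second look during triage."""
    flagged = []
    for r in records:
        try:
            ipaddress.ip_address(r.host)
        except ValueError:
            continue
        flagged.append(r)
    return flagged


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG.splitlines())
    print(f"parsed {stats['parsed']} records")
    print("hosts:", dict(stats["hosts"]))
    print("status:", dict(stats["status"]))
    for rec in ip_literal_hosts(parse_http_log_lines(SAMPLE_LOG.splitlines())):
        print(f"bare-IP host: {rec.src_ip} -> {rec.host}:{rec.dst_port} {rec.method} {rec.uri}")
```

To run it against the real file, replace `SAMPLE_LOG.splitlines()` with the lines of the WAN interface's http.log read from the pfSense box; the parser rejects lines that are not in the extended layout rather than guessing at them, so a change to the logging settings shows up as a drop in the parsed count instead of as wrong data.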