PFSense - Suricata - Install Suricata

Install the Suricata Package

Navigate to System → Package Manager → Available Packages.

Search for suricata.

Install it.

When the installation completes, a Suricata entry appears under the Services menu.


Enable Rule Download

Enter settings to download Snort and ET rules.

Navigate to Services → Suricata → Global Settings.

In Please Choose The Type Of Rules You Wish To Download:

  • Install ETOpen Emerging Threats rules: Checked.
  • Install ETPro Emerging Threats rules: Not Checked.
  • ETPro Subscription Configuration Code: <blank>.
  • Install Snort rules: Checked.
  • Snort Rules Filename: snortrules-snapshot-29170.tar.gz. This must be a snapshot that snort.org still serves for your account; once a snapshot is retired the rule update fails until the filename is changed.
  • Snort Oinkmaster Code: your personal Oinkmaster code from the snort.org account page.
  • Install Snort GPLv2 Community rules: Checked.
  • Hide Deprecated Rules Categories: Not Checked.


In Rules Update Settings:

  • Update Interval: 6 Hours.
  • Update Start Time: 00:10. The default.
  • Live Rule Swap on Update: Checked.
  • GeoLite2 DB Update: Checked.
  • GeoLite2 DB License Key: Enter your personal MaxMind GeoLite2 DB key.


In General Settings:

  • Remove Blocked Hosts Interval: 1 Hour
  • Log to System Log: Not Checked.
  • Keep Suricata Settings After Deinstall: Checked.


Manually update the rules

Navigate to Services → Suricata → Updates.

Click Update.


Have Suricata Monitor the WAN Interface

Navigate to Services → Suricata → Interfaces.

Click Add.

In General Settings:

  • Enable: Checked.
  • Interface: WAN (pppoe0).
  • Description: WAN.


In Logging Settings:

  • Send Alerts to System Log: Not Checked.
  • Enable Stats Collection: Not Checked.
  • Enable HTTP Log: Checked.
  • Append HTTP Log: Checked.
  • Log Extended HTTP Info: Checked.
  • Enable TLS Log: Not Checked.
  • Enable File-Store: Not Checked.
  • Enable Packet Log: Not Checked.


In EVE Output Settings:

  • EVE JSON Log: Not Checked.


In Alert and Block Settings:

  • Block Offenders: Checked.
  • IPS Mode: Legacy Mode. Legacy Mode inspects a copy of each packet and blocks by adding the offending address to a pf table, so the packet that raised the alert is not itself dropped; Inline IPS Mode can drop it, but needs a netmap-capable NIC driver.
  • Kill States: Checked.
  • Which IP to Block: Both. Both the source and the destination of the alerting packet are blocked, so on a WAN interface a single false positive can block a remote host you rely on as well as the local endpoint; only addresses on the pass list are exempt.
  • Block On DROP Only: Not Checked. Left unchecked, every alert blocks, not only rules whose action is drop.


In Performance and Detection Engine Settings:

  • Run Mode: AutoFP.
  • Max Pending Packets: 1024.
  • Detect-Engine Profile: High.
  • Pattern Matcher Algorithm: Auto.
  • Signature Group Header MPM Context: Auto.
  • Inspection Recursion Limit: 3000.
  • Delayed Detect: Not Checked.
  • Promiscuous Mode: Checked.
  • Interface PCAP Snaplen: 1518.


In Networks Suricata Should Inspect and Protect:

  • Home Net: default.
  • External Net: default.
  • Pass List: default.


In Alert Suppression and Filtering:

  • Alert Suppression and Filtering: default.


In Advanced Configuration Pass-Through (arguments entered here are inserted into the Suricata configuration verbatim):

  • Advanced Configuration Pass-Through: <blank>.


Set Categories for the WAN Interface to Monitor

Click on WAN Categories.

In Select the rulesets (Categories) Suricata will load at startup:

  • Within each ruleset, tick the checkbox next to each category you want loaded at startup; the categories below are the ones enabled for this WAN interface.
  • Ruleset: ET Open Rules:
    • emerging-attack_response.rules
    • emerging-botcc.portgrouped.rules
    • emerging-botcc.rules
    • emerging-ciarmy.rules
    • emerging-coinminer.rules
    • emerging-compromised.rules
    • emerging-current_events.rules
    • emerging-dos.rules
    • emerging-dshield.rules
    • emerging-exploit.rules
    • emerging-malware.rules
    • emerging-mobile_malware.rules
    • emerging-phishing.rules
    • emerging-scan.rules
    • emerging-worm.rules
  • Ruleset: Snort Text Rules:
    • snort_attack-responses.rules
    • snort_backdoor.rules
    • snort_bad-traffic.rules
    • snort_blacklist.rules
    • snort_botnet-cnc.rules
    • snort_ddos.rules
    • snort_dos.rules
    • snort_exploit-kit.rules
    • snort_exploit.rules
    • snort_malware-backdoor.rules
    • snort_malware-cnc.rules
    • snort_malware-other.rules
    • snort_malware-tools.rules
    • snort_phishing-spam.rules
    • snort_policy-spam.rules
    • snort_scan.rules
    • snort_specific-threats.rules
    • snort_spyware-put.rules
    • snort_virus.rules
    • snort_web-attacks.rules

Create Lists

Create a Pass List

Navigate to Services → Suricata → Pass List.

ALERT: DO NOT CREATE A PASS LIST!!!

A pass list is another term for a whitelist: traffic to or from a listed address is never blocked, even when it raises an alert.

Some guides suggest creating a list covering the whole home network, but that is dangerous because a compromised internal host could then never be blocked. Leaving Pass List at default on the interface still uses the package's automatically generated list, which carries the firewall's own interface addresses, gateways and DNS servers so that Block Offenders cannot cut off the firewall itself.


Create a Suppress List

Suppress certain Snort and ET signatures, since a fresh install produces a number of false positives.

This is done under Services → Suricata → Suppress.

NOTE: The example here uses a suppress list named WANSuppressList.

In order for this specific list to be used:

  • Navigate to Services → Suricata → Interfaces.
  • Edit the specific interface; in this example WAN.
  • Within WAN Settings, go to Alert Suppression and Filtering and select this suppresslist.
  • Click Save.

Here are some of the signatures that I suppressed:

[screenshot: pf-supp-list-config.png]

On top of the suppress list you can also choose which rule categories to enable under Services → Suricata → Interfaces → WAN Categories:

[screenshot: ps-enable-rules-per]
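What a suppress list actually holds is threshold.config syntax: one suppress line per signature, optionally scoped with track by_src or by_dst to a single address. The script below is an added example, not the page's own list and not code from the pfSense package: it reads a Suricata fast-format alert log (the format of the alerts.log shown later on this page), ranks signatures by how often they fire, and emits suppress lines either globally or scoped to the source hosts that triggered them. The sample alerts embedded in it are constructed for the demo; the SIDs, hosts and messages are illustrative.

```shell
#!/bin/sh
# Added example (not from the pfSense package or this page): turn the noisy
# signatures in a Suricata fast-format alert log, which is what pfSense
# writes to /var/log/suricata/<instance>/alerts.log, into threshold.config
# "suppress" entries that can be pasted into a pfSense suppress list.
# SAMPLE_ALERTS is constructed for the demo, not taken from a real firewall.
SAMPLE_ALERTS='05/01/2016-17:50:01.000001  [**] [1:2210020:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.10:443 -> 198.51.100.7:51234
05/01/2016-17:50:02.000002  [**] [1:2210020:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.10:443 -> 198.51.100.7:51235
05/01/2016-17:50:03.000003  [**] [1:2210020:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.11:443 -> 198.51.100.7:51236
05/01/2016-17:50:04.000004  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.44:80 -> 198.51.100.7:51237
05/01/2016-17:50:05.000005  [**] [1:2210020:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.10:443 -> 198.51.100.7:51238'

# Read fast-format alerts on stdin and print one line per signature,
# "<count> <gid>:<sid> <message>", most frequent first.
count_alerts() {
    awk '
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")   # gid, sid, rev
            key = id[1] ":" id[2]
            rest = substr($0, RSTART + RLENGTH + 1)               # text after "[gid:sid:rev] "
            msg[key] = substr(rest, 1, index(rest, " [**]") - 1)
            n[key]++
        }
        END { for (k in n) print n[k], k, msg[k] }
    ' | sort -rn
}

# Print a global suppress line for each signature that fired at least $1
# times in the alerts on stdin. Global suppression is blunt: it silences the
# rule for every host, so use it for decoder/stream noise, not for threats.
suppress_entries() {
    count_alerts | awk -v min="$1" '
        $1 >= min {
            split($2, id, ":")
            printf "suppress gen_id %s, sig_id %s\n", id[1], id[2]
        }'
}

# Narrower alternative: suppress SID $1 only for the source hosts that
# actually triggered it, so the rule keeps firing for everyone else.
suppress_by_src() {
    awk -v sid="$1" '
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")
            if (id[2] != sid) next
            src = $(NF - 2); sub(/:[0-9]+$/, "", src)            # "{TCP} SRC:PORT -> DST:PORT"
            if (!(src in seen)) {
                seen[src] = 1
                printf "suppress gen_id %s, sig_id %s, track by_src, ip %s\n", id[1], sid, src
            }
        }'
}

# Usage on the firewall (instance directory as in the ls output on this page):
#   suppress_entries 50 < /var/log/suricata/suricata_re034499/alerts.log
#   suppress_by_src 2210020 < /var/log/suricata/suricata_re034499/alerts.log
```

Paste the resulting lines into the suppress list body in the GUI; after assigning the list to the interface and saving, restart the Suricata instance so the new threshold.config is read.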


Enable Barnyard2

Since I already had a snorby setup (and this one), I decided to send the events to the snorby database. This is accomplished under Services → Suricata → Interface → WAN Barnyard2:

[screenshot: pf-barnyard-setup]


Configure Logging And Other Parameters

Now under the main config for the interface let's enable it and set up logging. Under Services → Suricata → Interface → WAN settings I had the following:

[screenshot: pf-interface-sett-1.png]

And down below I enabled the lists that I had created before:

[screenshot: pf-int-assign-supp-pass-list]

I also disabled the HTTP extended logging along with tracked files since I was sending the logs over syslog and the JSON was getting truncated (this will help out later for the ELK setup):

[screenshot: pf-suricat-log-options]


Enable Watchdog

Another optional thing you can do is install Service Watchdog:

[screenshot: pf-watchdog-installed]

And under Services → Service Watchdog enable it to monitor the Suricata service:

[screenshot: pf-service-watchdog-suricata]


Check Out the Config

You can ssh to the pfSense machine and check out all the settings. After it was initialized the machine was pretty idle:

  [2.3-RELEASE][root@pf.kar.int]/root: top -CPz -o cpu -n
  last pid: 69987;  load averages:  0.08,  0.06,  0.07    up 6+07:27:23  17:38:06
  41 processes:  1 running, 40 sleeping

  Mem: 299M Active, 484M Inact, 260M Wired, 383M Buf, 2870M Free
  Swap: 4096M Total, 4096M Free

    PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME     CPU COMMAND
  35582 root        7  20    0   696M   593M uwait   1   8:21   2.78% suricata
  35368 root        1  20    0   134M 99440K nanslp  0  14:56   0.00% barnyard2
  15529 root        1  20    0 16676K  2256K bpf     0   4:54   0.00% filterlog
  22872 root        5  20    0 27300K  2448K accept  1   3:55   0.00% dpinger
  46428 root        1  52   20 17000K  2564K wait    0   3:53   0.00% sh
  37472 unbound     2  20    0 63304K 34280K kqread  1   3:06   0.00% unbound

It looks like it starts a suricata instance per interface:

  [2.3-RELEASE][root@pf.kar.int]/root: ps auwwx | grep suricata
  root  35582  2.9 14.7 713016 607712  -  Ss    2:36PM   8:24.77 /usr/local/bin/suricata -i re0 -D -c /usr/local/etc/suricata/suricata_34499_re0/suricata.yaml --pidfile /var/run/suricata_re034499.pid
  root  35368  0.0  2.4 137684  99440  -  S     2:36PM  14:56.48 /usr/local/bin/barnyard2 -r 34499 -f unified2.alert --pid-path /var/run --nolock-pidfile -c /usr/local/etc/suricata/suricata_34499_re0/barnyard2.conf -d /var/log/suricata/suricata_re034499 -D -q
  root  90667  0.0  0.1  18740   2252  0  S+    5:39PM   0:00.00 grep suricata

And you can check out all the logs under /var/log/suricata/INSTANCE:

  [2.3-RELEASE][root@pf.kar.int]/root: ls -1 /var/log/suricata/suricata_re034499/
  alerts.log
  alerts.log.2016_0501_1750
  barnyard2
  http.log
  suricata.log
  unified2.alert.1462653477

And you will also notice that it creates a cronjob to monitor the services:

  [2.3-RELEASE][root@pf.kar.int]/root: grep watch /etc/crontab
  */1 * * * * root /usr/local/pkg/servicewatchdog_cron.php
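To check the same things from a script rather than by eye, here is an added example (my own, not part of the pfSense package or of this page) of a small health check for the per-interface instances: it reads the suricata_*.pid files, confirms each recorded PID is a live process, and flags instance directories whose alerts.log has gone quiet. The pidfile naming and the /var/run and /var/log/suricata layout follow the ps and ls output above, but both roots are parameters, so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: health check for pfSense's per-interface Suricata instances.
# Layout assumed from the ps/ls output on this page (not verified against
# any other pfSense release):
#   pidfiles  /var/run/suricata_<if><id>.pid
#   log dirs  /var/log/suricata/suricata_<if><id>/alerts.log
# Both roots are parameters, so the check also runs against a scratch tree.

# Succeed only if $1 holds a numeric PID that belongs to a live process.
pidfile_alive() {
    pid=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;      # empty or non-numeric pidfile
    esac
    kill -0 "$pid" 2>/dev/null        # signal 0: existence check only
}

# Print "<pidfile name> alive|dead" for every suricata_*.pid under $1.
check_instances() {
    for f in "$1"/suricata_*.pid; do
        [ -e "$f" ] || continue       # glob matched nothing
        if pidfile_alive "$f"; then
            echo "$(basename "$f") alive"
        else
            echo "$(basename "$f") dead"
        fi
    done
}

# Print instance directories under $1 whose alerts.log is older than $2
# minutes. On a busy WAN a stale alerts.log usually means the instance
# died or was restarted with logging misconfigured, not a quiet link.
stale_logs() {
    find "$1" -mindepth 2 -maxdepth 2 -name alerts.log -mmin +"$2" \
        -exec dirname {} \; | sort
}

# One-shot report: $1 run dir, $2 log root, $3 staleness in minutes.
# Exit status 0 only when every instance is alive and no log is stale.
report() {
    check_instances "$1"
    stale=$(stale_logs "$2" "$3")
    if [ -n "$stale" ]; then
        printf 'stale alerts.log in: %s\n' "$stale"
    fi
    dead=$(check_instances "$1" | awk '/ dead$/ { n++ } END { print n + 0 }')
    [ "$dead" -eq 0 ] && [ -z "$stale" ]
}

# On the firewall: sh this_script.sh --run /var/run /var/log/suricata 60
if [ "${1:-}" = "--run" ]; then
    report "${2:-/var/run}" "${3:-/var/log/suricata}" "${4:-60}"
fi
```

Service Watchdog already restarts a dead Suricata process; this check adds the part the watchdog cannot see, an instance that is running but no longer writing alerts, and its non-zero exit status makes it usable from a remote monitoring job over SSH.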

Last modified: 2021/01/06 12:46 by peter