With the introduction of the Suricata IPS package in pfSense, we have better control over application filtering. Suricata also performs better thanks to its multi-threaded design. From pfSense version 2.3 onward, the package can run in either legacy mode or inline mode. Inline mode gives better performance because packets do not have to be copied for inspection, and it can drop packets before they are processed by the pfSense 'pf' rules. In legacy mode the offending packet has already been forwarded by the time the offender's address is added to the block table, so the first packets of a flow always get through; in inline mode the packet itself is dropped. That really is an advantage over Snort and over Suricata's own legacy mode.
Below are the steps required to get Suricata working with pfSense.
1. Make sure the prerequisites for Suricata are in place.
a. Inline mode relies on the 'netmap' functionality of the network driver, so the card must be handled by a netmap-capable driver. Most standard network cards are; Intel cards with 'em' or 'igb' interface names will support this.
b. Make sure the following options are checked under System > Advanced >
i) Disable hardware checksum offload.
ii) Disable hardware TCP segmentation offload.
iii) Disable hardware large receive offload.
With these offloads left on, the packets netmap hands to Suricata carry incomplete checksums or exceed the MTU, and inline inspection does not work reliably.
2. Install the Suricata package through System > Package Manager.
3. Once it is installed, the 'Suricata' entry appears under the Services
drop-down menu. First we need to set the Global Settings of Suricata as below.
Please note that the Oinkmaster code is the auto-generated API key (Oinkcode) shown under
your snort.org login profile; it is only needed for the Snort VRT rules, while the
Emerging Threats Open rules used for the P2P blocking below need no key. After pasting the code, enable logging and set the
update interval to 1 day.
4. After this you need to manually update the rule set from the Updates tab to
make sure the updates are actually loaded into the rule sets. A successful update
looks as below.
5. Next come the important configuration options: enabling IPS on the interfaces
we require. I would suggest enabling it on both the LAN and WAN interfaces
to have better control over the traffic. Keep in mind that outbound traffic on WAN has already been NATed, so
WAN alerts show the firewall's public address as the source; the LAN interface is the one
that tells you which internal host is running the client.
6. On each interface, make sure that you check 'Block Offenders' and select
7. Make sure that the default IPS policy selection is unchecked so that only the
required categories are enabled. In our case we only want P2P inspection, as below.
8. Under 'WAN/LAN Rules', select each category other than the Emerging P2P rules
in turn and click 'Disable All', to avoid any false-positive blocking of legitimate traffic. This step is
very important if you are testing this in a production environment.
9. Select the Emerging P2P rules and click 'Enable All'. You also need to go
through each rule and change its action from the default Alert to Drop, as below. In inline mode
only a rule whose action is Drop actually blocks; a rule left at Alert just logs. If your version of the
package has the SID Mgmt tab, a Drop SID list can switch the whole category at once instead of clicking each rule.
10. Repeat these changes on all the interfaces. Other settings on the interfaces
can stay at their defaults. Apply the rules and restart the Suricata service to make sure the
changes are applied and the service is running with the new configuration.
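Steps 8 to 10 change rule actions one at a time in the GUI. The following is an added example, not code from the pfSense Suricata package: it performs the same Alert-to-Drop change in memory on a Suricata rule file so you can see what a rule line looks like before and after, and it leaves commented-out (disabled) rules alone. The sample rules are constructed in Suricata/Emerging Threats syntax with hypothetical SIDs (9000001 to 9000004), not real ET signatures. Note that the package regenerates its rule files on every update, so hand edits on the box itself do not survive; the GUI (or a SID Mgmt list) is the place to make the change persistent.

```python
"""Switch enabled rules in a category from 'alert' to 'drop' (added example)."""
import re

# Header of a Suricata rule: optional '#' (rule disabled), then the action keyword.
RULE_HEADER_RE = re.compile(r"^(?P<disabled>#\s*)?(?P<action>alert|drop|reject|pass)\s+(?P<rest>\S.*)$")
SID_RE = re.compile(r"\bsid\s*:\s*(?P<sid>\d+)\s*;")

# Constructed sample in emerging-p2p style (hypothetical SIDs, not real ET signatures).
SAMPLE_RULES = "\n".join([
    "# Constructed sample rules for illustration",
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE P2P BitTorrent handshake"; flow:established,to_server; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:9000001; rev:1;)',
    'alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE P2P DHT ping"; content:"d1|3a|ad2|3a|id20|3a|"; depth:12; classtype:policy-violation; sid:9000002; rev:1;)',
    '# alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"EXAMPLE P2P default port range"; classtype:policy-violation; sid:9000003; rev:1;)',
    'drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE P2P tracker announce"; flow:established,to_server; content:"GET /announce?"; depth:14; classtype:policy-violation; sid:9000004; rev:1;)',
])


def convert_actions(rules_text, new_action="drop", skip_sids=()):
    """Return (rewritten_rules, list_of_changed_sids).

    - Commented-out rules (disabled in the GUI) are left untouched: turning them
      on by accident would be worse than leaving them alone.
    - Rules already at new_action are left untouched.
    - SIDs in skip_sids keep their current action; use this for rules you have
      identified as false positives on your network.
    """
    out, changed = [], []
    for line in rules_text.splitlines():
        m = RULE_HEADER_RE.match(line)
        if m is None or m.group("disabled") or m.group("action") == new_action:
            out.append(line)
            continue
        sid_match = SID_RE.search(line)
        sid = int(sid_match.group("sid")) if sid_match else None
        if sid in skip_sids:
            out.append(line)
            continue
        out.append(f"{new_action} {m.group('rest')}")
        changed.append(sid)
    return "\n".join(out) + "\n", changed


def action_counts(rules_text):
    """Count enabled rules per action, to confirm nothing is left at 'alert'."""
    counts = {}
    for line in rules_text.splitlines():
        m = RULE_HEADER_RE.match(line)
        if m and not m.group("disabled"):
            counts[m.group("action")] = counts.get(m.group("action"), 0) + 1
    return counts


if __name__ == "__main__":
    new_text, changed = convert_actions(SAMPLE_RULES)
    print(f"changed SIDs: {changed}")
    print(f"before: {action_counts(SAMPLE_RULES)}  after: {action_counts(new_text)}")
    print(new_text)
```

Running it against a real category file (for example a copy of emerging-p2p.rules) and checking that `action_counts` reports no remaining `alert` entries is a quick way to confirm step 9 was completed before you start the test in step 11.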
11. Now you can start the torrent client and try downloading a file. You may
12. Under the Alerts tab, you will be able to see that packets are getting dropped.
Since we run it in inline mode, both the alerts and the dropped packets are visible
only in the 'Alerts' tab, as below (the Blocks tab is only populated in legacy mode, where blocking works by adding the offender's address to a pf table).
13. Once we enable logs on each interface, detailed log output is visible under
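The Alerts tab in step 12 shows one row per event, which gets hard to read once several hosts are involved. The following is an added example, not code from the pfSense Suricata package: it reads Suricata's EVE JSON output (one JSON object per line, the format Suricata writes to eve.json; this assumes you enabled EVE logging in the interface's log settings in step 13), attributes each alert to the internal host, counts how many were actually dropped, and flags any signature that fired with action "allowed", which in inline mode means that rule is still at Alert rather than Drop. The records are constructed with hypothetical SIDs and RFC 5737 documentation addresses; the HOME_NETS list is an assumption to adjust to your own HOME_NET.

```python
"""Summarise EVE JSON alerts per internal host and flag rules that did not drop (added example)."""
import ipaddress
import json
from collections import defaultdict

# Assumed internal ranges (RFC 1918); match these to HOME_NET on your pfSense box.
HOME_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]


def _alert(ts, src, sport, dst, dport, action, sid, signature, proto="TCP"):
    """Build one constructed EVE alert record using Suricata's field names."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "proto": proto,
        "src_ip": src, "src_port": sport, "dest_ip": dst, "dest_port": dport,
        "alert": {"action": action, "gid": 1, "signature_id": sid, "rev": 1,
                  "signature": signature, "category": "Potential Corporate Privacy Violation",
                  "severity": 1},
    })


# Constructed sample log: hypothetical SIDs, documentation addresses.
SAMPLE_EVE = "\n".join([
    _alert("2016-05-01T10:00:01.000000+0000", "192.168.1.10", 51413, "203.0.113.5", 6881, "blocked", 9000001, "EXAMPLE P2P BitTorrent handshake"),
    _alert("2016-05-01T10:00:02.000000+0000", "192.168.1.10", 51413, "203.0.113.6", 6881, "blocked", 9000001, "EXAMPLE P2P BitTorrent handshake"),
    _alert("2016-05-01T10:00:03.000000+0000", "203.0.113.9", 40000, "192.168.1.10", 51413, "blocked", 9000002, "EXAMPLE P2P DHT ping", proto="UDP"),
    _alert("2016-05-01T10:00:04.000000+0000", "192.168.1.20", 40123, "198.51.100.7", 80, "allowed", 9000005, "EXAMPLE P2P tracker announce"),
    # A non-alert event type, which the summary must ignore.
    json.dumps({"timestamp": "2016-05-01T10:00:05.000000+0000", "event_type": "flow",
                "src_ip": "192.168.1.20", "dest_ip": "198.51.100.7"}),
])


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NETS)


def summarize_alerts(eve_text):
    """Return (per_host, still_alert).

    per_host maps each internal address to counts of blocked and allowed alerts
    plus the set of SIDs that fired on its traffic. still_alert maps SIDs whose
    packets were not dropped to their signature text.
    """
    per_host = defaultdict(lambda: {"blocked": 0, "allowed": 0, "sids": set()})
    still_alert = {}
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        src, dst = rec["src_ip"], rec["dest_ip"]
        # Attribute the alert to the internal endpoint regardless of direction.
        host = src if is_internal(src) else (dst if is_internal(dst) else src)
        alert = rec["alert"]
        action = alert.get("action", "allowed")
        per_host[host]["blocked" if action == "blocked" else "allowed"] += 1
        per_host[host]["sids"].add(alert["signature_id"])
        if action != "blocked":
            still_alert[alert["signature_id"]] = alert["signature"]
    return dict(per_host), still_alert


if __name__ == "__main__":
    hosts, still_alert = summarize_alerts(SAMPLE_EVE)
    for host, stats in sorted(hosts.items()):
        print(f"{host}: blocked={stats['blocked']} allowed={stats['allowed']} sids={sorted(stats['sids'])}")
    for sid, sig in still_alert.items():
        print(f"WARNING: sid {sid} ({sig}) fired but did not drop; set its action to Drop")
```

On the sample data the host 192.168.1.10 shows three blocked alerts and nothing allowed, while SID 9000005 is reported as still alerting: that is the check to run after step 11, because any P2P signature that appears with action "allowed" was missed in step 9.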