Traffic Blocking Using IPS on pfSense
Suricata IPS
by sandeep sandeep
With the introduction of Suricata IPS in pfSense, we have better control over application filtering.
Suricata performs better thanks to its multi-threaded design. Also, with pfSense version 2.3, it can
work in either legacy mode or inline mode. Inline mode gives better performance because packets need
not be copied for inspection, and it can drop packets before they are processed by the pfSense 'pf'
rules. That is a real advantage over Snort and over the legacy mode of Suricata itself.
Below are the steps required to get Suricata working with pfSense.
1. a. Make sure the prerequisites for Suricata are in place. Suricata works with most standard
network cards that support 'netmap' functionality. Most Intel cards with 'em' or 'igb'
interface names support this.
b. Make sure the following options are selected under System > Advanced >
Networking.
3. Once this is enabled, the 'Suricata' sub-menu will appear under the Services
drop-down menu. First we need to set the Global Settings of Suricata as below.
Please note that the Oinkmaster code is the auto-generated API key found under
your snort.org login profile. After pasting the content, enable logging and select
4. After this you need to manually update the rule-set from the Updates menu to
make sure the updates are getting loaded into the rule-sets. A working update will
look as below.
we required. I would suggest enabling it on both the LAN and WAN interfaces
to have better control over the traffic.
6. On each interface, make sure that you select 'Block Offenders' and set the
IPS mode to 'Inline Mode'. Other settings can be left at their defaults.
7. Make sure that the default IPS policy selection is unchecked to enable only the
8. Under 'WAN/LAN Rules', select all categories other than the Emerging P2P rules
and select 'Disable All' to avoid any false-positive traffic blocking. This step is
through each rule and change the rule action from the default Alert to Drop as below.
10. Repeat these changes on all the interfaces. Other settings on the interfaces
can be left at their defaults. Apply the rules and restart the Suricata service to make sure
11. Now you can start the torrent client and try downloading any file. You may
notice that Suricata drops it from the very first packet.
12. Under the Alerts tab, you will be able to see that packets are getting dropped.
Since we run it in inline mode, both the alerts and the dropped packets will be visible
in the logs view.
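The Alert-to-Drop change made per rule in the GUI above amounts to rewriting the action keyword at the start of each enabled Suricata rule; in inline mode a "drop" rule blocks the matching packet, while "alert" only logs it. The following shell snippet is an added example, not from the original document or the pfSense Suricata package: it takes a rules file in standard Suricata rule syntax, rewrites every enabled "alert" rule to "drop", and leaves commented-out (disabled) rules untouched so they stay disabled. The sample rule lines, SIDs and file path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original document). Bulk-convert enabled
# "alert" rules in a Suricata rules file to "drop" so that, in inline mode,
# matching traffic is blocked rather than only logged. Disabled rules
# (lines starting with "#") are deliberately left as they are.

# Write a constructed sample rules file to the path given as $1.
# The SIDs below are placeholders, not real Emerging Threats rule IDs.
make_sample_rules() {
  cat > "$1" <<'EOF'
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"sample P2P rule 1"; sid:9000001; rev:1;)
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"sample disabled rule"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample P2P rule 3"; sid:9000003; rev:1;)
EOF
}

# Rewrite the action keyword of every enabled rule from "alert" to "drop".
# Only lines that begin with "alert " are touched, so commented-out rules
# keep their "# alert" prefix and remain disabled. A .bak copy is kept.
alert_to_drop() {
  sed -i.bak -e 's/^alert /drop /' "$1"
}

# Count enabled "drop" rules in a file (grep -c prints 0 and exits 1 when
# nothing matches, so "|| true" keeps the count usable under "set -e").
count_drop_rules() {
  grep -c '^drop ' "$1" || true
}

# Count enabled "alert" rules in a file.
count_alert_rules() {
  grep -c '^alert ' "$1" || true
}

# Stand-alone usage: build the sample file, convert it, and report the counts.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  make_sample_rules "$f"
  echo "before: $(count_alert_rules "$f") alert / $(count_drop_rules "$f") drop"
  alert_to_drop "$f"
  echo "after:  $(count_alert_rules "$f") alert / $(count_drop_rules "$f") drop"
  rm -f "$f" "$f.bak"
fi
```

Note that the pfSense Suricata package regenerates its rule files from the settings stored in the GUI, so a direct edit of those files does not persist across a rule update; the snippet is meant to show what the per-rule Alert-to-Drop toggle changes in the rule text, and it is useful for checking a rule set you maintain yourself before loading it.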