
Block P2P Traffic with pfSense using Suricata IPS

by sandeep sandeep

With the introduction of Suricata IPS in pfSense, we have better control over application filtering. Suricata has better performance thanks to its multi-threaded approach. Also, with pfSense version 2.3, it can work in either legacy mode or in-line mode. In-line mode gives better performance results as it does not need to copy the packets for inspection. It can also drop the packets before they are processed by the pfSense ‘pf’ rules. That is a real advantage over Snort and over the legacy mode of Suricata itself.

Below are the steps required to make Suricata work with pfSense.

1. a. Make sure the prerequisites for Suricata are in place. Suricata works with most standard network cards which support ‘netmap’ functionality. Most Intel cards with ‘em’ or ‘igb’ interface names will support this.

   b. Make sure the following options are selected under System > Advanced > Networking:

      i) Disable hardware checksum offload.

      ii) Disable hardware TCP segmentation offload.

      iii) Disable hardware large receive offload.

2. Install Suricata IPS through the Package Manager.

3. Once this is enabled, the ‘Suricata’ sub-menu will appear under the Services drop-down menu. First we need to set the Global Settings of Suricata as below. Please note that the Oinkmaster code is the auto-generated API key found under your snort.org login profile. After pasting it in, enable logging and set the update interval to 1 day.

4. After this you need to manually update the rule-set from the Updates menu to make sure the updates are getting loaded into the rule-sets. A working update will look as below.

5. Next are the important configuration options to enable IPS on the interfaces we require. I would suggest enabling it on both the LAN and WAN interfaces to have better control over the traffic.

6. On each interface, make sure that you select ‘Block Offenders’ and select the IPS mode as ‘Inline Mode’. Other settings can be left at their defaults.

7. Make sure that the default IPS policy selection is unchecked so that only the required category is enabled. In our case we want to do only P2P inspection, as below.

8. Under ‘WAN/LAN Rules’, select all categories other than Emerging P2P rules and click ‘Disable All’ to avoid any false-positive traffic blocking. This step is very important if you are testing this in a production environment.


9. Select Emerging P2P Rules and click ‘Enable All’. You also need to go through each rule and change the rule action from the default Alert to Drop, as below.

10. Repeat these changes on all the interfaces. Other settings on the interfaces can be left at their defaults. Apply the rules and restart the Suricata service to make sure the changes are applied and the service is running with the new changes.

11. Now you can start a torrent client and try downloading any file. You may notice that Suricata drops it from the first packet itself.

12. Under the Alerts tab, you will be able to see that packets are getting dropped. Since we run it in inline mode, both the alerts and the dropped packets will be visible only on the ‘Alerts’ menu, as below.

13. Once we enable logs on each interface, a detailed log output is visible under the Logs view.
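The step 9 change (Emerging P2P rules enabled and switched from Alert to Drop) is done rule by rule in the pfSense GUI; as an added example that is not from the original post, the script below applies the same change to a Suricata rule file offline, so the result can be reviewed before it is loaded. It assumes the Emerging Threats convention that P2P rule messages start with "ET P2P" and that disabled rules are commented out with a leading "#"; the sample rules and their SIDs are constructed placeholders, not real ET rules.

```python
import re

# Constructed sample in the style of an Emerging Threats P2P rule file
# (placeholder SIDs, not real ET rules). A leading "# " marks a disabled rule.
SAMPLE_RULES = """\
# Emerging Threats P2P rules (constructed sample for this example)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P sample BitTorrent handshake"; flow:established,to_server; content:"|13|BitTorrent protocol"; sid:9000001; rev:1;)
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P sample DHT ping"; content:"d1|3a|ad2|3a|id20|3a|"; sid:9000002; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P sample already dropping"; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY sample not P2P"; sid:9000004; rev:1;)
"""

# Optional "#" prefix (disabled rule), then the action keyword, then the rest of the rule.
RULE_RE = re.compile(r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<rest>.*)$')
MSG_RE = re.compile(r'msg:"([^"]*)"')


def set_drop_action(rule_text, msg_prefix="ET P2P", enable_disabled=True):
    """Return (rewritten rule text, stats).

    Only rules whose msg starts with msg_prefix are touched: their action becomes
    'drop', and commented-out rules are re-enabled when enable_disabled is True
    (the GUI equivalent of 'Enable All' followed by Alert -> Drop in step 9).
    Comment lines, blank lines and rules from other categories pass through unchanged.
    """
    out, stats = [], {"changed": 0, "enabled": 0, "skipped": 0}
    for line in rule_text.splitlines():
        m = RULE_RE.match(line)
        msg = MSG_RE.search(line)
        if not m or not msg or not msg.group(1).startswith(msg_prefix):
            out.append(line)                      # not a rule, or not our category
            if m and msg:
                stats["skipped"] += 1
            continue
        disabled = bool(m.group("disabled"))
        if disabled and not enable_disabled:
            out.append(line)                      # leave disabled rules alone
            stats["skipped"] += 1
            continue
        if disabled:
            stats["enabled"] += 1
        if m.group("action") != "drop":
            stats["changed"] += 1
        out.append("drop " + m.group("rest"))     # normalise the action to drop
    return "\n".join(out) + "\n", stats


if __name__ == "__main__":
    text, stats = set_drop_action(SAMPLE_RULES)
    print(text)
    print(stats)                                  # {'changed': 2, 'enabled': 1, 'skipped': 1}
```

The rewritten file still has to be loaded through pfSense's own rule management; the script only produces the reviewed rule text.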
