
Enabling Suricata Rules on OPNsense Firewall

Do You Need to Enable Your IPS (Suricata on OPNsense)?

The short answer is no, especially if you have no open ports or port forwards exposing services to the internet. Suricata is an additional layer of defence rather than a requirement: it inspects traffic on the interfaces you assign to it and matches it against signatures for known exploit attempts, malware command-and-control traffic, scans and other suspicious activity. It can only inspect what it can read, so payloads inside TLS connections are not examined.

Backup Your OPNsense Firewall First

Before changes, always back up:

  1. Log in to your OPNsense machine
  2. Go to System > Configuration > Backups
  3. Select Download Configuration

Review the Emerging Threats Open rule categories before enabling them so you know what traffic each one alerts on (and, once its rules are set to drop, blocks).

Enable Emerging Threats (ET) Open Rules in Suricata

Steps:

  1. Log into OPNsense Web GUI
  2. Navigate to Services > Intrusion Detection > Administration
  3. Check Enable at the top if Suricata is off, and select the interfaces to inspect (normally WAN)
  4. Also check IPS Mode so that matching traffic can be dropped inline rather than only logged (IPS mode requires netmap support on the selected interfaces)
  5. Go to Download tab, under Rule Sets
  6. Enable Emerging Threats Open rule sets (enable what you need; more rules use more resources)

Common recommended rule categories:

Category name | Description | Why enable?
emerging-exploit | Known exploit attempts against software vulnerabilities | Catches common attack vectors against patchable software
emerging-malware | Malware communications and payloads | Flags malware control channels and payload delivery
emerging-scan | Network scanning detection | Detects attackers probing your network
emerging-phishing | Phishing URL and traffic detection | Helps stop credential theft and social engineering
emerging-dos | Denial-of-service attack detection | Detects volumetric or targeted DoS attacks
emerging-attack_response | Post-exploitation attacker behaviour | Spots signs of successful compromise, lateral movement or persistence
emerging-botcc* | Botnet command & control | Flags infected hosts talking to known C2 infrastructure
emerging-web_server | Web server attacks | Protects exposed web applications
emerging-ftp / emerging-smtp / emerging-dns / emerging-pop3 | Protocol-specific attacks | Covers common service attack vectors
emerging-snmp | SNMP protocol abuse | Detects misuse of network management protocols
emerging-sql | SQL injection and database attacks | Protects exposed database services

*If available in your rule set.

  7. Click Enable selected, then Download & Update Rules to fetch the selected rule sets
  8. Go to the Rules tab and enable or disable individual rules as required. Rules default to the alert action even with IPS Mode on; set the action to drop for the rules (or, under the Policies tab, the categories) you want blocked rather than only logged
  9. Schedule weekly automatic updates under the Schedule tab, for example every Sunday at midnight:

Minutes: 0

Hours: 0

Day of the month: *

Months: *

Days of the week: 0

  10. Save and apply changes.

Verify Emerging Threats is Working

  1. Enable SSH under System > Settings > Administration
  2. SSH into OPNsense:
ssh <username>@<opnsense_ip>
  3. Select option 8 for shell
  4. Run the test request (plain HTTP on purpose; Suricata cannot inspect the payload of a TLS connection):
curl http://testmynids.org/uid/index.html
  5. Check Services > Intrusion Detection > Administration > Alerts in the OPNsense dashboard. The response trips the GPL ATTACK_RESPONSE "id check returned root" signature from the emerging-attack_response category, so that rule set must be enabled for an alert to appear. If the alert is logged with action allowed rather than blocked, the rule is still alert-only and is not dropping traffic
  6. Disable SSH in the OPNsense dashboard if no longer needed.

Suricata now monitors your traffic using community-maintained Emerging Threats Open threat signatures.

