---
title: OpnSense-IDS/IPS
description: IDS
published: true
date: 2026-02-23T21:51:49.920Z
tags:
editor: markdown
dateCreated: 2026-02-23T21:49:16.861Z
---

# Suricata IDS/IPS

**Service:** Suricata Intrusion Detection & Prevention System
**Host:** OPNsense firewall
**Interfaces:** ATT (opt1) — add WAN (igc0) while still active
**Mode:** IPS (inline blocking)
**Rulesets:** ET Open, Feodo Tracker, Abuse.ch SSL

---

## Overview

Suricata is OPNsense's built-in deep packet inspection engine. Unlike CrowdSec (which blocks based on IP reputation) and GeoIP (which blocks by country), Suricata inspects the **content** of traffic — detecting exploit patterns, malware C2 communication, vulnerability scans, and known CVE exploitation attempts in real time.

The three layers complement each other and do not overlap:

| Layer | Tool | What It Stops |
|---|---|---|
| IP reputation | CrowdSec | Known bad IPs from community threat intel |
| Geography | GeoIP | Traffic from blocked countries |
| Content inspection | Suricata | Malicious payloads, exploit patterns, C2 traffic |

Suricata uses **Netmap** for high-performance inline packet processing with minimal CPU overhead.

> ⚠ **Before enabling IPS mode:** Disable hardware offloading on your interfaces or Netmap will not function correctly. This is done in **Interfaces → Settings**.

---

## Prerequisite: Disable Hardware Offloading

1. Go to **Interfaces → Settings**
2. Disable the following options:
   - Hardware CRC
   - Hardware TSO
   - Hardware LRO
   - VLAN Hardware Filtering
3. Click **Save**
4. Reboot the firewall

> ✓ This is a one-time change. It has no meaningful impact on performance for home/small business use and is required for Suricata IPS mode to function.

---

## Installation

Suricata is built into OPNsense — no plugin install required.

Navigate directly to: **Services → Intrusion Detection → Administration**

---

## Configuration

### Step 1 — General Settings

Navigate to **Services → Intrusion Detection → Administration**

| Setting | Value | Notes |
|---|---|---|
| Enabled | ✓ | Turns on the IDS/IPS engine |
| IPS Mode | ✓ | Enables inline blocking (not just alerting) |
| Promiscuous Mode | Leave default | Only needed for mirrored traffic setups |
| Default Packet Size | Leave default | Auto-detected |
| Interfaces | ATT, WAN | Add both while dual-WAN is active; remove WAN after migration |
| Home Networks | 192.168.3.0/24, 192.168.5.0/24, 192.168.32.0/24 | Your internal subnets — critical for rule accuracy |
| Log Level | Info | |
| Log Retention | 7 days | Adjust based on disk space |

> ⚠ **Home Networks is critical.** Suricata rules use `$HOME_NET` and `$EXTERNAL_NET` to determine direction. If your internal subnets are not listed here, many rules will fail to trigger correctly or will produce false positives.

Click **Apply** after setting these values.

### Step 2 — Download Rulesets

Navigate to **Services → Intrusion Detection → Download**

Enable the following rulesets:

| Ruleset | Provider | Priority | Notes |
|---|---|---|---|
| ET Open | Proofpoint Emerging Threats | 🔴 Essential | Comprehensive free ruleset — 40,000+ rules covering exploits, malware, scanning, C2 |
| Abuse.ch SSL Blacklist | Abuse.ch | 🔴 Essential | Blocks connections to malicious SSL certificates used by malware |
| Feodo Tracker Botnet | Abuse.ch | 🔴 Essential | Blocks botnet C2 IP communication |
| OSIF | OPNsense | 🟡 Recommended | OPNsense internal feed |
| PT Research | Positive Technologies | 🟡 Recommended | Additional threat intelligence |

To enable each ruleset:

1. Find it in the list
2. Toggle the **Enabled** switch
3. Click **Download & Update Rules** at the top of the page

> ✓ ET Open is the most important ruleset. It is maintained by Proofpoint, updated daily, and covers the vast majority of common attack patterns you will encounter.

### Step 3 — Configure Policies

Policies control what Suricata does when a rule matches — alert only, or drop the packet.

Navigate to **Services → Intrusion Detection → Policy**

**Recommended policy setup:**

Add the following policies in order:

**Policy 1 — Drop high-severity ET threats**

| Field | Value |
|---|---|
| Description | Drop ET High Severity |
| Priority | 1 |
| Rulesets | ET Open |
| Action | Drop |
| Severity | ≥ High |

**Policy 2 — Alert on medium-severity (tuning period)**

| Field | Value |
|---|---|
| Description | Alert ET Medium |
| Priority | 2 |
| Rulesets | ET Open |
| Action | Alert |
| Severity | Medium |

**Policy 3 — Drop all Feodo/Abuse.ch matches**

| Field | Value |
|---|---|
| Description | Drop Botnet C2 and SSL Blacklist |
| Priority | 1 |
| Rulesets | Feodo Tracker, Abuse.ch SSL |
| Action | Drop |
| Severity | Any |

> ✓ Start with medium-severity rules in **alert** mode for the first 1–2 weeks. Review alerts in the log for false positives before switching to drop. High-severity rules and the Abuse.ch lists are safe to drop immediately.

### Step 4 — Apply and Verify

1. Click **Apply** on the Administration tab
2. Navigate to **Services → Intrusion Detection → Alerts**
3. Wait a few minutes — alerts should begin populating
4. Check **Services → Intrusion Detection → Stats** to confirm traffic is being processed

---

## Tuning & False Positives

After running in alert mode for a week, review the Alerts tab. Common false positives from home lab environments include:

- **Nextcloud sync traffic** — may trigger file transfer rules
- **Torrents/P2P** — will trigger multiple ET rules by design
- **Internal port scanning tools** — Nmap from internal hosts triggers scan rules

To suppress a false positive rule without disabling it entirely:

1. Note the rule SID from the alert
2. Go to **Services → Intrusion Detection → Rules**
3. Search for the SID
4. Change the rule action to **Alert** (instead of Drop) for that specific rule

Alternatively, add a suppression in **Services → Intrusion Detection → Suppressions**:

- Enter the SID
- Set the direction (source or destination)
- Enter the IP to suppress for that rule

---

## Monitoring

### Alert Dashboard

**Services → Intrusion Detection → Alerts** — real-time view of matched rules.

Useful filters:

- Filter by `severity: high` to see the most critical events
- Filter by `action: drop` to see what is being actively blocked
- Filter by source IP to investigate a specific host

### Graylog Integration

Forward Suricata alerts to Graylog for centralized analysis:

1. Suricata logs to `/var/log/suricata/eve.json` in EVE JSON format
2. In Graylog, add a **Beats input** or **Syslog UDP input**
3. In OPNsense **System → Settings → Logging → Remote**, add Graylog as syslog target
4. Create a Graylog stream filtering on `application_name: suricata`

---

## Key Files & Paths

| Path | Purpose |
|---|---|
| `/var/log/suricata/eve.json` | EVE JSON alert log — used by Graylog |
| `/var/log/suricata/stats.log` | Performance statistics |
| `/usr/local/etc/suricata/suricata.yaml` | Main config (managed by OPNsense UI) |
| `/usr/local/share/suricata/rules/` | Downloaded rulesets |

---

## Related Documentation

- [OPNsense Firewall](./opnsense-firewall) — parent firewall documentation
- [CrowdSec](./crowdsec) — complementary IP reputation layer
- [Additional Blocklists](./opnsense-blocklists) — Feodo, Abuse.ch, ET IP blocklists at firewall level
- [Graylog](./graylog) — centralized log target for Suricata alerts
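## Worked Example: Triaging `eve.json` Before Switching Medium Rules to Drop

The Tuning & False Positives and Monitoring sections both come down to reading `/var/log/suricata/eve.json` and deciding which rules are safe to move from Alert to Drop. The script below is an added example for this page; it is not code from OPNsense, Suricata or this wiki. It parses EVE alert records, classifies each flow against the Home Networks from the Administration tab the same way `$HOME_NET`/`$EXTERNAL_NET` rules see direction, groups alerts by SID, and lists the rules that keep firing only between internal hosts while still in alert-only mode: those are the ones to review (and suppress per source IP if benign) before flipping Policy 2 to Drop. The EVE records, the signature IDs (taken from the local SID range) and the `SAMPLE_EVE` name are constructed for the example; the subnets are the ones configured on this page.

```python
"""Triage Suricata EVE JSON alerts before moving rules from Alert to Drop.

Added example for this page; not OPNsense or Suricata code. The records in
SAMPLE_EVE are constructed, as are the signature IDs (local SID range).
"""
import json
import ipaddress
from collections import defaultdict

# Home Networks as entered on the Administration tab; Suricata maps these to $HOME_NET.
HOME_NETS = [ipaddress.ip_network(n) for n in
             ("192.168.3.0/24", "192.168.5.0/24", "192.168.32.0/24")]

# Constructed stand-in for /var/log/suricata/eve.json: one JSON object per line,
# mixed event types, plus one malformed line the parser must skip.
SAMPLE_EVE = """\
{"timestamp":"2026-02-23T21:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.168.3.20","dest_port":445,"proto":"TCP","alert":{"action":"blocked","signature_id":1000001,"rev":1,"signature":"CONSTRUCTED EXPLOIT inbound SMB probe","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2026-02-23T21:00:05.000000+0000","event_type":"alert","src_ip":"192.168.5.7","dest_ip":"192.168.3.20","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":1000002,"rev":1,"signature":"CONSTRUCTED SCAN internal port sweep","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2026-02-23T21:00:06.000000+0000","event_type":"alert","src_ip":"192.168.5.7","dest_ip":"192.168.3.21","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":1000002,"rev":1,"signature":"CONSTRUCTED SCAN internal port sweep","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2026-02-23T21:00:09.000000+0000","event_type":"flow","src_ip":"192.168.3.20","dest_ip":"198.51.100.5","proto":"TCP"}
{"timestamp":"2026-02-23T21:00:12.000000+0000","event_type":"alert","src_ip":"192.168.3.20","dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":1000003,"rev":1,"signature":"CONSTRUCTED CNC outbound C2 beacon","category":"A Network Trojan was detected","severity":1}}
this line is not JSON and must be skipped
"""

# EVE "severity" is numeric: 1 = high, 2 = medium, 3 = low.
SEVERITY_NAME = {1: "high", 2: "medium", 3: "low"}


def in_home_net(ip: str) -> bool:
    """True if the address falls inside one of the configured Home Networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NETS)


def direction(src_ip: str, dest_ip: str) -> str:
    """Classify a flow the way $HOME_NET / $EXTERNAL_NET rules see it."""
    src_home, dst_home = in_home_net(src_ip), in_home_net(dest_ip)
    if src_home and dst_home:
        return "internal"
    if dst_home:
        return "inbound"
    if src_home:
        return "outbound"
    return "external"


def parse_eve(text: str) -> list:
    """Return only alert events; other event types and malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert" and "alert" in event:
            alerts.append(event)
    return alerts


def summarize_by_sid(alerts: list) -> dict:
    """Group alerts by signature id: count, severity, actions taken, flow directions, sources."""
    summary = defaultdict(lambda: {"count": 0, "signature": "", "severity": "",
                                   "actions": set(), "directions": set(), "sources": set()})
    for ev in alerts:
        a = ev["alert"]
        entry = summary[a["signature_id"]]
        entry["count"] += 1
        entry["signature"] = a.get("signature", "")
        entry["severity"] = SEVERITY_NAME.get(a.get("severity"), "unknown")
        entry["actions"].add(a.get("action", "unknown"))      # "allowed" or "blocked"
        entry["directions"].add(direction(ev["src_ip"], ev["dest_ip"]))
        entry["sources"].add(ev["src_ip"])
    return dict(summary)


def suppression_candidates(summary: dict, min_count: int = 2) -> list:
    """SIDs firing repeatedly, only between internal hosts, and still alert-only.

    Review these (e.g. internal Nmap or Nextcloud sync) before switching the
    medium-severity policy to Drop; suppress per source IP if they are benign.
    """
    return sorted(sid for sid, e in summary.items()
                  if e["count"] >= min_count
                  and e["directions"] == {"internal"}
                  and e["actions"] == {"allowed"})


def blocked_count(alerts: list) -> int:
    """Number of alerts where IPS mode actually dropped the packet."""
    return sum(1 for ev in alerts if ev["alert"].get("action") == "blocked")


if __name__ == "__main__":
    alerts = parse_eve(SAMPLE_EVE)
    summary = summarize_by_sid(alerts)
    for sid, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"sid {sid} x{e['count']} [{e['severity']}] {e['signature']} "
              f"actions={sorted(e['actions'])} dirs={sorted(e['directions'])} "
              f"sources={sorted(e['sources'])}")
    print("blocked:", blocked_count(alerts))
    print("review before drop:", suppression_candidates(summary))
```

To run it against the live log, replace `SAMPLE_EVE` with the file contents (for example `parse_eve(open("/var/log/suricata/eve.json").read())` on the firewall, or on a copy pulled from Graylog). The `direction()` check is the same test the Home Networks warning in Step 1 is about: if a subnet is missing from that list, traffic from it is classified as `external` or `inbound` here, and Suricata's `$EXTERNAL_NET`-based rules will misfire in exactly the same way.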