| title | description | published | date | tags | editor | dateCreated |
|---|---|---|---|---|---|---|
| OpnSense-IDS/IPS | IDS | true | 2026-02-23T21:51:49.920Z | | markdown | 2026-02-23T21:49:16.861Z |
Suricata IDS/IPS
- Service: Suricata Intrusion Detection & Prevention System
- Host: OPNsense firewall
- Interfaces: ATT (opt1) — add WAN (igc0) while still active
- Mode: IPS (inline blocking)
- Rulesets: ET Open, Feodo Tracker, Abuse.ch SSL
Overview
Suricata is OPNsense's built-in deep packet inspection engine. Unlike CrowdSec (which blocks based on IP reputation) and GeoIP (which blocks by country), Suricata inspects the content of traffic — detecting exploit patterns, malware C2 communication, vulnerability scans, and known CVE exploitation attempts in real time.
The three layers complement each other and do not overlap:
| Layer | Tool | What It Stops |
|---|---|---|
| IP reputation | CrowdSec | Known bad IPs from community threat intel |
| Geography | GeoIP | Traffic from blocked countries |
| Content inspection | Suricata | Malicious payloads, exploit patterns, C2 traffic |
Suricata uses Netmap for high-performance inline packet processing with minimal CPU overhead.
⚠ Before enabling IPS mode: Disable hardware offloading on your interfaces or Netmap will not function correctly. This is done in Interfaces → Settings.
Pre-requisite: Disable Hardware Offloading
- Go to Interfaces → Settings
- Disable the following options:
  - Hardware CRC
  - Hardware TSO
  - Hardware LRO
  - VLAN Hardware Filtering
- Click Save
- Reboot the firewall
✓ This is a one-time change. It has no meaningful impact on performance for home/small business use and is required for Suricata IPS mode to function.
Installation
Suricata is built into OPNsense — no plugin install required. Navigate directly to:
Services → Intrusion Detection → Administration
Configuration
Step 1 — General Settings
Navigate to Services → Intrusion Detection → Administration
| Setting | Value | Notes |
|---|---|---|
| Enabled | ✓ | Turns on the IDS/IPS engine |
| IPS Mode | ✓ | Enables inline blocking (not just alerting) |
| Promiscuous Mode | Leave default | Only needed for mirrored traffic setups |
| Default Packet Size | Leave default | Auto-detected |
| Interfaces | ATT, WAN | Add both while dual-WAN is active; remove WAN after migration |
| Home Networks | 192.168.3.0/24, 192.168.5.0/24, 192.168.32.0/24 | Your internal subnets — critical for rule accuracy |
| Log Level | Info | |
| Log Retention | 7 days | Adjust based on disk space |
⚠ Home Networks is critical. Suricata rules use `$HOME_NET` and `$EXTERNAL_NET` to determine direction. If your internal subnets are not listed here, many rules will fail to trigger correctly or will produce false positives.
Click Apply after setting these values.
Step 2 — Download Rulesets
Navigate to Services → Intrusion Detection → Download
Enable the following rulesets:
| Ruleset | Provider | Priority | Notes |
|---|---|---|---|
| ET Open | Proofpoint Emerging Threats | 🔴 Essential | Comprehensive free ruleset — 40,000+ rules covering exploits, malware, scanning, C2 |
| Abuse.ch SSL Blacklist | Abuse.ch | 🔴 Essential | Blocks connections to malicious SSL certificates used by malware |
| Feodo Tracker Botnet | Abuse.ch | 🔴 Essential | Blocks botnet C2 IP communication |
| OSIF | OPNsense | 🟡 Recommended | OPNsense internal feed |
| PT Research | Positive Technologies | 🟡 Recommended | Additional threat intelligence |
To enable each ruleset:
- Find it in the list
- Toggle the Enabled switch
- Click Download & Update Rules at the top of the page
✓ ET Open is the most important ruleset. It is maintained by Proofpoint, updated daily, and covers the vast majority of common attack patterns you will encounter.
Step 3 — Configure Policies
Policies control what Suricata does when a rule matches — alert only, or drop the packet.
Navigate to Services → Intrusion Detection → Policy
Recommended policy setup:
Add the following policies in order:
Policy 1 — Drop high-severity ET threats
| Field | Value |
|---|---|
| Description | Drop ET High Severity |
| Priority | 1 |
| Rulesets | ET Open |
| Action | Drop |
| Severity | ≥ High |
Policy 2 — Alert on medium-severity (tuning period)
| Field | Value |
|---|---|
| Description | Alert ET Medium |
| Priority | 2 |
| Rulesets | ET Open |
| Action | Alert |
| Severity | Medium |
Policy 3 — Drop all Feodo/Abuse.ch matches
| Field | Value |
|---|---|
| Description | Drop Botnet C2 and SSL Blacklist |
| Priority | 1 |
| Rulesets | Feodo Tracker, Abuse.ch SSL |
| Action | Drop |
| Severity | Any |
✓ Start with medium-severity rules in alert mode for the first 1–2 weeks. Review alerts in the log for false positives before switching to drop. High-severity rules and the abuse.ch lists are safe to drop immediately.
Step 4 — Apply and Verify
- Click Apply on the Administration tab
- Navigate to Services → Intrusion Detection → Alerts
- Wait a few minutes — alerts should begin populating
- Check Services → Intrusion Detection → Stats to confirm traffic is being processed
Tuning & False Positives
After running in alert mode for a week, review the Alerts tab. Common false positives from home lab environments include:
- Nextcloud sync traffic — may trigger file transfer rules
- Torrents/P2P — will trigger multiple ET rules by design
- Internal port scanning tools — Nmap from internal hosts triggers scan rules
To suppress a false positive rule without disabling it entirely:
- Note the rule SID from the alert
- Go to Services → Intrusion Detection → Rules
- Search for the SID
- Change the rule action to Alert (instead of Drop) for that specific rule
Alternatively, add a suppression in Services → Intrusion Detection → Suppressions:
- Enter the SID
- Set the direction (source or destination)
- Enter the IP to suppress for that rule
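As an added example (not part of this wiki page or of OPNsense's own tooling) that covers both the Home Networks direction point and the false-positive review above: a small Python triage script that reads alert records from `eve.json`, classifies each flow against the Home Networks subnets the way `$HOME_NET` / `$EXTERNAL_NET` would, and lists SIDs that fired only on internal-to-internal traffic from a single host as candidates for a by-source suppression. The sample alert lines, their SIDs and the `triage` / `suppression_candidates` function names are constructed for this example.

```python
import ipaddress
import json
from collections import defaultdict

# Internal subnets from the Home Networks setting in Step 1.
HOME_NETWORKS = [ipaddress.ip_network(n) for n in
                 ("192.168.3.0/24", "192.168.5.0/24", "192.168.32.0/24")]

def is_home(ip):
    return any(ipaddress.ip_address(ip) in net for net in HOME_NETWORKS)

def direction(src, dst):
    """Classify a flow the way $HOME_NET / $EXTERNAL_NET rules see it."""
    s, d = is_home(src), is_home(dst)
    if s and d:
        return "internal"
    return "outbound" if s else ("inbound" if d else "external")

# Constructed EVE JSON lines (placeholder local-range SIDs, RFC 5737 IPs), not real output.
SAMPLE_EVE = """
{"event_type":"alert","src_ip":"192.168.3.10","dest_ip":"192.168.5.20","alert":{"signature_id":1000001,"signature":"SCAN internal port sweep (constructed)","severity":2,"action":"allowed"}}
{"event_type":"alert","src_ip":"192.168.3.10","dest_ip":"192.168.32.7","alert":{"signature_id":1000001,"signature":"SCAN internal port sweep (constructed)","severity":2,"action":"allowed"}}
{"event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.168.3.10","alert":{"signature_id":1000002,"signature":"EXPLOIT inbound probe (constructed)","severity":1,"action":"blocked"}}
{"event_type":"alert","src_ip":"192.168.32.7","dest_ip":"198.51.100.9","alert":{"signature_id":1000003,"signature":"POLICY outbound file sync (constructed)","severity":3,"action":"allowed"}}
{"event_type":"stats","uptime":3600}
"""

def triage(eve_text):
    """Per-SID summary: hits, drops, distinct source IPs, flow directions."""
    stats = defaultdict(lambda: {"sig": "", "count": 0, "dropped": 0,
                                 "src": set(), "dirs": set()})
    for line in filter(str.strip, eve_text.splitlines()):
        rec = json.loads(line)
        if rec.get("event_type") != "alert":   # skip stats/flow/dns records
            continue
        a = rec["alert"]
        e = stats[a["signature_id"]]
        e["sig"] = a["signature"]
        e["count"] += 1
        e["dropped"] += int(a["action"] == "blocked")   # IPS drop vs. alert only
        e["src"].add(rec["src_ip"])
        e["dirs"].add(direction(rec["src_ip"], rec["dest_ip"]))
    return dict(stats)

def suppression_candidates(stats):
    """SIDs fired only by one internal host on internal-only traffic (the
    Nmap / Nextcloud style false positives above): suppress by source IP."""
    return sorted((sid, next(iter(e["src"]))) for sid, e in stats.items()
                  if e["dirs"] == {"internal"} and len(e["src"]) == 1)
```

Point `triage` at the real `/var/log/suricata/eve.json` contents to get the same per-SID view the Alerts tab gives, but grouped so that the single-host internal noise stands out from inbound drops.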
Monitoring
Alert Dashboard
Services → Intrusion Detection → Alerts — real-time view of matched rules.
Useful filters:
- Filter by `severity: high` to see the most critical events
- Filter by `action: drop` to see what is being actively blocked
- Filter by source IP to investigate a specific host
Graylog Integration
Forward Suricata alerts to Graylog for centralized analysis:
- Suricata logs to `/var/log/suricata/eve.json` in EVE JSON format
- In Graylog, add a Beats input or Syslog UDP input
- In OPNsense System → Settings → Logging → Remote, add Graylog as syslog target
- Create a Graylog stream filtering on `application_name: suricata`
Key Files & Paths
| Path | Purpose |
|---|---|
| `/var/log/suricata/eve.json` | EVE JSON alert log — used by Graylog |
| `/var/log/suricata/stats.log` | Performance statistics |
| `/usr/local/etc/suricata/suricata.yaml` | Main config (managed by OPNsense UI) |
| `/usr/local/share/suricata/rules/` | Downloaded rulesets |
Related Documentation
- OPNsense Firewall — parent firewall documentation
- CrowdSec — complementary IP reputation layer
- Additional Blocklists — Feodo, Abuse.ch, ET IP blocklists at firewall level
- Graylog — centralized log target for Suricata alerts