18.17. Suricata

You can find the Suricata Settings at Services → Suricata.

Suricata is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS).

Before you can use Suricata, it has to be installed. You can install it at System → Addons.

18.17.1. General Settings

On this page Suricata can be enabled or disabled.

The Mode can be IDS (Intrusion Detection System), IPS (Intrusion Prevention System) or IDS & IPS.

One or more Interfaces can be selected where traffic should be analyzed by Suricata.

The option Advanced allows the usage of Custom Options.

Multiple Home Networks can be added with their IP address and port. By default the networks 192.168.0.0/16, 10.0.0.0/8 and 172.16.0.0/12 are created. Home Networks are often used in the default rules to distinguish internal from external traffic and to apply different rules to each.

18.17.2. Update

Here you can configure which rules should be installed. You can choose from ETOpen Emerging Threats rules, ETPro Emerging Threats rules and Snort GPLv2 Community rules.

Update Interval creates a cronjob which will update the rules according to the selected time interval.

Be aware that the more rules you select, the slower Suricata gets. It might be advisable to use only the rules and categories that you need.

18.17.3. Rules

Here you can see all installed and used rule files, which usually correspond to a single category each. Each rule file can be enabled or disabled in the Actions column on the right side.

Multiple SIDs can be added to disable specific rules by their Signature ID.

At the bottom you can add Custom Rules.
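To show what disabling rules by SID and adding custom rules amounts to at the rule-file level, here is an added example (not code from this manual or from Suricata) that comments out rules whose SID is on a disable list; the rule file is a constructed sample whose rules reference the $HOME_NET and $EXTERNAL_NET variables that the Home Networks setting fills in.

```python
"""Disable Suricata rules by Signature ID (SID).

Added illustration, not code from the page or from Suricata. It mirrors
what the Rules page does behind the scenes: a rule whose sid is on the
disable list is commented out, so Suricata skips it at load time.
"""
import re

# Constructed sample rule file with three hypothetical custom rules.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH to home net"; flow:to_server; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE outbound HTTP"; sid:1000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SAMPLE telnet blocked"; sid:1000003; rev:2;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_sid(line):
    """Return the SID of an active rule line, or None for comments/blank lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = SID_RE.search(stripped)
    return int(m.group(1)) if m else None


def disable_sids(rules_text, disabled):
    """Comment out every rule whose SID is in `disabled`.

    Returns (new_rules_text, list of SIDs that were actually disabled).
    SIDs on the list that do not occur in the file are silently ignored.
    """
    out, hit = [], []
    for line in rules_text.splitlines():
        sid = rule_sid(line)
        if sid is not None and sid in disabled:
            out.append("# " + line)  # commented rules are not loaded
            hit.append(sid)
        else:
            out.append(line)
    return "\n".join(out) + "\n", hit


def active_sids(rules_text):
    """SIDs of the rules that are still enabled in the given text."""
    return [s for s in map(rule_sid, rules_text.splitlines()) if s is not None]


if __name__ == "__main__":
    new_text, hit = disable_sids(SAMPLE_RULES, {1000002, 4242})
    print(new_text)
    print("disabled:", hit, "still active:", active_sids(new_text))
```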

18.17.4. Logs

The Logs page shows log entries for rules that were triggered. The first column shows the type, which can be Alert or Drop. In the Actions column you can also disable the rule via its SID.