Suricata and pfsense integration

[Jackson-Pollock]

Hi Team,

Suricata in Security Onion does not support IPS mode and we thought of applying firewall rules (To achieve IPS) using pfsense firewall for testing purpose. pfsense has an API and we can build python scripts to automate configuration.
The one example of use case we are trying to achieve:
If Suricata IDS created any alert for malware connection then pfsense should apply a rule to restrict LAN/WAN connection of that impacted host.

Need suggestions on this.

Thank you!

[Jackson-Pollock]

From Suricata Forum:-

There is a Suricata package available for pfSense. It supports both IPS mode (using the netmap device) as well as a custom blocking mode using the pf firewall engine along with a custom Suricata plugin. That second blocking mode is called Legacy Blocking Mode, and it works in the manner you describe: alerts detected by the custom plugin result in the offender’s IP address getting put into a pf firewall table so that it is subsequently blocked.

Here is a YouTube tutorial on setting up the package: Suricata Network IDS/IPS Installation, Setup, and How To Tune The Rules & Alerts on pfSense 2020 - YouTube 2.

There is also a dedictated IDS/IPS sub-forum on the Netgate/pfSense forum: pfSense IDS/IPS Forum 1. You will find a lot of helpful information posted there, plus you can ask for help from other users experienced with the package. Note that Suricata on pfSense has that custom blocking module, so questions related to that should be posted on the linked pfSense forum and not posted here.