Webinar - OPNsense and Suricata, a great combination!

Published on Oct 22, 2024 This response is partially generated with the help of AI. It may contain inaccuracies.

Introduction

This tutorial walks through setting up Suricata on OPNsense. OPNsense is an open-source firewall and routing platform based on FreeBSD; Suricata is the intrusion detection engine it ships with, which inspects traffic against signature rulesets and can run either passively (IDS, alert only) or inline as an Intrusion Prevention System (IPS) that drops matching packets. By following this guide you'll learn how to enable it, choose rulesets, and verify that it actually detects and, in IPS mode, blocks what you expect.

Step 1: Setting Up OPNsense

  1. Download and Install OPNsense

    • Visit the OPNsense website to download the latest version.
    • Create a bootable USB drive using tools like Rufus or Etcher.
    • Boot your system from the USB drive and follow the installation prompts to install OPNsense.
  2. Initial Configuration

    • After installation, open the web interface at the LAN address, https://192.168.1.1 by default (the installer prints the address on the console).
    • Log in with the default credentials (username: root, password: opnsense).
    • Complete the initial setup wizard, which configures your WAN and LAN interfaces and asks for a new root password; set one here rather than keeping the default.
  3. Update OPNsense

    • Go to System > Firmware > Status.
    • Click on "Check for Updates" and apply any available updates to ensure you're running the latest version.

Step 2: Installing Suricata

  1. Locate the Intrusion Detection service

    • Suricata is part of the OPNsense base system, so there is no plugin to install from System > Firmware > Plugins.
    • Navigate to Services > Intrusion Detection > Administration; the service is managed from the tabs there (Settings, Download, Rules, User defined, Alerts, Policy, Schedule).
  2. Configure Suricata

    • On the Settings tab, tick "Enabled" and select the interfaces to inspect. Prefer the LAN (or other internal) interface: on the WAN, traffic has already been NATed, so alerts show the firewall's address instead of the internal host that caused them.
    • Tick "IPS mode" for inline blocking. IPS mode uses netmap, which needs a supported NIC driver and hardware offloading turned off: under Interfaces > Settings, disable hardware CRC, TSO, LRO and VLAN hardware filtering, then reboot so the change takes effect. Leave IPS mode off at first and run as an IDS until you are confident the rules do not block legitimate traffic.
    • Tick "Promiscuous mode" if the interface carries VLAN-tagged traffic or traffic for addresses not assigned to it.
    • Click Apply.
  3. Select Rulesets

    • Go to the "Download" tab.
    • Tick the rulesets you want. "ET open" is the free Emerging Threats feed and the usual starting point; "ET Pro Telemetry edition" gives better coverage but requires a free token from Proofpoint and shares alert telemetry back with them.
    • Click "Enable selected" and then "Download & Update rules".
    • Downloaded rules keep the action written in the rule, which for most is alert, so in IPS mode nothing is dropped until you say so. On the "Policy" tab, create a policy that matches the enabled rulesets (optionally narrowed by severity or category) with the action set to "Drop", or change the action of individual rules on the "Rules" tab.
    • On the "Schedule" tab, add a cron job to refresh the rules periodically so new signatures arrive without manual work.

Step 3: Understanding IDS vs IPS

  • IDS (Intrusion Detection System): Monitors a copy of the traffic and raises alerts on suspicious activity without interfering with it. A false positive costs an analyst some time.
  • IPS (Intrusion Prevention System): Sits inline and drops packets that match rules with a drop action, in real time. A false positive here breaks a connection, which is why rules are normally run in alert mode first and promoted to drop once tuned. In OPNsense, a packet is only dropped when both IPS mode is enabled and the matching rule's action is drop.

Step 4: Testing Your Configuration

  1. Verify Suricata is Running

    • On Services > Intrusion Detection > Administration, the Settings tab shows whether the service is running. From a shell (SSH, or option 8 on the console menu), run service suricata status to confirm the process is up.
  2. Simulate Traffic and Threats

    • The simplest check is a known-benign trigger: from a LAN host, fetch http://testmyids.com over plain HTTP. The response contains the string uid=0(root), which fires the ET open rule "GPL ATTACK_RESPONSE id check returned root" (SID 2100498). Use HTTP, not HTTPS, because Suricata cannot inspect encrypted payloads without TLS interception.
    • For more realistic tests, run nmap or hping3 from one host you control against another host you control behind the firewall (an nmap SYN scan, for example) and confirm the ET SCAN rules fire and, in IPS mode with a drop policy, that the scan is blocked. Only scan systems you are authorised to test.
  3. Review Logs and Alerts

    • Open the "Alerts" tab under Services > Intrusion Detection > Administration to review detected threats; each entry shows the rule, source and destination, and whether the action was allowed or blocked. The same data is written as JSON to /var/log/suricata/eve.json, which is what you feed to external log tools.
    • Tune from what you see: disable, or set back to alert, the rules that fire on known-good traffic, and promote reliable rules to drop. Expect many inbound scan alerts on the WAN; alerts with an internal host as the source deserve attention first.
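The following script is an added example (not part of this page or of the OPNsense project) showing how to review alerts outside the web interface and how the IDS/IPS distinction from Step 3 shows up in the logs. It parses Suricata's EVE JSON output, the format written to /var/log/suricata/eve.json, keeps only alert events, counts them by action and signature, flags internal sources, and reports whether any alert was actually blocked. The sample log lines are constructed for this example; the HOME_NET prefix 192.168. is an assumption matching the default LAN.

```python
"""Summarise Suricata EVE alerts from an OPNsense eve.json log.

Added example, not code from the page or from the OPNsense project.
The sample records below are constructed; the field names used
(event_type, src_ip, alert.action, alert.signature_id, alert.signature)
follow Suricata's EVE JSON alert format.
"""
import json
import sys
from collections import Counter

# Constructed sample of eve.json content: one JSON object per line, with a
# non-alert event and a truncated line mixed in, as a real log would have.
SAMPLE_EVE = """\
{"timestamp":"2024-10-22T10:01:02.000000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-10-22T10:01:05.000000+0000","event_type":"flow","src_ip":"192.168.1.50","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2024-10-22T10:02:11.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.1.20","dest_port":22,"proto":"TCP","alert":{"action":"blocked","signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-10-22T10:02:12.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.1.21","dest_port":22,"proto":"TCP","alert":{"action":"blocked","signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-10-22T10:03:00.000000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-10-22T10:03:01.000000+0000","event_type":"al
"""

# Assumed HOME_NET prefix (the OPNsense default LAN is 192.168.1.0/24).
HOME_NET_PREFIXES = ("192.168.",)


def parse_alerts(text):
    """Yield alert events from eve.json text.

    Other event types (flow, dns, http, ...) are skipped, and so are lines
    that are not valid JSON, which happens when the last line of a live
    log has not been fully written yet.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert":
            yield event


def summarize(text, home_net=HOME_NET_PREFIXES):
    """Return a summary dict of the alerts found in eve.json text."""
    alerts = list(parse_alerts(text))
    by_action = Counter(a["alert"]["action"] for a in alerts)
    by_signature = Counter(
        (a["alert"]["signature_id"], a["alert"]["signature"]) for a in alerts
    )
    # Alerts whose source is inside HOME_NET come first in triage: an
    # internal host tripping a rule may be compromised, whereas inbound
    # scans from the Internet are mostly background noise.
    internal_sources = Counter(
        a["src_ip"] for a in alerts if a["src_ip"].startswith(home_net)
    )
    return {
        "total": len(alerts),
        "by_action": dict(by_action),
        "top_signatures": by_signature.most_common(5),
        "internal_sources": dict(internal_sources),
        # With IPS mode on and a drop policy you expect some "blocked"
        # actions. If every alert says "allowed", Suricata is effectively
        # running as an IDS: IPS mode is off or the rules still say alert.
        "blocking_observed": by_action.get("blocked", 0) > 0,
    }


if __name__ == "__main__":
    # Read a real log from stdin when one is piped in, else use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EVE
    print(json.dumps(summarize(data), indent=2))
```

To run it against the firewall's live log from an admin workstation with SSH access enabled: ssh root@192.168.1.1 cat /var/log/suricata/eve.json | python3 eve_summary.py. A summary with blocking_observed false while you believe IPS mode is on is the first thing to investigate after Step 2, since it usually means the rule actions were never changed from alert to drop.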

Conclusion

By following this tutorial, you have successfully set up OPNsense and integrated Suricata as your inline IPS. This combination greatly enhances your network's security posture by providing robust monitoring and threat mitigation capabilities. For ongoing maintenance, regularly update both OPNsense and Suricata, review alerts, and adjust configurations as needed to adapt to evolving threats. Consider exploring additional features and community resources to maximize the potential of your setup.