Need help using Suricata

I have installed the Suricata add-on in my IPFire, but there is just a checkbox to enable and disable it. It doesn't seem to give any granular control over connections.

Suricata on pfSense provides logs and more options to block connections; where is such an option in IPFire?

Am I missing something?

Once it is enabled and a ruleset has been selected and saved (I picked the Emergingthreats.net Community Rules), you should see a Rulesets list with control over connections.

This may help: IPFire Wiki - Intrusion Prevention System (IPS)


EDIT: See menu Logs > IPS Logs for the IPS Logs:

I followed your example, but the IPS log viewer shows 0 in "Total of number of activated rules" (I selected 2 rules in the ruleset list and hit Apply).

I have five (5) rules picked on the IPS page (menu Firewall > Intrusion Prevention).

But I see "Total of number of activated rules for April 07: 25" in the IPS Logs. I went from 3 in my post above to 25 within a few minutes.

It seems to me (and I am not the expert) that "Total of number of activated rules for April 07:" is the count of issues or events found by the IPS.

Thanks, I'll wait and see if it changes by the end of the day.


FYI - all of my IPS hits are from ET DROP and ET SCAN. So for testing or getting quick hits, setting those might help.

ET DROP is part of the Ruleset dshield.rules:

and ET SCAN is part of the Ruleset emerging-scan.rules:

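The two posts above raise the same question from different sides: whether the daily "Total of number of activated rules" figure is a count of alert events rather than of enabled rules, and how ET DROP / ET SCAN hits show up in the log. Suricata writes every alert as a JSON line in its EVE log, so the distinction can be checked directly. The script below is an added example, not code from the thread or from IPFire; it parses constructed EVE JSON alert records (the signature IDs and texts are illustrative, and the eve.json path mentioned in the docstring is an assumption) and reports, for one day, how many alert events fired, how many distinct rules those events came from, and how the events split by ET rule family.

```python
"""Count Suricata IPS alert events per day, per rule, and per ET family.

Added example, not part of the forum thread or of IPFire. Suricata's EVE
log (on IPFire assumed to be /var/log/suricata/eve.json) holds one JSON
record per line; alerts have event_type "alert". The records below are
constructed for the example; the signature IDs are illustrative.
"""
import json
from collections import Counter

# Constructed sample: four alerts on two days, one non-alert flow record,
# and one truncated line of the kind you get when reading a file that is
# still being written. Addresses are documentation ranges.
SAMPLE_EVE = """\
{"timestamp":"2020-04-07T09:12:01.123456+0200","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"198.51.100.10","dest_port":22,"proto":"TCP","alert":{"signature_id":2402000,"rev":5,"signature":"ET DROP Dshield Block Listed Source group 1","category":"Misc Attack","severity":2}}
{"timestamp":"2020-04-07T09:12:02.000000+0200","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"198.51.100.10","dest_port":443,"proto":"TCP","alert":{"signature_id":2402000,"rev":5,"signature":"ET DROP Dshield Block Listed Source group 1","category":"Misc Attack","severity":2}}
{"timestamp":"2020-04-07T10:30:45.000000+0200","event_type":"alert","src_ip":"198.51.100.77","dest_ip":"198.51.100.10","dest_port":80,"proto":"TCP","alert":{"signature_id":2000537,"rev":8,"signature":"ET SCAN NMAP -sS window 1024","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2020-04-07T10:30:46.000000+0200","event_type":"flow","src_ip":"198.51.100.77","dest_ip":"198.51.100.10","proto":"TCP"}
{"timestamp":"2020-04-08T00:00:03.000000+0200","event_type":"alert","src_ip":"198.51.100.77","dest_ip":"198.51.100.10","dest_port":8080,"proto":"TCP","alert":{"signature_id":2000537,"rev":8,"signature":"ET SCAN NMAP -sS window 1024","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2020-04-08T00:00:04
"""


def parse_alerts(eve_text):
    """Yield alert records from EVE JSON text, skipping other event types
    and lines that do not parse (blank or truncated)."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            yield rec


def alert_day(rec):
    """Local calendar day of an alert: EVE timestamps start with YYYY-MM-DD."""
    return rec["timestamp"][:10]


def alerts_per_day(eve_text):
    """Number of alert events per day, i.e. one hit per event, not per rule."""
    return Counter(alert_day(r) for r in parse_alerts(eve_text))


def distinct_rules(eve_text, day=None):
    """Set of signature IDs that fired (optionally restricted to one day)."""
    return {
        r["alert"]["signature_id"]
        for r in parse_alerts(eve_text)
        if day is None or alert_day(r) == day
    }


def rule_family(signature):
    """First two words of an ET signature name, e.g. 'ET DROP' or 'ET SCAN'."""
    parts = signature.split()
    return " ".join(parts[:2]) if len(parts) >= 2 else signature


def alerts_per_family(eve_text, day=None):
    """Alert events grouped by ET rule family (optionally for one day)."""
    counts = Counter()
    for r in parse_alerts(eve_text):
        if day is None or alert_day(r) == day:
            counts[rule_family(r["alert"]["signature"])] += 1
    return counts


if __name__ == "__main__":
    day = "2020-04-07"
    print(f"alert events on {day}: {alerts_per_day(SAMPLE_EVE)[day]}")
    print(f"distinct rules firing on {day}: {len(distinct_rules(SAMPLE_EVE, day))}")
    for family, n in alerts_per_family(SAMPLE_EVE, day).most_common():
        print(f"  {family}: {n}")
```

On the sample, 7 April has three alert events produced by only two distinct rules, which is the difference the earlier post is pointing at: a total that climbs from 3 to 25 in a few minutes while five rules are enabled is counting events. To run this against a live box, replace SAMPLE_EVE with the contents of the EVE log; truncated trailing lines are skipped rather than crashing the parse.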

I selected the emerging-scan.rules ruleset and enabled the nmap scan rules, then nmap'ed my public IP from the outside, and I see the IPS Log populated. Many thanks.