Link Search Menu Expand Document

Suricata installation and configuration

What is the only reason for not running Snort? If you are using Suricata instead.

This is how I installed Suricata and used it as a IDS/IPS on my pfSense firewall and logged events to my Elastic Stack.

Table of contents
  1. Getting started
    1. Prerequisites
  2. Configuration
    1. Global Settings
      1. Please Choose The Type Of Rules You Wish To Download
      2. Rules Update Settings
      3. General Settings
    2. Updates
    3. Interfaces
      1. Logging Settings
      2. EVE Output Settings
  3. 10-suricata.conf
  4. Authors
  5. Acknowledgments

Getting started

Install the Suricata package by navigating to System, Package Manager and select Available Packages.


  • pfSense 2.4.4-RELEASE-p3 (amd64)
  • suricata 4.1.6_2
  • elastic stack 5.6.8


Navigate to Suricata by clicking Services, Suricata.

Global Settings

Please Choose The Type Of Rules You Wish To Download

Install ETOpen Emerging Threats rules:

  • ETOpen is a free open source set of Suricata rules whose coverage is more limited than ETPro.

Install Snort rules:

  • Snort free Registered User or paid Subscriber rules
  • Snort Rules Filename: snortrules-snapshot-29151.tar.gz
  • Snort Oinkmaster Code: d3fb58191764f206a2a444buid8fd289sd891z6c

Install Snort GPLv2 Community rules:

  • The Snort Community Ruleset is a GPLv2 Talos-certified ruleset that is distributed free of charge without any Snort Subscriber License restrictions.
    Hide Deprecated Rules Categories:
  • Hide deprecated rules categories in the GUI and remove them from the configuration. Default is Not Checked.

Rules Update Settings

  • Update Interval: 12 HOURS
  • Update Start Time: 00:30
  • GeoLite2 DB Update:
  • Enable downloading of free GeoLite2 Country IP Database updates. Default is Not Checked
  • GeoLite2 DB License Key: dOFdszB21sz44

General Settings

  • Remove Blocked Hosts Interval: NEVER
  • Log to System Log: [x] Copy Suricata messages to the firewall system log.
  • Keep Suricata Settings After Deinstall: [v] Settings will not be removed during package deinstallation.

Click Save.


No rule sets have been updated. Click Update. After you have configured the above settings in Global Settings, it should read Results: success.


  • Emerging Threats Open Rules
  • Snort Subscriber Rules
  • Snort GPLv2 Community Rules


On the Interface Setting Overview, click + Add and all the way to the bottom, click Save.

Go back to Interfaces and click the blue icon “Start suricata on this interface”. Edit that WAN interface.

Logging Settings

Send Alerts to System Log:

  • Suricata will send Alerts from this interface to the firewall’s system log.
  • Log Facility: LOCAL1
  • Log Priority: NOTICE

Enable Tracked-Files Log:

  • Suricata will log tracked files in JavaScript Object Notation (JSON) format. Default is Not Checked.
    Append Tracked-Files Log:
  • Suricata will append-to instead of clearing Tracked Files log file when restarting. Default is Checked.

EVE Output Settings

  • EVE JSON Log:
  • Suricata will output selected info in JSON format to a single file or to syslog. Default is Not Checked.
  • EVE Output Type: SYSLOG

Let the rest be default, click Save.


root@ELK:/usr/local/etc/logstash/conf.d # nano 12-suricata.conf
filter {
  if [type] == "SuricataIDPS" {
    date {
      match => [ "timestamp", "ISO8601" ]
    ruby {
      code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"

  if [src_ip]  {
    geoip {
      source => "src_ip"
      target => "geoip"
      database => "/usr/local/etc/logstash/GeoIP/GeoLite2-City.mmdb"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    if ![geoip.ip] {
      if [dest_ip]  {
        geoip {
          source => "dest_ip"
          target => "geoip"
          database => "/usr/local/etc/logstash/GeoIP/GeoLite2-City.mmdb"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
        mutate {
          convert => [ "[geoip][coordinates]", "float" ]


Mr. Johnson