Your All-In-One Guide to Setting up pfSense and Suricata in Splunk (2022)

By Austin O'Neil | Published On: May 8th, 2020

There are a few blogs out there on the internet that walk you through setting up a pfSense Splunk forwarder, and a few more that talk about getting your Suricata IDS logs into your Splunk, but there is not an all-in-one guide to help you do both. Today we hope to solve that problem and give you an all-in-one guide on how to do this.

For those who don’t know what pfSense is, it’s open source router software based on FreeBSD that can run on anything from an old desktop tower to a brand new 1U server or virtual machine. The project started in 2004 as a fork of a project called “m0n0wall,” and it has grown in popularity as one of the favorite home and business router operating systems. If you aren’t familiar with the project and would like to give it a try, I recommend heading to pfSense’s website to download the current version and install it in a dev environment.

Suricata is an open source IDS project that helps detect and stop network attacks based on predefined rules or rules you write yourself. Luckily, there is a pfSense package available that you can download and easily configure to stop malicious traffic from reaching your network.

Note: The following steps were written around the latest release at the time of writing, pfSense 2.4.5-release; future updates may make this guide out of date.

Step 1: pfSense SSH Setup

The first thing you’ll need to do is log into your pfSense web GUI and go to System > Advanced to enable secure shell access to your router, if you have not already done so. This will be needed in later steps.

Best practice here would be to set up access with a public key and password, but for the sake of demonstration we’re simply going to enable password authentication at this time.

Once you have enabled SSH in the web GUI, verify that you can SSH to the router using PuTTY, PowerShell, or your favorite terminal environment: “ssh root@ip-of-router”. The password is the same one you use to authenticate to the web GUI.

Step 2: pfSense Suricata Install

To install Suricata, it’s as simple as clicking a few buttons. Go to System > Package Manager > Available Packages, scroll down until you find “Suricata,” and then click install. We will come back to configuring Suricata later in the tutorial.

Step 3: Splunk Setup

Splunk Index Setup

Before we get any further, we need to configure Splunk to receive our data.

To make things simple, we are going to create two indexes. One for pfSense called “network,” and another for Suricata called “ids.” I recommend you create and keep a table of indexes handy so you know where to look for your data within Splunk. This will solve future headaches when you’re looking for certain events.

1.) To create an index, log into Splunk and then click Settings > Indexes.

2.) Once on the “Indexes” page, we will want to click “New Index” in the top right corner of the page. You will then be presented with options for creating a new index.

3.) For the first index, we will name it “network.” You can leave the rest of the settings alone unless you want to set up index retention, which you can learn about here.

4.) Once finished, go ahead and save the index.

Repeat this process for the other index needed called “ids”.

Splunk Apps Installation

Next, we need to download a few Splunk apps from splunkbase.splunk.com.

The following links will take you to the apps we will be using in this tutorial:

  • Splunk Common Information Model (CIM) – “The CIM helps you to normalize your data to match a common standard, using the same field names and event tags for equivalent events from different sources or vendors.” This will allow us to build alerts and reports easily after everything is set up.
  • TA-pfSense– This allows Splunk to extract fields from pfSense logs.
  • Splunk TA for Suricata– This allows Splunk to extract fields from Suricata logs.

Go ahead and download those apps. You’ll need to install them onto your Splunk server and on your pfSense Splunk forwarder, which we’ll set up later in the tutorial.

To install the apps on your Splunk server, click Apps > Manage Apps in the top left corner.

We will then want to click “Install app from file” and choose one of the apps you recently downloaded. Once chosen, click “Upload” and repeat until all three apps are uploaded.

We won’t need to configure any of the installed apps. Once all of the apps are uploaded, we can continue to the next step.

Splunk Data Inputs

Now that we have the apps installed, we need to configure a UDP receiving port for the pfSense syslog data. This can be achieved by going to Settings > Data Inputs and clicking “+ Add New” next to UDP.

We will be taken to the add data page within Splunk. Let’s go ahead and add in a port to receive our logs. I am going to use port 5147.

In the source type drop down, type “pfsense” and select the entry named exactly “pfsense” (without a “:” suffix), as seen in the image below.

The next setting we need to change is the host field. Select “Custom” and type in the host name of your pfSense router. Once that’s complete, select the index drop down and select the “network” index we created earlier.

Continue to the next page by clicking “Review,” verify your new data input settings, and click “Submit.”

Once that is complete, we need to set up our receiving port for our forwarder. Go to Settings > Forwarding and Receiving. Click “Add New” next to “Configure receiving.” In the “Listen on this port” field, enter “9997.” Once that is done, hit “Save” and then we can go back to the Splunk homepage by clicking on “Splunk>” in the top left corner.

Step 4: pfSense Remote Logging Setup

We need to set up pfSense to log to the new index and data input we just created. To do so, in pfSense’s web GUI go to the navbar and select Status > System Logs. Once there, go to the Settings tab and scroll down to the bottom of the page.

Go ahead and check the “Enable Remote Logging” box. Enter the IP address of your Splunk server followed by the port number we set up in the Data Inputs section (for example, splunk-ip:5147). The last thing we need to do is check the “Everything” box under Remote Syslog Contents. Save the page.

At this point, we should be able to go back to our Splunk instance and run the following search.

You should now see pfSense events returning from your Splunk search with all fields from the TA extracted! If you don’t see all fields being extracted, be sure to run the search in “Verbose Mode.”

Step 5: Configuring pfSense Suricata

Okay, we have pfSense logs inside Splunk. Now we need to get our IDS set up and then get its logs shipped to Splunk. Let’s get started! Since we installed Suricata in an earlier step, we just need to configure it.

Let’s go to Services > Suricata inside of pfSense. We first need to go to the Global Settings tab and enable the rule sets to download. Since free is good enough for my environment, I enabled ETOpen Emerging Threats and set up a Snort account to download the free community Snort rules. You can sign up for an account here.

You can change the update interval so that new rules added to the ETOpen and Snort Community rule bases are downloaded automatically.

Next, we want to go to the “Updates” tab and hit “Force” to force download all the rules we selected on the previous page.

Once that is done, we can return to the Interfaces tab and click the “+ Add” button to set up the WAN interface. There are a few screenshots below; these are the settings I determined to give the best logging output. We need Suricata to log in EVE JSON mode.

We now have to determine whether we want to block offenders or not. You have the option to pick between legacy mode and inline mode. I recommend checking out this blog post on Netgate’s forums to determine which is the best option for your use case. I selected Legacy for mine. Go ahead and hit save.

Next let’s go to the Categories tab and select the rule sets you want to enable.

Finally, let’s go back to the interfaces tab and hit the green arrow next to WAN. This should enable Suricata.

Step 6: pfSense Splunk Forwarder and Shipping of Suricata logs

We’re in the home stretch!

In order to ship the Suricata logs to our Splunk server, we need to install a Splunk forwarder. Since pfSense is FreeBSD, we need the Splunk Universal Forwarder for FreeBSD, found here. Once that is downloaded, I found the easiest way to get it onto pfSense is to extract the .txz file and then SCP the folder to pfSense.

If you’re on Mac or Linux, to extract the .txz file, run the following command:

We will be left with a few files in the directory we extracted the archive into. Next, we will want to scp (copy the files over SSH) the folder to our pfSense router using the following command:

While we’re at it, let’s extract the Suricata TA we downloaded earlier and scp that folder to the router as well, with the following commands:

Having done that, we can SSH back into the router and hit option “8” for Shell. Choosing option 8 should put us in the /root/ directory. From here, we can run “ls” to verify that the scp commands were successful. You should see an “opt” and a “TA-Suricata” folder in /root/.

1.) Let’s go ahead and move the opt folder to the / directory by issuing the command:

2.) Next we need to move the TA-Suricata folder to the apps folder using the following command:

3.) Now that we have the opt directory moved and the Suricata TA in the apps folder, let’s go to the Splunk forwarder folder and configure our outputs.

4.) The outputs.conf file tells the Splunk forwarder where to send the data to.

If there isn’t an outputs.conf file in the folder, create one with the following content.

Side note: pfSense’s only text editor is Vi. Yes, I know. I’m sorry… This isn’t the time or place to discuss text editors, but if you need help in Vi, there are countless guides online.

5.) Next, let’s configure the Suricata TA to monitor our Suricata Eve JSON log we set up earlier.

6.) We need to change directories to our TA-Suricata folder.

7.) Note which folder Suricata is logging to. We can do so by ls-ing Suricata’s log folder.

Keep note of the folder names! In my case, I have two Suricata folders inside of my Suricata log folder as I am using suricata on two interfaces. In your case, you may only have one.

8.) We will now need to make/edit our inputs.conf file inside of /opt/splunkforwarder/etc/apps/TA-Suricata/default.

9.) Open Vi and make the following edit:

10.) Finally, we just need to start the Splunk forwarder. Let’s change directories to the Splunk bin folder:

11.) To set Splunk to start on bootup of pfSense, run:

12.) To start Splunk, run:

Let’s check out our new logs in Splunk!

Great! As you can see, our search now returns Suricata logs with fields extracted. Since we installed the CIM app, we can do things like tag=dns to get back DNS logs, and so forth. Again, if you don’t see all the interesting fields on the left, be sure to run your search in “Verbose” mode.
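The configuration this guide builds by hand, rendered by one POSIX shell script: the indexer-side UDP input from Step 3 and the forwarder-side outputs.conf and inputs.conf from steps 4 through 12 above. This is an added example, not code from the original post or from Splunk or Netgate; the indexer address 192.0.2.10, the suricata_em… folder names and the /var/log/suricata path are assumptions to adjust. It writes the monitor stanza to the TA’s local/ directory rather than default/, so a later TA upgrade does not overwrite it.

```shell
#!/bin/sh
# Added example, not from the original post or from Splunk/Netgate.
# Renders the Splunk .conf text this guide enters by hand and stages the
# Universal Forwarder on pfSense. Placeholder/assumed values: SPLUNK_HOST
# (192.0.2.10), the suricata_<iface><id> folder names, and the paths below.

SPLUNK_HOST="${SPLUNK_HOST:-192.0.2.10}"      # placeholder indexer address
SPLUNK_PORT="${SPLUNK_PORT:-9997}"             # receiving port from Step 3
FWD_HOME="${FWD_HOME:-/opt/splunkforwarder}"   # where "opt" lands in step 1
SURICATA_LOG_DIR="${SURICATA_LOG_DIR:-/var/log/suricata}"  # pfSense default (assumed)

# Indexer side (Step 3): the UDP data input the GUI creates, as inputs.conf text.
# $1 = UDP port, $2 = pfSense host name, $3 = index. connection_host = none
# tells Splunk to use the fixed host value instead of the sender's address.
render_udp_input_conf() {
    printf '[udp://%s]\nsourcetype = pfsense\nhost = %s\nindex = %s\nconnection_host = none\n' \
        "$1" "$2" "$3"
}

# Forwarder side (step 4): outputs.conf pointing at the indexer's receiving port.
render_outputs_conf() {
    printf '[tcpout]\ndefaultGroup = pfsense_indexers\n\n'
    printf '[tcpout:pfsense_indexers]\nserver = %s:%s\n' "$1" "$2"
}

# Forwarder side (steps 7-9): one monitor stanza per Suricata interface folder,
# shipping eve.json to the "ids" index under the TA's sourcetype.
render_inputs_conf() {
    for dir in "$@"; do
        printf '[monitor://%s/%s/eve.json]\nsourcetype = suricata\nindex = ids\ndisabled = 0\n\n' \
            "$SURICATA_LOG_DIR" "$dir"
    done
}

# Discover the suricata_<iface><id> folders (the "ls" in step 7) so every
# interface running Suricata gets a stanza, not just the one you noted down.
suricata_log_dirs() {
    for d in "$1"/suricata_*; do
        [ -d "$d" ] && basename "$d"
    done
    return 0
}

# Run as root on pfSense after scp'ing "opt" and "TA-Suricata" into /root
# (steps 1-3, 10-12). Configs go to local/ so an app upgrade keeps them.
deploy() {
    [ -d /root/opt ] && mv /root/opt /
    [ -d /root/TA-Suricata ] && mv /root/TA-Suricata "$FWD_HOME/etc/apps/"
    mkdir -p "$FWD_HOME/etc/system/local" "$FWD_HOME/etc/apps/TA-Suricata/local"
    render_outputs_conf "$SPLUNK_HOST" "$SPLUNK_PORT" \
        > "$FWD_HOME/etc/system/local/outputs.conf"
    # word splitting on the folder names is intended here
    render_inputs_conf $(suricata_log_dirs "$SURICATA_LOG_DIR") \
        > "$FWD_HOME/etc/apps/TA-Suricata/local/inputs.conf"
    "$FWD_HOME/bin/splunk" enable boot-start --accept-license
    "$FWD_HOME/bin/splunk" start
}

if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

Run it with no arguments to render the configs for review (for example, `render_inputs_conf suricata_em012345`), and with `deploy` on the router itself to stage everything.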

Wrapping It Up

Pat yourself on the back and grab yourself a reward (I prefer pizza); you did it!

Where do you go from here? Well, now that you have these logs and the data is normalized, you can start building out alerts, reports, and beautiful dashboards around your newly imported data. This is just the beginning, my friend.

I sure hope this guide has been helpful. If you still need a hand, I recommend checking out these resources:

About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.
