How to choose better rules

Hello, I want to configure Suricata on a pfSense firewall with 5 interfaces. I have seen that by default you can load categories that generate rules automatically, but some are false positives. There is an option called custom.rule. The question is, is it better to start with these because of the defaults, or create new ones for my environment?

This might be pfSense-specific for the implementation, so I would recommend asking at pfSense.

The Suricata package on pfSense runs a custom binary with an additional plugin compiled in for a feature termed “Legacy Blocking Mode”. Questions about configuration of Suricata on pfSense should be posted on the pfSense (Netgate) IDS/IPS forum here: IDS/IPS | Netgate Forum.

To provide a more general answer to your question, you should choose rules for Suricata based on the vulnerabilities in your network and the anticipated threats. Run your rules first in IDS mode to get a feel for “normal traffic” and provide an opportunity to weed out false positives. As you discover false positives, you may choose to disable those particular rules. Similarly, you can disable rules that address threats that are not applicable in your network. For example, if you do not run a public web server behind your firewall, then enabling rules that detect incoming threats against web servers is just wasting CPU resources. Ditto for email or DNS server rules – if you do not run those servers on your network, then enabling those kinds of rules wastes computing resources.
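The tuning loop described in this reply (run in IDS mode, count what fires, disable the false positives and the categories for services you do not run) is easy to script. The block below is an added example written for this thread, not code from the Suricata project or from pfSense; the eve.json lines, rule text and SIDs in the 1000000+ local range are all constructed placeholders, and the rule-file names passed to `group:` are only illustrative. It reads alert events out of eve.json, counts them per signature, comments out chosen SIDs in a rules file, and emits the matching suricata-update `disable.conf` and `threshold.config` suppress entries.

```python
"""Added example (not from the thread): tune a Suricata rule set from IDS-mode alerts.

Workflow: run in IDS mode, count which signatures fire, then disable the false
positives and the whole categories for services you do not run.
All sample data below is constructed; SIDs are placeholders in the local range.
"""
import json
import re
from collections import Counter

# Constructed eve.json lines (Suricata's JSON event log), one event per line.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "alert", "src_ip": "203.0.113.7", "dest_ip": "192.0.2.10",
                "alert": {"signature_id": 1000001, "rev": 1,
                          "signature": "CONSTRUCTED web server probe"}}),
    json.dumps({"event_type": "alert", "src_ip": "203.0.113.8", "dest_ip": "192.0.2.10",
                "alert": {"signature_id": 1000001, "rev": 1,
                          "signature": "CONSTRUCTED web server probe"}}),
    json.dumps({"event_type": "alert", "src_ip": "192.0.2.50", "dest_ip": "192.0.2.10",
                "alert": {"signature_id": 1000001, "rev": 1,
                          "signature": "CONSTRUCTED web server probe"}}),
    json.dumps({"event_type": "alert", "src_ip": "192.0.2.20", "dest_ip": "192.0.2.53",
                "alert": {"signature_id": 1000002, "rev": 1,
                          "signature": "CONSTRUCTED dns example"}}),
    json.dumps({"event_type": "flow", "src_ip": "192.0.2.10", "dest_ip": "192.0.2.20"}),
    '{"event_type": "alert", "alert": {"signature_id": 10',  # truncated line at rotation
]

# Constructed rules file in Suricata rule syntax (placeholder SIDs, not real rules).
SAMPLE_RULES = "\n".join([
    'alert tcp any any -> $HOME_NET 80 (msg:"CONSTRUCTED web server probe"; sid:1000001; rev:1;)',
    'alert dns any any -> any any (msg:"CONSTRUCTED dns example"; sid:1000002; rev:1;)',
    'alert tcp any any -> $HOME_NET 22 (msg:"CONSTRUCTED ssh example"; sid:1000003; rev:1;)',
])


def summarize_alerts(eve_lines):
    """Count alert events per (sid, signature); skip non-alert and malformed lines."""
    counts = Counter()
    for raw in eve_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # e.g. the partial line Suricata was writing when the log rotated
        if event.get("event_type") != "alert":
            continue
        alert = event["alert"]
        counts[(alert["signature_id"], alert["signature"])] += 1
    return counts


SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def disable_sids_in_rules(rules_text, sids):
    """Return the rules text with every rule whose sid is in `sids` commented out.
    A leading '#' is how a rule is switched off in a .rules file."""
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) in sids and not line.lstrip().startswith("#"):
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out)


def suricata_update_disable_conf(sids=(), groups=()):
    """Build disable.conf entries for suricata-update: a bare SID disables one rule,
    'group:<file>' disables a whole rule file (a service category you do not run)."""
    lines = [str(sid) for sid in sorted(sids)]
    lines += [f"group:{g}" for g in groups]
    return lines


def suppress_entry(sid, gen_id=1, track=None, ip=None):
    """threshold.config suppress line: silence a sid everywhere, or only for one
    host/network when the rule is useful but a known-good source keeps tripping it."""
    entry = f"suppress gen_id {gen_id}, sig_id {sid}"
    if track and ip:
        entry += f", track {track}, ip {ip}"
    return entry


if __name__ == "__main__":
    for (sid, sig), n in summarize_alerts(SAMPLE_EVE_LINES).most_common():
        print(f"{n:6d}  sid:{sid}  {sig}")
    print(disable_sids_in_rules(SAMPLE_RULES, {1000001}))
    print("\n".join(suricata_update_disable_conf([1000001], ["emerging-web_server.rules"])))
    print(suppress_entry(1000001, track="by_src", ip="192.0.2.50"))
```

Run this against a real `eve.json` by replacing the constructed list with `open(path)`; the signatures at the top of the count are the first candidates to inspect. Prefer a `suppress ... track by_src` entry over disabling a rule outright when only one known host trips it, and use `group:` entries (or the category toggles in the pfSense GUI) for whole service categories rather than editing hundreds of individual SIDs.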