Disabling uncategorized internal Suricata rules in pfSense

I want to enable only particular rules categories. Do not want to have all these internal Suricate rules as they cover too broad variaty of cases including loads of false-positive. If one would like to go for deep traffic analysis then they would be fine, but in case you see “STUN Binding Request On Non-Standard High Port” and know that is your P2P camera in the LAN then it’s worth disabling all of that things at once. To disable them it is a little bit tricky on pfSense installation.

Go to Interfaces and selected desired one. Be sure to uncheck all snort or ET rules before. Then go to WAN Rules and select Active Rules in category dropdown box. Click Disable All. Now you are running without all default rules and can enable only those which you are interested most to have. For example you can try with the following:

  • attach_response
  • botcc
  • 3coresec
  • ciarmy
  • compromised
  • deleted
  • dos
  • exploit / exploit_kit
  • hunting
  • malware
  • phishing
  • scan
  • shellcode
  • sql
  • threatview_CS_c2
  • tor
  • user_agent
  • web_client
  • web_server
  • web_specific_apps
  • worm