Skip to content
Client Panel

Suricata RuleSets on OPNsense — Practical Guide

Suricata RuleSets on OPNsense — Practical Guide

Section titled “Suricata RuleSets on OPNsense — Practical Guide”

In modern network security, Suricata IDS/IPS is one of the most important protection layers on OPNsense. However, the Intrusion Detection UI (redesigned in OPNsense 25.x and carried forward into 26.x) presents a long list of RuleSets under the Download tab that can overwhelm new users.

  • What should you enable?
  • Which RuleSets are safe?
  • Which ones cause false positives?

This guide explains how to choose Suricata rules safely, effectively, and without breaking your network.


OPNsense organizes Suricata rules into multiple sources:

SourceDescription
abuse.ch feedsThreat intelligence feeds — Feodo Tracker (botnet C2), URLHaus (malware URLs), SSL Blacklist (malicious certs)
ET OpenEmerging Threats open-source ruleset with ~20 rule categories
ET Pro TelemetryEnhanced detection rules (free tier from Proofpoint)
ET Pro (commercial)Full detection ruleset — requires paid oinkcode from Proofpoint
OPNsense App-detectOPNsense-maintained web application detection rules

Each RuleSet contains hundreds or thousands of signatures. Enabling all of them will cause:

  • ❌ Many false positives
  • ❌ Internal systems being blocked
  • ❌ High CPU usage
  • ❌ A flood of logs

The goal is not to enable everything — only the most useful and safe RuleSets.


Here is the best combination for most environments, especially business networks.

These rule feeds provide extremely clean and reliable threat intelligence.

RuleSetBlocksFalse Positives
abuse.ch/Feodo TrackerBotnet C2 servers (Feodo/Dridex/Emotet)Extremely rare
abuse.ch/URLHausMalware distribution URLsExtremely rare
abuse.ch/SSL BlacklistMalicious SSL certificates (SHA1 fingerprints)Extremely rare

Threats blocked: Botnets, C2 servers, malware distribution, malicious SSL endpoints.


ET Open is a single RuleSet (ET open) with multiple rule categories. Do not enable every category — many are noisy. Only enable the high-value, low-noise groups:

EnableCategoryPurpose
botccBotnet command & control
compromisedCompromised host indicators
dshieldDShield blocklist correlation
malwareMalware detection signatures
trojanTrojan-specific detections

These provide solid protections without internal interference.

OPNsense ships its own App Detection Rules — a ruleset maintained by the OPNsense project focused on blocking web application threats. Since ~80% of traffic is web applications, these are worth enabling:

RuleSetPurpose
OPNsense-App-detect/testWeb application & URL-based threat detection

Low false positive rate. Community-contributed at github.com/opnsense/rules.


If your system shows ET pro telemetry in the download list:

  • Enable it. It provides improved detection with lower false positives.
  • This is the free tier from Proofpoint — no license required.

If you have a Proofpoint ET Pro oinkcode:

  1. Install the plugin: System → Firmware → Pluginsos-intrusion-detection-content-et-pro
  2. Go to Services → Intrusion Detection → Administration → Settings
  3. Enter your oinkcode in the etpro.oinkcode field
  4. Download rules from the Download tab

ET Pro provides full coverage rulesets suitable for regulated environments (PCI DSS, HIPAA).


3. Minimalist “Zero-False-Positive” RuleSet

Section titled “3. Minimalist “Zero-False-Positive” RuleSet”

If your priority is stability and low risk, enable only three abuse.ch feeds:

  • abuse.ch/Feodo Tracker
  • abuse.ch/URLHaus
  • abuse.ch/SSL Blacklist

Optionally add ThreatFox and SSL Fingerprint Blacklist if your OPNsense version lists them. This set alone blocks most modern threats with almost zero impact to your services.


These ET Open categories commonly cause false positives and internal service disruption:

AvoidCategoryWhy
policyFlags routine administrative traffic
infoInformational only — high noise, no actionable alerts
netbiosTriggers on normal Windows networking
p2pFlags legitimate peer-to-peer and CDN traffic
chatAlerts on Teams, Slack, Discord traffic
activexObsolete technology, triggers on legitimate web apps
adwareHigh false positive rate on legitimate ad networks
browserAlerts on normal web browsing patterns
smbBreaks SMB/CIFS file sharing (NAS, Windows shares)
miscMiscellaneous catch-all with unpredictable behavior

They trigger alerts for many legitimate internal applications: NAS, SMB, Teams, ERP systems.


Since OPNsense 21.1, Policies are the preferred way to control which rules fire and what action they take — replacing the old per-ruleset filter dropdown. Policies let you:

  • Bulk-change rule actions across multiple RuleSets (alert → drop, or disable entirely)
  • Target specific metadata: affected product (Android, Windows), deployment type (datacenter, perimeter), attack target
  • Set priorities: lower number = higher priority. First matching policy wins

Example: Drop traffic from malware rules only

Section titled “Example: Drop traffic from malware rules only”
  1. Go to Services → Intrusion Detection → Policy
  2. Click + to add a new policy
  3. Set Description: Drop malware traffic
  4. Under Rulesets, select ET open and abuse.ch/*
  5. Under Rules, filter by malware / trojan metadata
  6. Set New Action to drop
  7. Set Priority to 1

This is safer than blanket-enabling IPS on the Administration page because you can apply drop only to high-confidence malware rules while keeping noisy rules at alert level.


InterfaceModeRationale
WANIPS ModeBlock external threats before they enter
LANIDS ModeDetect only — avoid breaking internal traffic
ToolRole
SuricataThreat detection + IPS (signature-based)
ZenarmorLayer-7 filtering + application control

This combination provides complete coverage: Suricata catches known threats via signatures, Zenarmor handles application-level control and visibility.


7. Step-by-Step: Configure Suricata on OPNsense

Section titled “7. Step-by-Step: Configure Suricata on OPNsense”
  1. Go to Services → Intrusion Detection → Administration
  2. Check Enabled
  3. Set IPS mode:
    • IDS only: Select PCAP live mode (alerts only)
    • Netmap IPS: Select Netmap for hardware-accelerated blocking
    • Divert IPS: Select Divert to redirect via firewall rules (use with Firewall → Rules)
  4. Set Pattern matcher: Use Hyperscan if your CPU supports it (best performance), otherwise Aho-Corasick Ken Steele variant
  5. Select interfaces under Interfaces
  6. Disable hardware offloading on selected interfaces: go to Interfaces → Settings and uncheck all offloading options (VLAN Hardware Filtering, TSO, LRO)
  1. Go to the Download tab
  2. Check the recommended RuleSets from section 2
  3. Click Download & Update Rules
  4. Wait for the rules to finish downloading
  1. Go to the Rules tab
  2. Select each enabled RuleSet and assign it to your WAN/LAN interfaces
  3. Click Apply
  4. Check Alerts tab to monitor activity
  1. Go to Services → Intrusion Detection → Administration → Schedule
  2. Set a cron schedule (recommended: daily, e.g., 0 3 * * * for 3 AM)
  3. This keeps your rule definitions current against new threats

After enabling Suricata, review the Alerts tab daily for the first week. Look for:

  • Repeated alerts from internal IPs → likely false positives
  • Alerts from known internal applications (NAS, Active Directory, printers)
  1. Go to Services → Intrusion Detection → Administration → Alerts
  2. Find the alert you want to suppress
  3. Click the + button to add a suppression rule
  4. Choose to suppress by SID, source IP, or destination IP
  • CPU: Each additional RuleSet increases CPU load. On low-power hardware (Atom, Celeron), stick to the minimalist set.
  • RAM: Suricata with all abuse.ch + 5 ET categories uses ~200-400 MB for a typical home/small business.
  • Throughput: IPS mode adds latency. Test throughput before and after enabling IPS on WAN.

9. Conclusion: More Rules ≠ More Security

Section titled “9. Conclusion: More Rules ≠ More Security”

Suricata becomes effective not by enabling everything, but by enabling the right things.

  • 💡 Enable abuse.ch feeds: Feodo Tracker, URLHaus, SSL Blacklist (plus ThreatFox/SSL Fingerprint if available)
  • 💡 Enable the five essential ET Open categories + OPNsense App-detect
  • 💡 If available, enable ET Pro Telemetry (free) or ET Pro (paid oinkcode)
  • 💡 WAN = IPS, LAN = IDS
  • 💡 Avoid noisy categories (policy, info, netbios, smb, etc.)
  • 💡 Use Policies for fine-grained control over alert vs drop actions
  • 💡 Combine with Zenarmor for Layer-7 control

This gives you strong protection with minimal risk and minimal maintenance effort.