OPNsense Suricata IDS/IPS: Installation and Tuning Guide
Set up Suricata as an inline IPS on OPNsense — install the plugin, enable ET Open or ET Pro rulesets, configure alert actions, and tune to reduce false positives.
Suricata is OPNsense’s built-in network IDS/IPS engine. Running it inline (IPS mode) drops malicious traffic in-band. This guide covers setup from scratch through basic tuning.
Hardware requirements
Suricata is CPU-intensive. Inline IPS on a 1 Gbps WAN needs at least:
- 4-core CPU (Intel J6412 or better)
- 4 GB RAM dedicated to OPNsense
- Multi-queue NIC whose driver supports netmap (Intel i210/i225 and other igb/igc-class cards qualify). IPS mode attaches to the interface through netmap, so a NIC whose driver lacks netmap support can only run in alert-only IDS mode.
On a Protectli FW4C (J3160), expect ~250–400 Mbps throughput with ET Open rules before CPU saturation.
Check the installation
Suricata ships with the OPNsense base system, so there is no plugin to install. You can confirm the bundled version under System → Firmware → Packages (package suricata). The engine is configured under Services → Intrusion Detection → Administration.
Configure interfaces
On the Settings tab:
- Enabled: ✓
- IPS mode: ✓ (inline via netmap: matching packets are dropped, not just logged). Before enabling it, disable hardware offloading (CRC, TSO, LRO) under Interfaces → Settings; offloaded segments break inline inspection, and the interface only enters IPS mode if its driver supports netmap
- Promiscuous mode: leave unchecked; it is only needed when the interface must see frames not addressed to its own MAC address
- Interfaces: choose where to inspect. WAN sees everything to and from the internet, but outbound packets have already been rewritten by NAT, so alerts show the firewall's WAN address rather than the internal host that caused them. Inspecting LAN (and other inside interfaces) keeps the real internal source addresses and also covers traffic between internal segments
- Pattern matcher: Hyperscan if available (faster), otherwise AC-BS
Enable rulesets
On the Download tab:
| Ruleset | Cost | Notes |
|---|---|---|
| ET Open | Free | Good baseline, delayed vs ET Pro by 30 days |
| ET Pro | ~$600/yr | Real-time, full threat intel |
| Abuse.ch SSL Blacklist | Free | SSL cert-based C2 detection |
| Abuse.ch URLhaus | Free | Malware URL blocking |
Enable ET Open + both Abuse.ch feeds for a free starting point. Click Download & Update Rules, then add a recurring update on the Schedule tab so the rulesets do not go stale.
Alert vs Drop
Rules have two actions:
- Alert — log the event and let the traffic pass
- Drop — block the packet; only effective with IPS mode enabled, otherwise a drop rule just alerts
Start with every rule on Alert for 1–2 weeks, review the alert log, then move the rules that never fired on legitimate traffic to Drop. Changing actions one rule at a time is tedious; the Policy tab (Intrusion Detection → Administration → Policy) sets the action for whole groups of rules selected by ruleset and rule metadata.
Tuning false positives
In the Rules tab, search by SID or message text and either disable a noisy rule or leave it on Alert while you investigate:
```text
# Common high-noise rules to review first:
ET POLICY DNS Query to .TK domain
ET POLICY Dropbox Client Observed
ET INFO Executable Download
```
For known-good internal services that trigger rules, exempt those hosts (Intrusion Detection → Passlist) rather than disabling the rule for everyone; a rule switched off globally no longer protects the hosts that should never trigger it.
Monitoring alerts
Services → Intrusion Detection → Alerts. Key columns: timestamp, SID, severity, source/dest IP.
For persistent monitoring, ship logs to Grafana/Loki or a syslog target (System → Settings → Logging).
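The Alert-then-Drop review above, and the choice of which SIDs to disable, both come down to counting what actually fired. The script below is an added example (not part of this guide or of OPNsense) that reads Suricata's standard EVE JSON alert log and ranks signatures by volume and by how many internal hosts triggered them, flagging ET POLICY / ET INFO rules as noise to review and leaving the rest as Drop candidates. On OPNsense the log is assumed to be /var/log/suricata/eve.json (check your install); the records embedded here are constructed, and their SIDs are placeholders rather than the real ET signature IDs.

```python
import ipaddress
import json

# The guide names ET POLICY / ET INFO as the high-noise classes to review first.
NOISE_PREFIXES = ("ET POLICY", "ET INFO")

# RFC 1918 space: what "internal host" means below. Using an explicit list rather
# than ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample eve.json content (not real traffic). SIDs 900000x are
# placeholders, addresses use RFC 1918 and documentation ranges. It includes a
# non-alert "flow" event and a truncated last line, both normal in a live file.
SAMPLE_EVE = """\
{"timestamp":"2025-01-10T09:00:01.000000+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"8.8.8.8","proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":2,"signature":"ET POLICY DNS Query to .TK domain","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-01-10T09:00:02.000000+0000","event_type":"alert","src_ip":"192.168.1.21","dest_ip":"8.8.8.8","proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":2,"signature":"ET POLICY DNS Query to .TK domain","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-01-10T09:00:03.000000+0000","event_type":"flow","src_ip":"192.168.1.21","dest_ip":"8.8.8.8","proto":"UDP"}
{"timestamp":"2025-01-10T09:00:04.000000+0000","event_type":"alert","src_ip":"192.168.1.22","dest_ip":"8.8.8.8","proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":2,"signature":"ET POLICY DNS Query to .TK domain","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-01-10T09:01:00.000000+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"198.51.100.9","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"ET POLICY Dropbox Client Observed","category":"Potential Corporate Privacy Violation","severity":3}}
{"timestamp":"2025-01-10T09:02:00.000000+0000","event_type":"alert","src_ip":"192.168.1.30","dest_ip":"203.0.113.7","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,"signature":"ET MALWARE Example C2 Beacon","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2025-01-10T09:02:30.000000+0000","event_type":"alert","src_ip":"192.168.1.30","dest_ip":"203.0.113.7","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,"signature":"ET MALWARE Example C2 Beacon","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2025-01-10T09:03:00.000000+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"198.51.100.9","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000004,"rev":1,"signature":"ET INFO Executable Download","category":"Misc activity","severity":3}}
{"timestamp":"2025-01-10T09:04:00.000000+0000","event_type":"alert","src_ip":"203.0.113.50","dest_ip":"192.168.1.1","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000005,"rev":1,"signature":"ET SCAN Example Port Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2025-01-10T09:05:00.000000+0000","event_type":"alert","src_ip":"192.168.1.31","dest_i
"""


def parse_eve(text):
    """Return the alert records from EVE JSON text, skipping other event types
    (flow, dns, tls, ...) and any truncated or malformed line."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written last line of a live eve.json
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            alerts.append(rec)
    return alerts


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def summarize(alerts):
    """Group alerts by signature_id: count, actions seen, distinct sources."""
    stats = {}
    for rec in alerts:
        a = rec["alert"]
        s = stats.setdefault(a["signature_id"], {
            "sid": a["signature_id"], "signature": a.get("signature", ""),
            "category": a.get("category", ""), "severity": a.get("severity"),
            "count": 0, "actions": {}, "src_ips": set(), "dest_ips": set(),
        })
        s["count"] += 1
        action = a.get("action", "unknown")  # "allowed" (Alert) or "blocked" (Drop)
        s["actions"][action] = s["actions"].get(action, 0) + 1
        s["src_ips"].add(rec.get("src_ip"))
        s["dest_ips"].add(rec.get("dest_ip"))
    for s in stats.values():
        s["internal_sources"] = sum(1 for ip in s["src_ips"] if is_internal(ip))
    return stats


def classify(s, min_hosts=3):
    """Triage for the Alert -> Drop decision: already dropping, noisy class,
    fired from many internal hosts (likely policy noise), or a Drop candidate."""
    if "blocked" in s["actions"]:
        return "already-drop"
    if s["signature"].startswith(NOISE_PREFIXES):
        return "review-noise"
    if s["internal_sources"] >= min_hosts:
        return "review-widespread"
    return "drop-candidate"


def report(text, top=10):
    """Rows of (sid, count, internal_sources, triage, signature), busiest first."""
    ranked = sorted(summarize(parse_eve(text)).values(), key=lambda s: (-s["count"], s["sid"]))
    return [(s["sid"], s["count"], s["internal_sources"], classify(s), s["signature"]) for s in ranked[:top]]


if __name__ == "__main__":
    for sid, count, hosts, triage, sig in report(SAMPLE_EVE):
        print(f"{sid:>8} {count:>5} {hosts:>5}  {triage:<17} {sig}")
```

Run it against the real file with `report(open("/var/log/suricata/eve.json").read())`. Note the internal_sources column: if you inspect only WAN, outbound alerts carry the firewall's post-NAT address, so this column reads 0 for every rule and the "widespread" heuristic cannot work, which is the practical reason to inspect LAN-side interfaces when tuning.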
Want a platform comparison? FirewallCompare has OPNsense vs pfSense IDS throughput benchmarks.
Related
OPNsense Initial Setup: Complete Installation Guide (2026)
Step-by-step walkthrough for installing OPNsense on a Protectli vault or mini-PC, covering installer options, interface assignment, WAN/LAN configuration, and first-boot hardening.
OPNsense VLAN Configuration: Segment IoT, Guest, and Trusted Networks
How to create and enforce VLANs on OPNsense to isolate IoT devices, guest Wi-Fi, and your trusted LAN — with firewall rules that block inter-VLAN traffic by default.
Best Hardware for OPNsense in 2026: Protectli, Netgate, and Mini-PC Options
Tested hardware recommendations for running OPNsense: fanless Protectli vaults, refurbished mini-PCs, and purpose-built appliances — with throughput data and price tiers.