-
Notifications
You must be signed in to change notification settings - Fork 2
Configuration Ruleset on pfSense
This manual provides a step-by-step guide to configure the julioliraup/Antiphishing ruleset in Suricata on pfSense. Adding this blocklist ensures active network protection against malicious phishing domains.
To add the custom antiphishing list, you must insert the ruleset URL into the extra rules configuration field.
Screen snippet showing the Suricata configuration page where the extra rule URL/link is added.
Steps:
- Navigate to Services > Suricata > Interfaces.
- Click the Edit (pencil) icon on your desired interface.
- Go to the Rules tab.
- Look for the custom/extra rules section.
- Set a name. Ex.:
AT - Paste the
https://github.com/julioliraup/Antiphishing/raw/refs/heads/main/antiphishing.rulesURL link into the configuration field. - Check checkbox md5
- Click Save.
After adding the external link, you must trigger a manual update to download the new signatures.
Screen snippet of the Suricata Updates tab highlighting the Update Rulesets button.
Steps:
- Navigate to the Updates tab in the Suricata top menu.
- Locate the Update section.
- Click the Update Rulesets button.
- Wait for the status indicator to show completion.
Once downloaded, you need to verify that the category is loaded and enabled on your interface.
Screen snippet of the interface Categories selection list inside Suricata.
Steps:
- Return to Services > Suricata > Interfaces and edit your interface.
- Click on the Categories tab.
- Locate the julioliraup/Antiphishing ruleset in the category list.
- Check the box to enable it.
- Click Save at the bottom of the page.
Test the detection engine by requesting a known malicious domain included in the list.
Screen snippet showing a browser request to the test URL and the resulting signature alert triggered in the pfSense Alerts tab.
Steps:
- From a client machine behind the pfSense, request the domain:
http://ww-brasilrodovias.click - Navigate to the Alerts tab inside Suricata on pfSense.
- Verify that an alert has been logged for this specific HTTP request.
Now just search for the SIDs in the panel julioliraup.github.io/AT. For random information security analysis in Portuguese, access julioliraup.github.io and long live free software!