## Suricata IPS Integration for Proxmox

This document provides a detailed guide for integrating Suricata as an Intrusion Prevention System (IPS) within your Proxmox VE environment.

### Note

- Packets are forwarded to the IPS only after the firewall has ACCEPTed them.
- Packets the firewall REJECTs or DROPs never reach the IPS.
- Consequently Suricata only inspects (and can only block) traffic that your firewall rules already allow; it is a second layer behind the firewall, not a replacement for it.

This follows [PVE Firewall#_suricata_ips_integration](https://pve.proxmox.com/wiki/Firewall#_suricata_ips_integration).

**1. Installation and Configuration:**

```bash
# Install Suricata and jq (jq is used in step 7 to read the EVE JSON log)
apt-get -y install suricata jq

# Load the nfnetlink_queue module now and on every boot
modprobe nfnetlink_queue
echo "nfnetlink_queue" > /etc/modules-load.d/nfnetlink_queue.conf

# Queue range for the init-script path. Suricata's -q option writes a range
# as lo:hi (for example 0:3), the same form the PVE firewall uses for
# ips_queues. The systemd override in step 5 is what actually starts Suricata.
sed -i 's/NFQUEUE=.*/NFQUEUE=0:3/' /etc/default/suricata
```

**2. Suricata Configuration:**

```bash
# Adjust the capture interface (replace 'vmbr0' with your public bridge).
# This only affects the af-packet/pcap sections of the file; in NFQUEUE
# (inline) mode Suricata reads packets from the kernel queues, not from an interface.
sed -i 's/interface: eth0/interface: vmbr0/g' /etc/suricata/suricata.yaml

# Enable Community ID flow hashes in EVE output so alerts can be
# correlated with other tools (Zeek, netflow collectors) by flow.
sed -i 's/community-id: false/community-id: true/' /etc/suricata/suricata.yaml

# Live rule reload. This detect-engine/rule-reload syntax comes from the
# Suricata 2.x configuration; current releases reload on
# `suricatasc -c reload-rules` (or SIGUSR2) without it. Appending a second
# top-level key to the YAML is fragile, so validate with step 4 before restarting.
echo "detect-engine:" >> /etc/suricata/suricata.yaml
echo "  - rule-reload: true" >> /etc/suricata/suricata.yaml
```

**3. Rule Updates:**

```bash
# Fetch the rule source index, enable ET Open and write the merged rule set
suricata-update update-sources
suricata-update enable-source et/open
suricata-update -o /etc/suricata/rules

# default-rule-path in suricata.yaml must point at the same directory and
# rule-files must list suricata.rules, otherwise the downloaded rules are never loaded
grep -E 'default-rule-path|suricata.rules' /etc/suricata/suricata.yaml

# Schedule daily updates at 02:00 and reload the rules in the running Suricata.
# Add the following line with `crontab -e`:
# 0 2 * * * suricata-update -o /etc/suricata/rules && suricatasc -c reload-rules
```

ET Open rules are distributed with the `alert` action. Until you convert the signatures you want to enforce to `drop` (suricata-update reads SIDs or `re:` patterns from `/etc/suricata/drop.conf` when that file exists), the "IPS" only alerts and blocks nothing.

**4. Testing Suricata:**

```bash
# Validate the configuration and the rule set; exits non-zero on errors
suricata -T -c /etc/suricata/suricata.yaml -v
```

**5. Setting Suricata as IPS:**

```bash
# Create a drop-in override so the service runs inline on the NFQUEUE queues
# instead of af-packet (this opens an editor)
systemctl edit suricata.service
```

Put the following in the override. The empty `ExecStart=` clears the packaged command line, `Type=simple` is required because the new command line does not daemonize (no `-D`), and the `-q` range must cover every queue listed in `ips_queues` in step 6: packets sent to a queue nobody listens on are dropped by the kernel, which silently blackholes guest traffic.

```ini
[Service]
ExecStart=
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -q 0:3 -vvv
Type=simple
```

```bash
# Reload systemd, restart Suricata and confirm it came up in inline mode
systemctl daemon-reload
systemctl restart suricata
systemctl status suricata --no-pager
```

**6. Configuring VM/CT Firewall for IPS:**

```bash
# Edit the guest firewall configuration (replace <VMID> with your VM/CT ID)
nano /etc/pve/firewall/<VMID>.fw
```

```ini
[OPTIONS]
enable: 1
ips_queues: 0:3
ips: 1
```

The guest firewall, and therefore the IPS hand-off, only takes effect when the Datacenter-level firewall is enabled and the guest's network device has `firewall=1` set.

**7. Monitoring Suricata Alerts and Statistics:**

```bash
# Follow alerts; alert.action is "blocked" when a drop rule fired, "allowed" otherwise
tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'

# Inline counters (ips.accepted, ips.blocked, ...) confirm packets are really
# passing through the queues rather than being inspected on a copy
tail -f /var/log/suricata/stats.log | grep ips
```
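The two things that most often go wrong with this setup are a queue range in the guest `.fw` file that the Suricata command line does not fully listen on, and an "IPS" that is really detect-only because every rule still has the `alert` action. The following script, an added example that is not part of the Proxmox wiki or the Suricata project, checks both offline: it parses a `<VMID>.fw` file and a systemd override to report queues with no listener, and summarizes EVE JSON alerts by signature into allowed versus blocked counts. It assumes that both `ips_queues` and Suricata's `-q` write a range as `lo:hi`, and that EVE alert events carry `alert.action` of `"allowed"` or `"blocked"`; the file contents, signatures and log lines embedded below are constructed samples.

```python
"""Offline sanity checks for the Proxmox + Suricata NFQUEUE IPS setup.

Added example, not code from the Proxmox wiki or from Suricata. All inputs
(SAMPLE_FW, SAMPLE_UNIT_*, SAMPLE_EVE) are constructed samples.
"""
import json
import re
from collections import defaultdict


def parse_queue_range(spec):
    """'0:3' -> {0, 1, 2, 3}; '2' -> {2}. Assumed lo:hi syntax for both PVE and -q."""
    m = re.fullmatch(r"\s*(\d+)(?::(\d+))?\s*", spec)
    if not m:
        raise ValueError("bad queue spec: %r" % spec)
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) is not None else lo
    if hi < lo:
        raise ValueError("inverted queue range: %r" % spec)
    return set(range(lo, hi + 1))


def pve_fw_queues(fw_text):
    """Queues a /etc/pve/firewall/<VMID>.fw file hands packets to.

    Returns an empty set when ips: 1 is not set. Raises if ips: 1 is set
    without ips_queues, because we do not guess PVE's default.
    """
    opts, section = {}, None
    for raw in fw_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            continue
        if section == "OPTIONS" and ":" in line:
            key, value = line.split(":", 1)  # value may itself contain ':' (0:3)
            opts[key.strip()] = value.strip()
    if opts.get("ips") != "1":
        return set()
    if "ips_queues" not in opts:
        raise ValueError("ips: 1 without ips_queues; set it explicitly")
    return parse_queue_range(opts["ips_queues"])


def suricata_queues(unit_text):
    """Queues Suricata listens on, from the effective ExecStart= of a unit override.

    systemd semantics: an empty ExecStart= clears earlier values and the last
    one wins; -q may be repeated, each occurrence a single queue or a range.
    """
    execstart = ""
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("ExecStart="):
            execstart = line[len("ExecStart="):].strip()
    queues = set()
    for spec in re.findall(r"(?:^|\s)-q\s+(\d+(?::\d+)?)", execstart):
        queues |= parse_queue_range(spec)
    return queues


def uncovered_queues(fw_text, unit_text):
    """Queues the firewall uses that no Suricata worker reads.

    An NFQUEUE queue with no listener drops packets in the kernel, so any
    queue returned here means silently blackholed guest traffic.
    """
    return sorted(pve_fw_queues(fw_text) - suricata_queues(unit_text))


def summarize_eve(lines):
    """Per-signature allowed/blocked alert counts plus the number of drop events.

    Only rules with the drop action block anything; ET Open ships as alert,
    so all-zero 'blocked' counts mean the IPS is currently detect-only.
    """
    per_sig = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    drops = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            a = ev["alert"]
            counts = per_sig[a["signature"]]
            action = a.get("action", "allowed")
            counts[action] = counts.get(action, 0) + 1
        elif ev.get("event_type") == "drop":
            drops += 1
    return {"signatures": dict(per_sig), "drop_events": drops}


# Constructed samples mirroring the files written in steps 5 and 6.
SAMPLE_FW = "[OPTIONS]\nenable: 1\nips_queues: 0:3\nips: 1\n"
SAMPLE_UNIT_BAD = (
    "[Service]\nExecStart=\n"
    "ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml "
    "--pidfile /run/suricata.pid -q 0 -vvv\nType=simple\n"
)
SAMPLE_UNIT_GOOD = SAMPLE_UNIT_BAD.replace("-q 0 ", "-q 0:3 ")

# Constructed EVE lines; sids are in the local 1000000+ range, not real ET rules.
SAMPLE_EVE = [
    '{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.20","proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"signature":"LOCAL example alert-only rule","severity":3}}',
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.20","proto":"TCP","alert":{"action":"blocked","signature_id":1000002,"signature":"LOCAL example drop rule","severity":1}}',
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"drop","src_ip":"198.51.100.7","dest_ip":"10.0.0.20","proto":"TCP","drop":{"len":60,"ttl":64,"syn":true}}',
    '{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"10.0.0.20","proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"signature":"LOCAL example alert-only rule","severity":3}}',
    '{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"flow","src_ip":"10.0.0.20","dest_ip":"198.51.100.9","proto":"TCP"}',
]

if __name__ == "__main__":
    print("uncovered queues (unit with -q 0):  ", uncovered_queues(SAMPLE_FW, SAMPLE_UNIT_BAD))
    print("uncovered queues (unit with -q 0:3):", uncovered_queues(SAMPLE_FW, SAMPLE_UNIT_GOOD))
    print(json.dumps(summarize_eve(SAMPLE_EVE), indent=2))
```

On a live host, feed `uncovered_queues` the real `/etc/pve/firewall/<VMID>.fw` and `/etc/systemd/system/suricata.service.d/override.conf`, and `summarize_eve` the lines of `/var/log/suricata/eve.json`; a non-empty queue list or a summary with no `blocked` entries is the result to act on before trusting the IPS.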